summaryrefslogtreecommitdiff
path: root/testing
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2013-11-01 13:32:07 +0100
committerYves-Alexis Perez <corsac@debian.org>2013-11-01 13:32:07 +0100
commita54780509260a8cb6f0344f531da168b34410dd5 (patch)
tree477239a312679174252f39f7a80bc8bf33836d9a /testing
parent6e50941f7ce9c6f2d6888412968c7f4ffb495379 (diff)
parent5313d2d78ca150515f7f5eb39801c100690b6b29 (diff)
downloadvyos-strongswan-a54780509260a8cb6f0344f531da168b34410dd5.tar.gz
vyos-strongswan-a54780509260a8cb6f0344f531da168b34410dd5.zip
Merge tag 'upstream/5.1.1'
Upstream version 5.1.1
Diffstat (limited to 'testing')
-rw-r--r--testing/Makefile.in107
-rw-r--r--testing/config/kernel/config-3.112005
-rw-r--r--testing/hosts/default/etc/hosts2
-rw-r--r--testing/hosts/default/etc/iptables.rules4
-rw-r--r--testing/hosts/default/etc/pts/data.sql288
-rw-r--r--testing/hosts/default/etc/pts/tables.sql22
-rw-r--r--testing/hosts/winnetou/etc/bind/db.strongswan.org51
-rw-r--r--testing/scripts/recipes/003_freeradius.mk3
-rw-r--r--testing/scripts/recipes/013_strongswan.mk3
-rw-r--r--testing/scripts/recipes/patches/freeradius-avp-size18
-rw-r--r--testing/scripts/recipes/patches/freeradius-tnc-fhh6
-rw-r--r--testing/testing.conf74
-rw-r--r--testing/tests/ikev1/config-payload-push/description.txt8
-rw-r--r--testing/tests/ikev1/config-payload-push/evaltest.dat26
-rw-r--r--testing/tests/ikev1/config-payload-push/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev1/config-payload-push/hosts/dave/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev1/config-payload-push/hosts/moon/etc/ipsec.conf28
-rw-r--r--testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf8
-rw-r--r--testing/tests/ikev1/config-payload-push/posttest.dat6
-rw-r--r--testing/tests/ikev1/config-payload-push/pretest.dat10
-rw-r--r--testing/tests/ikev1/config-payload-push/test.conf21
-rw-r--r--testing/tests/ikev1/host2host-ah/description.txt5
-rw-r--r--testing/tests/ikev1/host2host-ah/evaltest.dat7
-rw-r--r--testing/tests/ikev1/host2host-ah/hosts/moon/etc/ipsec.conf17
-rw-r--r--testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev1/host2host-ah/hosts/sun/etc/ipsec.conf17
-rw-r--r--testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev1/host2host-ah/posttest.dat4
-rw-r--r--testing/tests/ikev1/host2host-ah/pretest.dat6
-rw-r--r--testing/tests/ikev1/host2host-ah/test.conf21
-rw-r--r--testing/tests/ikev1/net2net-ah/description.txt8
-rw-r--r--testing/tests/ikev1/net2net-ah/evaltest.dat11
-rw-r--r--testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev1/net2net-ah/posttest.dat4
-rw-r--r--testing/tests/ikev1/net2net-ah/pretest.dat6
-rw-r--r--testing/tests/ikev1/net2net-ah/test.conf21
-rw-r--r--testing/tests/ikev2/host2host-ah/description.txt5
-rw-r--r--testing/tests/ikev2/host2host-ah/evaltest.dat7
-rw-r--r--testing/tests/ikev2/host2host-ah/hosts/moon/etc/ipsec.conf17
-rw-r--r--testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/host2host-ah/hosts/sun/etc/ipsec.conf17
-rw-r--r--testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/host2host-ah/posttest.dat4
-rw-r--r--testing/tests/ikev2/host2host-ah/pretest.dat6
-rw-r--r--testing/tests/ikev2/host2host-ah/test.conf21
-rw-r--r--testing/tests/ikev2/net2net-ah/description.txt7
-rw-r--r--testing/tests/ikev2/net2net-ah/evaltest.dat11
-rw-r--r--testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/net2net-ah/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-ah/pretest.dat6
-rw-r--r--testing/tests/ikev2/net2net-ah/test.conf21
-rw-r--r--testing/tests/ikev2/net2net-dnscert/description.txt8
-rw-r--r--testing/tests/ikev2/net2net-dnscert/evaltest.dat9
-rw-r--r--testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.conf26
-rw-r--r--testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.d/dnssec.keys10
-rw-r--r--testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/iptables.rules28
-rw-r--r--testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/resolv.conf1
-rw-r--r--testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf20
-rw-r--r--testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.conf26
-rw-r--r--testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.d/dnssec.keys10
-rw-r--r--testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/iptables.rules28
-rw-r--r--testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/resolv.conf1
-rw-r--r--testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf20
-rw-r--r--testing/tests/ikev2/net2net-dnscert/posttest.dat8
-rw-r--r--testing/tests/ikev2/net2net-dnscert/pretest.dat8
-rw-r--r--testing/tests/ikev2/net2net-dnscert/test.conf21
-rw-r--r--testing/tests/libipsec/host2host-cert/description.txt10
-rw-r--r--testing/tests/libipsec/host2host-cert/evaltest.dat7
-rw-r--r--testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf19
-rw-r--r--testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf17
-rwxr-xr-xtesting/tests/libipsec/host2host-cert/hosts/moon/etc/updown705
-rw-r--r--testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf19
-rw-r--r--testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf17
-rwxr-xr-xtesting/tests/libipsec/host2host-cert/hosts/sun/etc/updown705
-rw-r--r--testing/tests/libipsec/host2host-cert/posttest.dat6
-rw-r--r--testing/tests/libipsec/host2host-cert/pretest.dat8
-rw-r--r--testing/tests/libipsec/host2host-cert/test.conf21
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt17
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat19
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat9
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt17
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat19
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat9
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/description.txt2
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem11
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets2
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/description.txt2
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem14
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets2
-rw-r--r--testing/tests/sql/net2net-route-pem/evaltest.dat4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql873
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql29
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/pretest.dat2
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/description.txt12
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/evaltest.dat2
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf25
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default43
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel32
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second36
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users2
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf11
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets1
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf10
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf10
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf1
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets1
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf10
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf10
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf1127
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf33
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf13
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/posttest.dat5
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/pretest.dat11
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/test.conf26
-rw-r--r--testing/tests/tnc/tnccs-20-os/description.txt2
-rw-r--r--testing/tests/tnc/tnccs-20-os/evaltest.dat4
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql892
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql45
-rw-r--r--testing/tests/tnc/tnccs-20-os/pretest.dat5
-rw-r--r--testing/tests/tnc/tnccs-20-pdp/evaltest.dat2
-rw-r--r--testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf4
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/description.txt9
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat12
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf9
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem25
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem27
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets6
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules20
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql61
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf28
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf3
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql4
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules20
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options5
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf25
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf3
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql4
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules20
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options6
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf22
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/posttest.dat8
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/pretest.dat19
-rw-r--r--testing/tests/tnc/tnccs-20-pt-tls/test.conf26
-rw-r--r--testing/tests/tnc/tnccs-20-pts/evaltest.dat4
-rw-r--r--testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql873
-rw-r--r--testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql29
-rw-r--r--testing/tests/tnc/tnccs-20-pts/pretest.dat2
-rw-r--r--testing/tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql793
-rw-r--r--testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf5
187 files changed, 7061 insertions, 3591 deletions
diff --git a/testing/Makefile.in b/testing/Makefile.in
index c1f3e6269..85f118703 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -1,9 +1,8 @@
-# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# Makefile.in generated by automake 1.13.3 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
-# Foundation, Inc.
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -15,23 +14,51 @@
@SET_MAKE@
VPATH = @srcdir@
-am__make_dryrun = \
- { \
- am__dry=no; \
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
- echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \
- | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
- *) \
- for am__flg in $$MAKEFLAGS; do \
- case $$am__flg in \
- *=*|--*) ;; \
- *n*) am__dry=yes; break;; \
- esac; \
- done;; \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
esac; \
- test $$am__dry = yes; \
- }
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -51,13 +78,14 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = testing
-DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am README
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
$(top_srcdir)/m4/config/ltoptions.m4 \
$(top_srcdir)/m4/config/ltsugar.m4 \
$(top_srcdir)/m4/config/ltversion.m4 \
$(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/split-package-version.m4 \
$(top_srcdir)/m4/macros/with.m4 \
$(top_srcdir)/m4/macros/enable-disable.m4 \
$(top_srcdir)/m4/macros/add-plugin.m4 \
@@ -68,12 +96,18 @@ mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
-am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
+am__v_at_1 =
SOURCES =
DIST_SOURCES =
am__can_run_installinfo = \
@@ -81,6 +115,7 @@ am__can_run_installinfo = \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
ALLOCA = @ALLOCA@
@@ -155,6 +190,10 @@ PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
@@ -271,6 +310,7 @@ starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
@@ -321,11 +361,11 @@ mostlyclean-libtool:
clean-libtool:
-rm -rf .libs _libs
-tags: TAGS
-TAGS:
+tags TAGS:
+
+ctags CTAGS:
-ctags: CTAGS
-CTAGS:
+cscope cscopelist:
distdir: $(DISTFILES)
@@ -461,15 +501,16 @@ uninstall-am:
.MAKE: install-am install-strip
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
- distclean distclean-generic distclean-libtool distdir dvi \
- dvi-am html html-am info info-am install install-am \
- install-data install-data-am install-dvi install-dvi-am \
- install-exec install-exec-am install-html install-html-am \
- install-info install-info-am install-man install-pdf \
- install-pdf-am install-ps install-ps-am install-strip \
- installcheck installcheck-am installdirs maintainer-clean \
- maintainer-clean-generic mostlyclean mostlyclean-generic \
- mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am
+ cscopelist-am ctags-am distclean distclean-generic \
+ distclean-libtool distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am install-man \
+ install-pdf install-pdf-am install-ps install-ps-am \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags-am uninstall uninstall-am
# Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/testing/config/kernel/config-3.11 b/testing/config/kernel/config-3.11
new file mode 100644
index 000000000..a407dd5e1
--- /dev/null
+++ b/testing/config/kernel/config-3.11
@@ -0,0 +1,2005 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 3.11.6 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_CPU_AUTOPROBE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+# CONFIG_FHANDLE is not set
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_GENERIC_HARDIRQS=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_HARDIRQS=y
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_WANTS_PROT_NUMA_PROT_NONE=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+CONFIG_UIDGID_CONVERTED=y
+# CONFIG_UIDGID_STRICT_TYPE_CHECKS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+# CONFIG_EXPERT is not set
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_MODULES_USE_ELF_RELA=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_INTEL_LPSS is not set
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_MICROCODE_INTEL_EARLY is not set
+# CONFIG_MICROCODE_AMD_EARLY is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_ZBUD is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_CC_STACKPROTECTOR is not set
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS is not set
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_PROC_EVENT=y
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ACPI_BLACKLIST_YEAR=0
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+CONFIG_CPU_IDLE=y
+# CONFIG_CPU_IDLE_MULTIPLE_DRIVERS is not set
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_ARCH_SUPPORTS_MSI=y
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+
+#
+# PCI host controller drivers
+#
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+CONFIG_HAVE_TEXT_POKE_SMP=y
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+CONFIG_NET_IP_TUNNEL=y
+# CONFIG_ARPD is not set
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_PRIVACY is not set
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NETFILTER_TPROXY is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_TARGET_NPT=y
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_MMAP is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_NET_MPLS_GSO is not set
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+CONFIG_FW_LOADER_USER_HELPER=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_DA is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ATMEL_SSC is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_PCH_PHUB is not set
+# CONFIG_SRAM is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_VMWARE_VMCI is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+# CONFIG_VHOST_NET is not set
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+# CONFIG_NET_DSA_MV88E6060 is not set
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+# CONFIG_NET_DSA_MV88E6131 is not set
+# CONFIG_NET_DSA_MV88E6123_61_65 is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+CONFIG_NET_CADENCE=y
+# CONFIG_ARM_AT91_ETHER is not set
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+# CONFIG_NET_CALXEDA_XGMAC is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+# CONFIG_MLX5_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_PCH_GBE is not set
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+# CONFIG_SH_ETH is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+CONFIG_WLAN=y
+# CONFIG_AIRO is not set
+# CONFIG_ATMEL is not set
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+# CONFIG_INPUT_EVDEV is not set
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+CONFIG_FIX_EARLYCON_MEM=y
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_TIMBERDALE is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_PCH_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+# CONFIG_PTP_1588_CLOCK_PCH is not set
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+CONFIG_GPIO_DEVRES=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_BATTERY_GOLDFISH is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+# CONFIG_SENSORS_APPLESMC is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+
+#
+# Texas Instruments thermal drivers
+#
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_CS5535 is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_VGASTATE is not set
+# CONFIG_VIDEO_OUTPUT_CONTROL is not set
+# CONFIG_FB is not set
+# CONFIG_EXYNOS_VIDEO is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_UCLOGIC is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_HID_LOGITECH_DJ is not set
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# USB port drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+CONFIG_RTC_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_XO15_EBOOK is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_INTEL_RST is not set
+# CONFIG_INTEL_SMARTCONNECT is not set
+# CONFIG_PVPANIC is not set
+
+#
+# Hardware Spinlock drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+# CONFIG_F2FS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+# CONFIG_9P_FS_SECURITY is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+
+#
+# printk and dmesg options
+#
+# CONFIG_PRINTK_TIME is not set
+CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# Compile-time checks and compiler options
+#
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_LOCKUP_DETECTOR is not set
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_TIMER_STATS is not set
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_RT_MUTEX_TESTER is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_WRITECOUNT is not set
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+
+#
+# Runtime Testing
+#
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER_X86=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=y
+CONFIG_LZ4HC_COMPRESS=y
+CONFIG_LZ4_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+# CONFIG_AVERAGE is not set
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
diff --git a/testing/hosts/default/etc/hosts b/testing/hosts/default/etc/hosts
index 0931f450e..75a8fdd2a 100644
--- a/testing/hosts/default/etc/hosts
+++ b/testing/hosts/default/etc/hosts
@@ -12,7 +12,7 @@
10.1.0.254 uml1.strongswan.org uml1
10.2.0.254 uml1.strongswan.org uml2
-10.1.0.10 alice.strongswan.org alice
+10.1.0.10 alice.strongswan.org alice aaa.strongswan.org
10.1.0.20 venus.strongswan.org venus
10.1.0.30 carol2.strongswan.org carol2
10.1.0.40 dave2.strongswan.org dave2
diff --git a/testing/hosts/default/etc/iptables.rules b/testing/hosts/default/etc/iptables.rules
index c3f036cf9..b69e1429e 100644
--- a/testing/hosts/default/etc/iptables.rules
+++ b/testing/hosts/default/etc/iptables.rules
@@ -9,6 +9,10 @@
-A INPUT -i eth0 -p 50 -j ACCEPT
-A OUTPUT -o eth0 -p 50 -j ACCEPT
+# allow ah
+-A INPUT -i eth0 -p 51 -j ACCEPT
+-A OUTPUT -o eth0 -p 51 -j ACCEPT
+
# allow IKE
-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
diff --git a/testing/hosts/default/etc/pts/data.sql b/testing/hosts/default/etc/pts/data.sql
index 35fd65753..241a99645 100644
--- a/testing/hosts/default/etc/pts/data.sql
+++ b/testing/hosts/default/etc/pts/data.sql
@@ -132,6 +132,42 @@ INSERT INTO products ( /* 22 */
'Android 4.2.1'
);
+INSERT INTO products ( /* 23 */
+ name
+) VALUES (
+ 'Ubuntu 13.10 i686'
+);
+
+INSERT INTO products ( /* 24 */
+ name
+) VALUES (
+ 'Ubuntu 13.10 x86_64'
+);
+
+INSERT INTO products ( /* 25 */
+ name
+) VALUES (
+ 'Debian 7.1 i686'
+);
+
+INSERT INTO products ( /* 26 */
+ name
+) VALUES (
+ 'Debian 7.1 x86_64'
+);
+
+INSERT INTO products ( /* 27 */
+ name
+) VALUES (
+ 'Debian 7.2 i686'
+);
+
+INSERT INTO products ( /* 28 */
+ name
+) VALUES (
+ 'Debian 7.2 x86_64'
+);
+
/* Directories */
INSERT INTO directories ( /* 1 */
@@ -287,109 +323,109 @@ INSERT INTO algorithms (
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a'
+ 28, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a'
);
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07'
+ 28, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07'
);
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953'
+ 28, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953'
);
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361'
+ 28, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361'
);
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376'
+ 28, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376'
);
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f'
+ 28, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f'
);
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f'
+ 28, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f'
);
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305'
+ 28, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305'
);
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208'
+ 28, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208'
);
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4'
+ 18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4'
);
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59'
+ 18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59'
);
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c'
+ 18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c'
);
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b'
+ 18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b'
);
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be'
+ 18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be'
);
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0'
+ 18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0'
);
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7'
+ 18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7'
);
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500'
+ 18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500'
);
INSERT INTO file_hashes (
product, file, algo, hash
) VALUES (
- 18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668'
+ 18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668'
);
/* Packages */
@@ -423,25 +459,25 @@ INSERT INTO packages ( /* 4 */
INSERT INTO versions (
package, product, release, time
) VALUES (
- 1, 4, '1.0.1e-2', 1366531494
+ 1, 28, '1.0.1e-2', 1366531494
);
INSERT INTO versions (
package, product, release, time
) VALUES (
- 2, 4, '1.0.1e-2', 1366531494
+ 2, 28, '1.0.1e-2', 1366531494
);
INSERT INTO versions (
package, product, release, time
) VALUES (
- 3, 4, '1.0.1e-2', 1366531494
+ 3, 28, '1.0.1e-2', 1366531494
);
INSERT INTO versions (
package, product, release, time
) VALUES (
- 4, 4, '1.0.1e-2', 1366531494
+ 4, 28, '1.0.1e-2', 1366531494
);
/* Components */
@@ -555,6 +591,18 @@ INSERT INTO groups_product_defaults (
INSERT INTO groups_product_defaults (
group_id, product_id
) VALUES (
+ 4, 25
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 4, 27
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
5, 2
);
@@ -573,7 +621,13 @@ INSERT INTO groups_product_defaults (
INSERT INTO groups_product_defaults (
group_id, product_id
) VALUES (
- 6, 7
+ 5, 26
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 5, 28
);
INSERT INTO groups_product_defaults (
@@ -615,6 +669,12 @@ INSERT INTO groups_product_defaults (
INSERT INTO groups_product_defaults (
group_id, product_id
) VALUES (
+ 6, 23
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
7, 8
);
@@ -657,6 +717,12 @@ INSERT INTO groups_product_defaults (
INSERT INTO groups_product_defaults (
group_id, product_id
) VALUES (
+ 7, 24
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
3, 21
);
@@ -758,89 +824,237 @@ INSERT INTO policies ( /* 15 */
8, 'Get /system/lib', 14, 0, 0
);
+INSERT INTO policies ( /* 16 */
+ type, name, dir, rec_fail, rec_noresult
+) VALUES (
+ 9, 'Measure /bin', 1, 2, 2
+);
+
+INSERT INTO policies ( /* 17 */
+ type, name, argument, rec_fail, rec_noresult
+) VALUES (
+ 15, 'SWID Tag IDs', 'R', 2, 2
+);
+
+INSERT INTO policies ( /* 18 */
+ type, name, argument, rec_fail, rec_noresult
+) VALUES (
+ 15, 'SWID Tags', '', 2, 2
+);
+
/* Enforcements */
-INSERT INTO enforcements (
+INSERT INTO enforcements ( /* 1 */
policy, group_id, max_age
) VALUES (
1, 1, 86400
);
-INSERT INTO enforcements (
+INSERT INTO enforcements ( /* 2 */
policy, group_id, max_age
) VALUES (
2, 3, 0
);
-INSERT INTO enforcements (
+INSERT INTO enforcements ( /* 3 */
policy, group_id, max_age
) VALUES (
3, 2, 0
);
-INSERT INTO enforcements (
+INSERT INTO enforcements ( /* 4 */
policy, group_id, max_age
) VALUES (
5, 7, 86400
);
-INSERT INTO enforcements (
+INSERT INTO enforcements ( /* 5 */
policy, group_id, max_age
) VALUES (
6, 7, 86400
);
-INSERT INTO enforcements (
+INSERT INTO enforcements ( /* 6 */
policy, group_id, max_age
) VALUES (
7, 2, 86400
);
-INSERT INTO enforcements (
+INSERT INTO enforcements ( /* 7 */
policy, group_id, max_age
) VALUES (
8, 1, 60
);
-INSERT INTO enforcements (
+INSERT INTO enforcements ( /* 8 */
policy, group_id, max_age
) VALUES (
9, 1, 60
);
-INSERT INTO enforcements (
+INSERT INTO enforcements ( /* 9 */
policy, group_id, max_age
) VALUES (
10, 2, 60
);
-INSERT INTO enforcements (
+INSERT INTO enforcements ( /* 10 */
policy, group_id, max_age
) VALUES (
11, 10, 86400
);
-INSERT INTO enforcements (
+INSERT INTO enforcements ( /* 11 */
policy, group_id, max_age
) VALUES (
12, 5, 86400
);
-INSERT INTO enforcements (
+INSERT INTO enforcements ( /* 12 */
policy, group_id, max_age
) VALUES (
13, 5, 86400
);
-INSERT INTO enforcements (
+INSERT INTO enforcements ( /* 13 */
policy, group_id, max_age
) VALUES (
14, 9, 0
);
-INSERT INTO enforcements (
+INSERT INTO enforcements ( /* 14 */
policy, group_id, max_age
) VALUES (
15, 9, 0
);
+/* regids */
+
+INSERT INTO regids ( /* 1 */
+ name
+) VALUES (
+ 'regid.1986-12.com.adobe'
+);
+
+INSERT INTO regids ( /* 2 */
+ name
+) VALUES (
+ 'regid.1991-06.com.microsoft'
+);
+
+INSERT INTO regids ( /* 3 */
+ name
+) VALUES (
+ 'regid.2004-05.com.ubuntu'
+);
+
+INSERT INTO regids ( /* 4 */
+ name
+) VALUES (
+ 'regid.1995-04.org.apache'
+);
+
+INSERT INTO regids ( /* 5 */
+ name
+) VALUES (
+ 'regid.1999-03.org.debian'
+);
+
+INSERT INTO regids ( /* 6 */
+ name
+) VALUES (
+ 'regid.1994-04.org.isc'
+);
+
+INSERT INTO regids ( /* 7 */
+ name
+) VALUES (
+ 'regid.1998-12.org.openssl'
+);
+
+INSERT INTO regids ( /* 8 */
+ name
+) VALUES (
+ 'regid.1998-01.org.samba'
+);
+
+INSERT INTO regids ( /* 9 */
+ name
+) VALUES (
+ 'regid.2002-08.org.sqlite'
+);
+
+INSERT INTO regids ( /* 10 */
+ name
+) VALUES (
+ 'regid.2004-03.org.strongswan'
+);
+
+/* Tags */
+
+INSERT INTO tags (
+ regid, unique_sw_id
+) VALUES (
+ 2, 'Windows-8-Pro'
+);
+
+INSERT INTO tags (
+ regid, unique_sw_id
+) VALUES (
+ 5, 'apache-2-2-22-13'
+);
+
+INSERT INTO tags (
+ regid, unique_sw_id
+) VALUES (
+ 5, 'bind-9-8-4-dfsg'
+);
+
+INSERT INTO tags (
+ regid, unique_sw_id
+) VALUES (
+ 5, 'libsqlite-3-7-13-1'
+);
+
+INSERT INTO tags (
+ regid, unique_sw_id
+) VALUES (
+ 5, 'libssl-1-0-1e-2'
+);
+
+INSERT INTO tags (
+ regid, unique_sw_id
+) VALUES (
+ 5, 'libssl-dev-1-0-1e-2'
+);
+
+INSERT INTO tags (
+ regid, unique_sw_id
+) VALUES (
+ 5, 'libssl-doc-1-0-1e-2'
+);
+
+INSERT INTO tags (
+ regid, unique_sw_id
+) VALUES (
+ 5, 'openssl-1-0-1e-2'
+);
+
+INSERT INTO tags (
+ regid, unique_sw_id
+) VALUES (
+ 5, 'smbclient-3-6-6-6'
+);
+
+INSERT INTO tags (
+ regid, unique_sw_id
+) VALUES (
+ 5, 'sqlite-3-7-13-1'
+);
+
+INSERT INTO tags (
+ regid, unique_sw_id
+) VALUES (
+ 10, 'strongSwan-5-1-1'
+);
+
diff --git a/testing/hosts/default/etc/pts/tables.sql b/testing/hosts/default/etc/pts/tables.sql
index 4cc959e09..a0f3a4e8d 100644
--- a/testing/hosts/default/etc/pts/tables.sql
+++ b/testing/hosts/default/etc/pts/tables.sql
@@ -232,3 +232,25 @@ CREATE TABLE identities (
UNIQUE (type, value)
);
+DROP TABLE IF EXISTS regids;
+CREATE TABLE regids (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ name TEXT NOT NULL
+);
+DROP INDEX IF EXISTS regids_name;
+CREATE INDEX regids_name ON regids (
+ name
+);
+
+DROP TABLE IF EXISTS tags;
+CREATE TABLE tags (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ regid INTEGER NOT NULL REFERENCES regids(id),
+ unique_sw_id TEXT NOT NULL,
+ value TEXT
+);
+DROP INDEX IF EXISTS tags_name;
+CREATE INDEX tags_unique_sw_id ON tags (
+ unique_sw_id
+);
+
diff --git a/testing/hosts/winnetou/etc/bind/db.strongswan.org b/testing/hosts/winnetou/etc/bind/db.strongswan.org
index dfd2705cb..694e2cee1 100644
--- a/testing/hosts/winnetou/etc/bind/db.strongswan.org
+++ b/testing/hosts/winnetou/etc/bind/db.strongswan.org
@@ -31,6 +31,57 @@ crl IN CNAME winnetou.strongswan.org.
ldap IN CNAME winnetou.strongswan.org.
ocsp IN CNAME winnetou.strongswan.org.
;
+moon IN CERT ( 1 0 0
+ MIIEIjCCAwqgAwIBAgIBFzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+ b290IENBMB4XDTA5MDgyNzEwMDMzMloXDTE0MDgyNjEwMDMzMlowRjELMAkGA1UE
+ BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u
+ c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDK
+ L2M91Lu6BYYhWxWgMS9z9TMSTwszm5rhO7ZIsCtMRo4PAeYw+++SGXt3CPXb/+p+
+ SWKGlm11rPE71eQ3ehgh2C3hAurfmWO0iQQaCw+fdreeIVCqOQIOP6UqZ327h5yY
+ YpHk8VQv4vBJTpxclU1PqnWheqe1ZlLxsW773LRml/fQt/UgvJkCBTZZONLNMfK+
+ 7TDnYaVsAtncgvDN78nUNEe2qY92KK7SrBJ6SpUEg49m51F+XgsGcsgWVHS85on3
+ Om/G48crLEVJjdu8CxewSRVgb+lPJWzHd8QsU0Vg/7vlqs3ZRMyNtNKrr4opSvVb
+ A6agGlTXhDCreDiXU8KHAgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQE
+ AwIDqDAdBgNVHQ4EFgQUapx00fiJeYn2WpTpifH6w2SdKS4wbQYDVR0jBGYwZIAU
+ XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK
+ ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC
+ AQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggr
+ BgEFBQcDATA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+ b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCctXg2xeMozaTV
+ jiBL1P8MY9uEH5JtU0EceQ1RbI5/2vGRdnECND9oADY5vamaaE2Mdq2Qh/vlXnML
+ o3ii5ELjsQlYdTYZOcMOdcUUXYvbbFX1cwpkBhyBl1H25KptHcgQ/HnceKp3kOuq
+ wYOYjgwePXulcpWXx0E2QtQCFQQZFPyEWeNJxH0oglg53QPXfHY9I2/Gukj5V0bz
+ p7ME0Gs8KdnYdmbbDqzQgPsta96/m+HoJlsrVF+4Gqihj6BWMBQ2ybjPWZdG3oH9
+ 25cE8v60Ry98D0Z/tygbAUFnh5oOvaf642paVgc3aoA77I8U+UZjECxISoiHultY
+ 7QTufOwP
+ )
+sun IN CERT ( 1 0 0
+ MIIEIDCCAwigAwIBAgIBFjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+ b290IENBMB4XDTA5MDgyNzA5NTkwNFoXDTE0MDgyNjA5NTkwNFowRTELMAkGA1UE
+ BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z
+ dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+V
+ VIpn6Q5jaU//EN6p6A5cSfUfhBK0mFa2laFFZh/Y0h66AXqqrQ3X917h7YNsSk68
+ oowY9h9I3gOx7hNVBsJr2VjdYC+b0q5NTha09/A5mimv/prYj6o0yawxoPjoDs9Y
+ h7D7Kf+F8fkgk0stlHJZX66J7dNrFXbg1xBld+Ep5Or2FbEZ9QWUpRQTuhdpNt/4
+ 9YuxQ59DemY9IRbwsrKCHH0mGrJsDdqeb0ap+8QvSXHjCt1fr9MNKWaAFAQLKQI4
+ e0da1ntPCEQLeE833+NNRBgGufk0KqGT3eAXqrxa9AEIUJnVcPexQdqUMjcUpXFb
+ 8WNzRWB8Egh3BDK6FsECAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+ AgOoMB0GA1UdDgQWBBRW1p4v2qihzRlcI1PnxbZwluML+zBtBgNVHSMEZjBkgBRd
+ p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
+ EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
+ ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
+ BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
+ Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAo37LYT9Awx0MK/nA
+ FZpPJqUr0Ey+O5Ukcsdx7nd00SlmpiQRY8KmuRXCBQnDEgdLstd3slQjT0pJEgWF
+ 0pzxybnI6eOzYAhLfhart+X1hURiNGbXjggm2s4I5+K32bVIkNEqlsYnd/6F9oo5
+ ZNO0/eTTruLZfkNe/zchBGKe/Z7MacVwlYWWCbMtBV4K1d5dGcRRgpQ9WivDlmat
+ Nh9wlscDSgSGk3HJkbxnq695VN7zUbDWAUvWWhV5bIDjlAR/xyT9ApqIxiyVVRul
+ fYrE7U05Hbt6GgAroAKLp6qJup9+TxQAKSjKIwJ0hf7OuYyQ8TZtVHS7AOhm+T/5
+ G/jGGA==
+ )
+;
moon IN IPSECKEY ( 10 1 2 192.168.0.1
AwEAAcovYz3Uu7oFhiFbFaAxL3P1MxJPCzObmuE7tkiwK0xGjg8B5jD7
75IZe3cI9dv/6n5JYoaWbXWs8TvV5Dd6GCHYLeEC6t+ZY7SJBBoLD592
diff --git a/testing/scripts/recipes/003_freeradius.mk b/testing/scripts/recipes/003_freeradius.mk
index 7b7a5fe82..631c8b68a 100644
--- a/testing/scripts/recipes/003_freeradius.mk
+++ b/testing/scripts/recipes/003_freeradius.mk
@@ -1,6 +1,6 @@
#!/usr/bin/make
-PV = 2.2.0
+PV = 2.2.1
PKG = freeradius-server-$(PV)
TAR = $(PKG).tar.bz2
SRC = ftp://ftp.freeradius.org/pub/freeradius/$(TAR)
@@ -16,7 +16,6 @@ CONFIG_OPTS = \
PATCHES = \
freeradius-eap-sim-identity \
- freeradius-avp-size \
freeradius-tnc-fhh
all: install
diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk
index 6240d4228..85f80fe5b 100644
--- a/testing/scripts/recipes/013_strongswan.mk
+++ b/testing/scripts/recipes/013_strongswan.mk
@@ -43,6 +43,8 @@ CONFIG_OPTS = \
--enable-imv-os \
--enable-imc-attestation \
--enable-imv-attestation \
+ --enable-imc-swid \
+ --enable-imv-swid \
--enable-sql \
--enable-sqlite \
--enable-attr-sql \
@@ -73,6 +75,7 @@ CONFIG_OPTS = \
--enable-unity \
--enable-unbound \
--enable-ipseckey \
+ --enable-dnscert \
--enable-cmd \
--enable-libipsec \
--enable-kernel-libipsec \
diff --git a/testing/scripts/recipes/patches/freeradius-avp-size b/testing/scripts/recipes/patches/freeradius-avp-size
deleted file mode 100644
index e7e1f635b..000000000
--- a/testing/scripts/recipes/patches/freeradius-avp-size
+++ /dev/null
@@ -1,18 +0,0 @@
-diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
-index 6c9bd13..3344c53 100644
---- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
-+++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
-@@ -201,8 +201,11 @@ static VALUE_PAIR *diameter2vp(REQUEST *request, SSL *ssl,
- goto next_attr;
- }
-
-- if (size > 253) {
-- RDEBUG2("WARNING: diameter2vp skipping long attribute %u, attr");
-+ /*
-+ * EAP-Message AVPs can be larger than 253 octets.
-+ */
-+ if ((size > 253) && !((VENDOR(attr) == 0) && (attr == PW_EAP_MESSAGE))) {
-+ RDEBUG2("WARNING: diameter2vp skipping long attribute %u", attr);
- goto next_attr;
- }
-
diff --git a/testing/scripts/recipes/patches/freeradius-tnc-fhh b/testing/scripts/recipes/patches/freeradius-tnc-fhh
index 5abc6b25f..785538323 100644
--- a/testing/scripts/recipes/patches/freeradius-tnc-fhh
+++ b/testing/scripts/recipes/patches/freeradius-tnc-fhh
@@ -5074,7 +5074,7 @@ diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc
*
*/
-#include <freeradius-devel/ident.h>
--RCSID("$Id$")
+-RCSID("$Id: 213ede51c46a8c533961be8715395c0ab1f6b5c9 $")
-
-
-/*
@@ -5489,7 +5489,7 @@ diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc
*/
-#include <freeradius-devel/ident.h>
--RCSID("$Id$")
+-RCSID("$Id: 985ac01f384110b9a46ec8e84592351c21b3f09a $")
+/*
+ * EAP-TNC Packet with EAP Header, general structure
+ *
@@ -6180,7 +6180,7 @@ diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc
- *
- */
-#include <freeradius-devel/ident.h>
--RCSID("$Id$")
+-RCSID("$Id: 6077f6d2bdc2ebdea6575678e80e255f57215900 $")
-
-#include "tncs_connect.h"
-#include <ltdl.h>
diff --git a/testing/testing.conf b/testing/testing.conf
index 638762f9b..21055b85a 100644
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -14,64 +14,70 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
+TESTINGDIR=$(dirname `readlink -f ${BASH_SOURCE[0]}`)
+if [ -f $TESTINGDIR/testing.conf.local ]
+then
+ . $TESTINGDIR/testing.conf.local
+fi
+
# Root directory of testing
-TESTDIR=/srv/strongswan-testing
+: ${TESTDIR=/srv/strongswan-testing}
# Kernel configuration
-KERNELVERSION=3.8.1
-KERNEL=linux-$KERNELVERSION
-KERNELTARBALL=$KERNEL.tar.bz2
-KERNELCONFIG=$DIR/../config/kernel/config-3.8
-KERNELPATCH=ha-3.8-abicompat.patch.bz2
+: ${KERNELVERSION=3.11.6}
+: ${KERNEL=linux-$KERNELVERSION}
+: ${KERNELTARBALL=$KERNEL.tar.bz2}
+: ${KERNELCONFIG=$DIR/../config/kernel/config-3.11}
+: ${KERNELPATCH=ha-3.11-abicompat.patch.bz2}
# strongSwan version used in tests
-SWANVERSION=5.0.3
+: ${SWANVERSION=5.1.1}
# Build directory where the guest kernel and images will be built
-BUILDDIR=$TESTDIR/build
+: ${BUILDDIR=$TESTDIR/build}
# Directory shared between host and guests
-SHAREDDIR=$BUILDDIR/shared
+: ${SHAREDDIR=$BUILDDIR/shared}
# Logfile
-LOGFILE=$BUILDDIR/testing.log
+: ${LOGFILE=$BUILDDIR/testing.log}
# Directory used for loop-mounts
-LOOPDIR=$BUILDDIR/loop
+: ${LOOPDIR=$BUILDDIR/loop}
# Common image settings
-IMGEXT=qcow2
-IMGDIR=$BUILDDIR/images
+: ${IMGEXT=qcow2}
+: ${IMGDIR=$BUILDDIR/images}
# Base image settings
# The base image is a pristine OS installation created using debootstrap.
-BASEIMGSIZE=1280
-BASEIMGSUITE=wheezy
-BASEIMGARCH=amd64
-BASEIMG=$IMGDIR/debian-$BASEIMGSUITE-$BASEIMGARCH.$IMGEXT
-BASEIMGMIRROR=http://cdn.debian.net/debian
+: ${BASEIMGSIZE=1280}
+: ${BASEIMGSUITE=wheezy}
+: ${BASEIMGARCH=amd64}
+: ${BASEIMG=$IMGDIR/debian-$BASEIMGSUITE-$BASEIMGARCH.$IMGEXT}
+: ${BASEIMGMIRROR=http://cdn.debian.net/debian}
# Root image settings
# The root image is the origin of all guest images. It is a clone of the base
# image and contains additional test-specific software and patches.
-ROOTIMG=$IMGDIR/root.$IMGEXT
+: ${ROOTIMG=$IMGDIR/root.$IMGEXT}
# libvirt config
-NBDEV=/dev/nbd0
-NBDPARTITION=${NBDEV}p1
-VIRTIMGSTORE=/var/lib/libvirt/images
-KVMUSER=libvirt-qemu
-KVMGROUP=kvm
+: ${NBDEV=/dev/nbd0}
+: ${NBDPARTITION=${NBDEV}p1}
+: ${VIRTIMGSTORE=/var/lib/libvirt/images}
+: ${KVMUSER=libvirt-qemu}
+: ${KVMGROUP=kvm}
# Directory where test results will be stored
-TESTRESULTSDIR=$TESTDIR/testresults
+: ${TESTRESULTSDIR=$TESTDIR/testresults}
##############################################################
# Enable particular steps in the make-testing
#
-ENABLE_BUILD_BASEIMAGE="yes"
-ENABLE_BUILD_ROOTIMAGE="yes"
-ENABLE_BUILD_GUESTKERNEL="yes"
-ENABLE_BUILD_GUESTIMAGES="yes"
+: ${ENABLE_BUILD_BASEIMAGE=yes}
+: ${ENABLE_BUILD_ROOTIMAGE=yes}
+: ${ENABLE_BUILD_GUESTKERNEL=yes}
+: ${ENABLE_BUILD_GUESTIMAGES=yes}
##############################################################
# hostname and corresponding IPv4 and IPv6 addresses
@@ -79,7 +85,7 @@ ENABLE_BUILD_GUESTIMAGES="yes"
# this means retain the netmasks!
# Also don't use IPs ending with 254, they are reserved!
#
-HOSTNAMEIPV4="\
+: ${HOSTNAMEIPV4="\
alice,10.1.0.10,192.168.0.50 \
venus,10.1.0.20 \
moon,192.168.0.1,10.1.0.1 \
@@ -87,9 +93,9 @@ carol,192.168.0.100,10.3.0.1 \
winnetou,192.168.0.150 \
dave,192.168.0.200,10.3.0.2 \
sun,192.168.0.2,10.2.0.1 \
-bob,10.2.0.10"
+bob,10.2.0.10"}
-HOSTNAMEIPV6="\
+: ${HOSTNAMEIPV6="\
alice,fec1::10,fec0::5 \
venus,fec1::20 \
moon,fec0::1,fec1::1 \
@@ -97,11 +103,11 @@ carol,fec0::10,fec3::1 \
winnetou,fec0::15 \
dave,fec0::20,fec3::2 \
sun,fec0::2,fec2::1 \
-bob,fec2::10"
+bob,fec2::10"}
##############################################################
# VPN gateways / clients
# The hosts stated here will be created. Possible values
# are sun, moon, dave, carol, alice, venus, bob, winnetou.
#
-STRONGSWANHOSTS="alice bob carol dave moon sun venus winnetou"
+: ${STRONGSWANHOSTS="alice bob carol dave moon sun venus winnetou"}
diff --git a/testing/tests/ikev1/config-payload-push/description.txt b/testing/tests/ikev1/config-payload-push/description.txt
new file mode 100644
index 000000000..36f47799e
--- /dev/null
+++ b/testing/tests/ikev1/config-payload-push/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The gateway pushes <b>virtual IP</b> addresses to <b>carol</b> and <b>dave</b>via the IKEv1
+Mode Config protocol in <b>push</b> mode.
+<p/>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
+tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the
+client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings
+will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev1/config-payload-push/evaltest.dat b/testing/tests/ikev1/config-payload-push/evaltest.dat
new file mode 100644
index 000000000..b46dfddf6
--- /dev/null
+++ b/testing/tests/ikev1/config-payload-push/evaltest.dat
@@ -0,0 +1,26 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/config-payload-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/config-payload-push/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e85a49e5a
--- /dev/null
+++ b/testing/tests/ikev1/config-payload-push/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ modeconfig=push
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%config
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..0e4e57729
--- /dev/null
+++ b/testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev1/config-payload-push/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/config-payload-push/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..c18221192
--- /dev/null
+++ b/testing/tests/ikev1/config-payload-push/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ modeconfig=push
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=%config
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..0e4e57729
--- /dev/null
+++ b/testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev1/config-payload-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/config-payload-push/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..c144ae20e
--- /dev/null
+++ b/testing/tests/ikev1/config-payload-push/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ modeconfig=push
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+
+conn rw-carol
+ right=%any
+ rightid=carol@strongswan.org
+ rightsourceip=PH_IP_CAROL1
+ auto=add
+
+conn rw-dave
+ right=%any
+ rightid=dave@strongswan.org
+ rightsourceip=PH_IP_DAVE1
+ auto=add
diff --git a/testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..002166a54
--- /dev/null
+++ b/testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown attr
+
+ dns1 = PH_IP_WINNETOU
+ dns2 = PH_IP_VENUS
+}
diff --git a/testing/tests/ikev1/config-payload-push/posttest.dat b/testing/tests/ikev1/config-payload-push/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev1/config-payload-push/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/config-payload-push/pretest.dat b/testing/tests/ikev1/config-payload-push/pretest.dat
new file mode 100644
index 000000000..3864bdac3
--- /dev/null
+++ b/testing/tests/ikev1/config-payload-push/pretest.dat
@@ -0,0 +1,10 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev1/config-payload-push/test.conf b/testing/tests/ikev1/config-payload-push/test.conf
new file mode 100644
index 000000000..164b07ff9
--- /dev/null
+++ b/testing/tests/ikev1/config-payload-push/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/host2host-ah/description.txt b/testing/tests/ikev1/host2host-ah/description.txt
new file mode 100644
index 000000000..dccdd52a4
--- /dev/null
+++ b/testing/tests/ikev1/host2host-ah/description.txt
@@ -0,0 +1,5 @@
+An IPsec <b>AH transport-mode</b> connection using HMAC_SHA256 between the hosts
+<b>moon</b> and <b>sun</b> is successfully set up using IKEv1. <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the decrypted
+IP packets. In order to test the host-to-host connection <b>moon</b> pings
+<b>sun</b>.
diff --git a/testing/tests/ikev1/host2host-ah/evaltest.dat b/testing/tests/ikev1/host2host-ah/evaltest.dat
new file mode 100644
index 000000000..92695477a
--- /dev/null
+++ b/testing/tests/ikev1/host2host-ah/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES
diff --git a/testing/tests/ikev1/host2host-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-ah/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..a05e5d040
--- /dev/null
+++ b/testing/tests/ikev1/host2host-ah/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ keyexchange=ikev1
+
+conn host-host
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ type=transport
+ ah=sha256!
+ auto=add
diff --git a/testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev1/host2host-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-ah/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..6851ffb5c
--- /dev/null
+++ b/testing/tests/ikev1/host2host-ah/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ keyexchange=ikev1
+
+conn host-host
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ type=transport
+ ah=sha256!
+ auto=add
diff --git a/testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev1/host2host-ah/posttest.dat b/testing/tests/ikev1/host2host-ah/posttest.dat
new file mode 100644
index 000000000..1f7aa73a1
--- /dev/null
+++ b/testing/tests/ikev1/host2host-ah/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/host2host-ah/pretest.dat b/testing/tests/ikev1/host2host-ah/pretest.dat
new file mode 100644
index 000000000..99789b90f
--- /dev/null
+++ b/testing/tests/ikev1/host2host-ah/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up host-host
diff --git a/testing/tests/ikev1/host2host-ah/test.conf b/testing/tests/ikev1/host2host-ah/test.conf
new file mode 100644
index 000000000..9647dc6a2
--- /dev/null
+++ b/testing/tests/ikev1/host2host-ah/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-ah/description.txt b/testing/tests/ikev1/net2net-ah/description.txt
new file mode 100644
index 000000000..7ced7a551
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ah/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
+is set up using the IKEv1 protocol.
+With <b>ah=md5,sha1</b> gateway <b>moon</b> proposes the use of an
+<b>AH proposal</b>. Gateway <b>sun</b> selects SHA1 for integrity protection
+with its <b>ah=sha1!</b> configuration.
+<p/>
+Upon the successful establishment of the AH CHILD SA, client <b>alice</b> behind
+gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-ah/evaltest.dat b/testing/tests/ikev1/net2net-ah/evaltest.dat
new file mode 100644
index 000000000..bf6234b55
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ah/evaltest.dat
@@ -0,0 +1,11 @@
+sun:: cat /var/log/daemon.log::received proposals: AH:HMAC_MD5_96/NO_EXT_SEQ, AH:HMAC_SHA1_96/NO_EXT_SEQ::YES
+sun:: cat /var/log/daemon.log::selected proposal: AH:HMAC_SHA1_96/NO_EXT_SEQ::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES
+moon::ipsec statusall 2> /dev/null::HMAC_SHA1_96::YES
+sun:: ipsec statusall 2> /dev/null::HMAC_SHA1_96::YES
diff --git a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..d062dfe57
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="cfg 2, knl 3"
+
+conn %default
+ keyexchange=ikev1
+ ike=aes128-sha1-modp1536!
+ ah=md5,sha1
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..c374adfc4
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="cfg 2, knl 3"
+
+conn %default
+ keyexchange=ikev1
+ ike=aes128-sha1-modp1536!
+ ah=sha1!
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev1/net2net-ah/posttest.dat b/testing/tests/ikev1/net2net-ah/posttest.dat
new file mode 100644
index 000000000..1f7aa73a1
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ah/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/net2net-ah/pretest.dat b/testing/tests/ikev1/net2net-ah/pretest.dat
new file mode 100644
index 000000000..81a98fa41
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ah/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-ah/test.conf b/testing/tests/ikev1/net2net-ah/test.conf
new file mode 100644
index 000000000..afa2accbe
--- /dev/null
+++ b/testing/tests/ikev1/net2net-ah/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/host2host-ah/description.txt b/testing/tests/ikev2/host2host-ah/description.txt
new file mode 100644
index 000000000..11d814f8c
--- /dev/null
+++ b/testing/tests/ikev2/host2host-ah/description.txt
@@ -0,0 +1,5 @@
+An IPsec <b>AH transport-mode</b> connection using AES-XCBC between the hosts
+<b>moon</b> and <b>sun</b> is successfully set up. <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the decrypted
+IP packets. In order to test the host-to-host connection <b>moon</b> pings
+<b>sun</b>.
diff --git a/testing/tests/ikev2/host2host-ah/evaltest.dat b/testing/tests/ikev2/host2host-ah/evaltest.dat
new file mode 100644
index 000000000..92695477a
--- /dev/null
+++ b/testing/tests/ikev2/host2host-ah/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES
diff --git a/testing/tests/ikev2/host2host-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..535e3d491
--- /dev/null
+++ b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ type=transport
+ ah=aesxcbc
+ auto=add
diff --git a/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/host2host-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..9537c187b
--- /dev/null
+++ b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ type=transport
+ ah=aesxcbc
+ auto=add
diff --git a/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/host2host-ah/posttest.dat b/testing/tests/ikev2/host2host-ah/posttest.dat
new file mode 100644
index 000000000..1f7aa73a1
--- /dev/null
+++ b/testing/tests/ikev2/host2host-ah/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-ah/pretest.dat b/testing/tests/ikev2/host2host-ah/pretest.dat
new file mode 100644
index 000000000..99789b90f
--- /dev/null
+++ b/testing/tests/ikev2/host2host-ah/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up host-host
diff --git a/testing/tests/ikev2/host2host-ah/test.conf b/testing/tests/ikev2/host2host-ah/test.conf
new file mode 100644
index 000000000..9647dc6a2
--- /dev/null
+++ b/testing/tests/ikev2/host2host-ah/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-ah/description.txt b/testing/tests/ikev2/net2net-ah/description.txt
new file mode 100644
index 000000000..a8ac7ee6b
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ah/description.txt
@@ -0,0 +1,7 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+With <b>ah=sha1-md5</b> gateway <b>moon</b> proposes the use of an
+<b>AH proposal</b>. Gateway <b>sun</b> selects SHA1 for integrity protection
+with its <b>ah=sha1!</b> configuration.
+<p/>
+Upon the successful establishment of the AH CHILD SA, client <b>alice</b> behind
+gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-ah/evaltest.dat b/testing/tests/ikev2/net2net-ah/evaltest.dat
new file mode 100644
index 000000000..c5f2b1ecb
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ah/evaltest.dat
@@ -0,0 +1,11 @@
+sun:: cat /var/log/daemon.log::received proposals: AH:HMAC_SHA1_96/HMAC_MD5_96/NO_EXT_SEQ::YES
+sun:: cat /var/log/daemon.log::selected proposal: AH:HMAC_SHA1_96/NO_EXT_SEQ::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES
+moon::ipsec statusall 2> /dev/null::HMAC_SHA1_96::YES
+sun:: ipsec statusall 2> /dev/null::HMAC_SHA1_96::YES
diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..602119553
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="cfg 2, knl 2"
+
+conn %default
+ keyexchange=ikev2
+ ike=aes128-sha1-modp1536!
+ ah=sha1-md5
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..3f1ee5991
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="cfg 2, knl 2"
+
+conn %default
+ keyexchange=ikev2
+ ike=aes128-sha1-modp1536!
+ ah=sha1!
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-ah/posttest.dat b/testing/tests/ikev2/net2net-ah/posttest.dat
new file mode 100644
index 000000000..1f7aa73a1
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ah/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-ah/pretest.dat b/testing/tests/ikev2/net2net-ah/pretest.dat
new file mode 100644
index 000000000..81a98fa41
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ah/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-ah/test.conf b/testing/tests/ikev2/net2net-ah/test.conf
new file mode 100644
index 000000000..afa2accbe
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ah/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-dnscert/description.txt b/testing/tests/ikev2/net2net-dnscert/description.txt
new file mode 100644
index 000000000..40c112bc4
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnscert/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on trustworthy public keys stored as <b>CERT</b>
+resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-dnscert/evaltest.dat b/testing/tests/ikev2/net2net-dnscert/evaltest.dat
new file mode 100644
index 000000000..effc9bc1f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnscert/evaltest.dat
@@ -0,0 +1,9 @@
+moon:: cat /var/log/daemon.log::performing a DNS query for CERT RRs of.*sun.strongswan.org::YES
+sun:: cat /var/log/daemon.log::performing a DNS query for CERT RRs of.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3eaf60a1d
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_MOON
+ leftid=moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftsendcert=never
+ leftauth=pubkey
+ leftfirewall=yes
+ right=sun.strongswan.org
+ rightid=sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ rightsendcert=never
+ rightauth=pubkey
+ auto=add
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.d/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.d/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+. IN DNSKEY 257 3 8 (
+ AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+ XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+ L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+ E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+ AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+ nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+ O9fOgGnjzAk=
+ )
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/resolv.conf b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e9c79b333
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound dnscert random nonce x509 curl kernel-netlink socket-default stroke updown
+
+ plugins {
+ dnscert {
+ enable = yes
+ }
+ }
+}
+
+libstrongswan {
+ plugins {
+ unbound {
+ # trust_anchors = /etc/ipsec.d/dnssec.keys
+ # resolv_conf = /etc/resolv.conf
+ }
+ }
+}
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..75c4addda
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_SUN
+ leftid=sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftcert=sunCert.pem
+ leftsendcert=never
+ leftauth=pubkey
+ leftfirewall=yes
+ right=moon.strongswan.org
+ rightid=moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightsendcert=never
+ rightauth=pubkey
+ auto=add
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.d/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.d/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+. IN DNSKEY 257 3 8 (
+ AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+ XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+ L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+ E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+ AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+ nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+ O9fOgGnjzAk=
+ )
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/resolv.conf b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..e9c79b333
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound dnscert random nonce x509 curl kernel-netlink socket-default stroke updown
+
+ plugins {
+ dnscert {
+ enable = yes
+ }
+ }
+}
+
+libstrongswan {
+ plugins {
+ unbound {
+ # trust_anchors = /etc/ipsec.d/dnssec.keys
+ # resolv_conf = /etc/resolv.conf
+ }
+ }
+}
diff --git a/testing/tests/ikev2/net2net-dnscert/posttest.dat b/testing/tests/ikev2/net2net-dnscert/posttest.dat
new file mode 100644
index 000000000..c594c4dc8
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnscert/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/resolv.conf
+sun::rm /etc/resolv.conf
+moon::rm /etc/ipsec.d/dnssec.keys
+sun::rm /etc/ipsec.d/dnssec.keys
diff --git a/testing/tests/ikev2/net2net-dnscert/pretest.dat b/testing/tests/ikev2/net2net-dnscert/pretest.dat
new file mode 100644
index 000000000..0f4ae0f4f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnscert/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-dnscert/test.conf b/testing/tests/ikev2/net2net-dnscert/test.conf
new file mode 100644
index 000000000..afa2accbe
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnscert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/libipsec/host2host-cert/description.txt b/testing/tests/libipsec/host2host-cert/description.txt
new file mode 100644
index 000000000..b240515fb
--- /dev/null
+++ b/testing/tests/libipsec/host2host-cert/description.txt
@@ -0,0 +1,10 @@
+A connection between the hosts <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and the <b>kernel-libipsec</b>
+plugin is used for userland IPsec ESP encryption. <b>Firewall marks</b> are used to make
+the direct ESP connection possible and still allow IKE traffic to flow freely between
+the two hosts.
+<p/>
+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the
+<b>ipsec0</b> tun interface. In order to test both host-to-host tunnel and firewall,
+<b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/libipsec/host2host-cert/evaltest.dat b/testing/tests/libipsec/host2host-cert/evaltest.dat
new file mode 100644
index 000000000..105c2a4ed
--- /dev/null
+++ b/testing/tests/libipsec/host2host-cert/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org.4500 > sun.strongswan.org.4500: UDP-encap: ESP::YES
+sun::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..6e8329a44
--- /dev/null
+++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftupdown=/etc/updown
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ auto=add
diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..d5c4d2718
--- /dev/null
+++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+ multiple_authentication = no
+ plugins {
+ kernel-netlink {
+ fwmark = !0x42
+ }
+ socket-default {
+ fwmark = 0x42
+ }
+ kernel-libipsec {
+ allow_peer_ts = yes
+ }
+ }
+}
diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown
new file mode 100755
index 000000000..aea6d8555
--- /dev/null
+++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown
@@ -0,0 +1,705 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+# CAUTION: Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make. If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+# PLUTO_VERSION
+# indicates what version of this interface is being
+# used. This document describes version 1.1. This
+# is upwardly compatible with version 1.0.
+#
+# PLUTO_VERB
+# specifies the name of the operation to be performed
+# (prepare-host, prepare-client, up-host, up-client,
+# down-host, or down-client). If the address family
+# for security gateway to security gateway communica-
+# tions is IPv6, then a suffix of -v6 is added to the
+# verb.
+#
+# PLUTO_CONNECTION
+# is the name of the connection for which we are
+# routing.
+#
+# PLUTO_NEXT_HOP
+# is the next hop to which packets bound for the peer
+# must be sent.
+#
+# PLUTO_INTERFACE
+# is the name of the ipsec interface to be used.
+#
+# PLUTO_REQID
+# is the requid of the ESP policy
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
+#
+# PLUTO_ME
+# is the IP address of our host.
+#
+# PLUTO_MY_ID
+# is the ID of our host.
+#
+# PLUTO_MY_CLIENT
+# is the IP address / count of our client subnet. If
+# the client is just the host, this will be the
+# host's own IP address / max (where max is 32 for
+# IPv4 and 128 for IPv6).
+#
+# PLUTO_MY_CLIENT_NET
+# is the IP address of our client net. If the client
+# is just the host, this will be the host's own IP
+# address.
+#
+# PLUTO_MY_CLIENT_MASK
+# is the mask for our client net. If the client is
+# just the host, this will be 255.255.255.255.
+#
+# PLUTO_MY_SOURCEIP
+# PLUTO_MY_SOURCEIP4_$i
+# PLUTO_MY_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP received from a responder,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# virtual IP, IPv4 or IPv6.
+#
+# PLUTO_MY_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_MY_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on our side.
+#
+# PLUTO_PEER
+# is the IP address of our peer.
+#
+# PLUTO_PEER_ID
+# is the ID of our peer.
+#
+# PLUTO_PEER_CA
+# is the CA which issued the cert of our peer.
+#
+# PLUTO_PEER_CLIENT
+# is the IP address / count of the peer's client sub-
+# net. If the client is just the peer, this will be
+# the peer's own IP address / max (where max is 32
+# for IPv4 and 128 for IPv6).
+#
+# PLUTO_PEER_CLIENT_NET
+# is the IP address of the peer's client net. If the
+# client is just the peer, this will be the peer's
+# own IP address.
+#
+# PLUTO_PEER_CLIENT_MASK
+# is the mask for the peer's client net. If the
+# client is just the peer, this will be
+# 255.255.255.255.
+#
+# PLUTO_PEER_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_PEER_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on the peer side.
+#
+# PLUTO_XAUTH_ID
+# is an optional user ID employed by the XAUTH protocol
+#
+# PLUTO_MARK_IN
+# is an optional XFRM mark set on the inbound IPsec SA
+#
+# PLUTO_MARK_OUT
+# is an optional XFRM mark set on the outbound IPsec SA
+#
+# PLUTO_UDP_ENC
+# contains the remote UDP port in the case of ESP_IN_UDP
+# encapsulation
+#
+# PLUTO_DNS4_$i
+# PLUTO_DNS6_$i
+# contains IPv4/IPv6 DNS server attribute received from a
+# responder, $i enumerates from 1 to the number of servers per
+# address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+ echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+ echo "$0: called by obsolete Pluto?" >&2
+ exit 2
+ ;;
+1.*) ;;
+*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+ exit 2
+ ;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':') # no parameters
+ ;;
+iptables:iptables) # due to (left/right)firewall; for default script only
+ ;;
+custom:*) # custom parameters (see above CAUTION comment)
+ ;;
+*) echo "$0: unknown parameters \`$*'" >&2
+ exit 2
+ ;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+ doroute add
+ ip route flush cache
+}
+downroute() {
+ doroute delete
+ ip route flush cache
+}
+
+addsource() {
+ st=0
+ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+ then
+ it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: addsource \`$it' failed ($oops)" >&2
+ fi
+ fi
+ return $st
+}
+
+doroute() {
+ st=0
+
+ if [ -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ for dir in /etc/sysconfig /etc/conf.d; do
+ if [ -f "$dir/defaultsource" ]
+ then
+ . "$dir/defaultsource"
+ fi
+ done
+
+ if [ -n "$DEFAULTSOURCE" ]
+ then
+ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+ fi
+ fi
+
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # leave because no route entry is required
+ return $st
+ fi
+
+ parms1="$PLUTO_PEER_CLIENT"
+
+ if [ -n "$PLUTO_NEXT_HOP" ]
+ then
+ parms2="via $PLUTO_NEXT_HOP"
+ else
+ parms2="via $PLUTO_PEER"
+ fi
+ parms2="$parms2 dev $PLUTO_INTERFACE"
+
+ parms3=
+ if [ -n "$PLUTO_MY_SOURCEIP" ]
+ then
+ if test "$1" = "add"
+ then
+ addsource
+ if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+ then
+ ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+ fi
+ fi
+ parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+ fi
+
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # opportunistic encryption work around
+ # need to provide route that eclipses default, without
+ # replacing it.
+ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+ ip route $1 128.0.0.0/1 $parms2 $parms3"
+ ;;
+ *) it="ip route $1 $parms1 $parms2 $parms3"
+ ;;
+ esac
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: doroute \`$it' failed ($oops)" >&2
+ fi
+ return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+ KLIPS=1
+ IPSEC_POLICY_IN=""
+ IPSEC_POLICY_OUT=""
+else
+ KLIPS=
+ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # exit because no route will be added,
+ # so that existing routes can stay
+ exit 0
+ fi
+
+ # delete possibly-existing route (preliminary to adding a route)
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # need to provide route that eclipses default, without
+ # replacing it.
+ parms1="0.0.0.0/1"
+ parms2="128.0.0.0/1"
+ it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+ oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+ ;;
+ *)
+ parms="$PLUTO_PEER_CLIENT"
+ it="ip route delete $parms 2>&1"
+ oops="`ip route delete $parms 2>&1`"
+ ;;
+ esac
+ status="$?"
+ if test " $oops" = " " -a " $status" != " 0"
+ then
+ oops="silent error, exit status $status"
+ fi
+ case "$oops" in
+ *'RTNETLINK answers: No such process'*)
+ # This is what route (currently -- not documented!) gives
+ # for "could not find such a route".
+ oops=
+ status=0
+ ;;
+ esac
+ if test " $oops" != " " -o " $status" != " 0"
+ then
+ echo "$0: \`$it' failed ($oops)" >&2
+ fi
+ exit $status
+ ;;
+route-host:*|route-client:*)
+ # connection to me or my client subnet being routed
+ uproute
+ ;;
+unroute-host:*|unroute-client:*)
+ # connection to me or my client subnet being unrouted
+ downroute
+ ;;
+up-host:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+down-host:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-host:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+ ;;
+route-host-v6:*|route-client-v6:*)
+ # connection to me or my client subnet being routed
+ #uproute_v6
+ ;;
+unroute-host-v6:*|unroute-client-v6:*)
+ # connection to me or my client subnet being unrouted
+ #downroute_v6
+ ;;
+up-host-v6:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-host-v6:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-client-v6:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-client-v6:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..becb97e04
--- /dev/null
+++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftupdown=/etc/updown
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..d5c4d2718
--- /dev/null
+++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+ multiple_authentication = no
+ plugins {
+ kernel-netlink {
+ fwmark = !0x42
+ }
+ socket-default {
+ fwmark = 0x42
+ }
+ kernel-libipsec {
+ allow_peer_ts = yes
+ }
+ }
+}
diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown
new file mode 100755
index 000000000..aea6d8555
--- /dev/null
+++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown
@@ -0,0 +1,705 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+# CAUTION: Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make. If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+# PLUTO_VERSION
+# indicates what version of this interface is being
+# used. This document describes version 1.1. This
+# is upwardly compatible with version 1.0.
+#
+# PLUTO_VERB
+# specifies the name of the operation to be performed
+# (prepare-host, prepare-client, up-host, up-client,
+# down-host, or down-client). If the address family
+# for security gateway to security gateway communica-
+# tions is IPv6, then a suffix of -v6 is added to the
+# verb.
+#
+# PLUTO_CONNECTION
+# is the name of the connection for which we are
+# routing.
+#
+# PLUTO_NEXT_HOP
+# is the next hop to which packets bound for the peer
+# must be sent.
+#
+# PLUTO_INTERFACE
+# is the name of the ipsec interface to be used.
+#
+# PLUTO_REQID
+# is the requid of the ESP policy
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
+#
+# PLUTO_ME
+# is the IP address of our host.
+#
+# PLUTO_MY_ID
+# is the ID of our host.
+#
+# PLUTO_MY_CLIENT
+# is the IP address / count of our client subnet. If
+# the client is just the host, this will be the
+# host's own IP address / max (where max is 32 for
+# IPv4 and 128 for IPv6).
+#
+# PLUTO_MY_CLIENT_NET
+# is the IP address of our client net. If the client
+# is just the host, this will be the host's own IP
+# address.
+#
+# PLUTO_MY_CLIENT_MASK
+# is the mask for our client net. If the client is
+# just the host, this will be 255.255.255.255.
+#
+# PLUTO_MY_SOURCEIP
+# PLUTO_MY_SOURCEIP4_$i
+# PLUTO_MY_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP received from a responder,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# virtual IP, IPv4 or IPv6.
+#
+# PLUTO_MY_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_MY_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on our side.
+#
+# PLUTO_PEER
+# is the IP address of our peer.
+#
+# PLUTO_PEER_ID
+# is the ID of our peer.
+#
+# PLUTO_PEER_CA
+# is the CA which issued the cert of our peer.
+#
+# PLUTO_PEER_CLIENT
+# is the IP address / count of the peer's client sub-
+# net. If the client is just the peer, this will be
+# the peer's own IP address / max (where max is 32
+# for IPv4 and 128 for IPv6).
+#
+# PLUTO_PEER_CLIENT_NET
+# is the IP address of the peer's client net. If the
+# client is just the peer, this will be the peer's
+# own IP address.
+#
+# PLUTO_PEER_CLIENT_MASK
+# is the mask for the peer's client net. If the
+# client is just the peer, this will be
+# 255.255.255.255.
+#
+# PLUTO_PEER_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_PEER_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on the peer side.
+#
+# PLUTO_XAUTH_ID
+# is an optional user ID employed by the XAUTH protocol
+#
+# PLUTO_MARK_IN
+# is an optional XFRM mark set on the inbound IPsec SA
+#
+# PLUTO_MARK_OUT
+# is an optional XFRM mark set on the outbound IPsec SA
+#
+# PLUTO_UDP_ENC
+# contains the remote UDP port in the case of ESP_IN_UDP
+# encapsulation
+#
+# PLUTO_DNS4_$i
+# PLUTO_DNS6_$i
+# contains IPv4/IPv6 DNS server attribute received from a
+# responder, $i enumerates from 1 to the number of servers per
+# address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+ echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+ echo "$0: called by obsolete Pluto?" >&2
+ exit 2
+ ;;
+1.*) ;;
+*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+ exit 2
+ ;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':') # no parameters
+ ;;
+iptables:iptables) # due to (left/right)firewall; for default script only
+ ;;
+custom:*) # custom parameters (see above CAUTION comment)
+ ;;
+*) echo "$0: unknown parameters \`$*'" >&2
+ exit 2
+ ;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+ doroute add
+ ip route flush cache
+}
+downroute() {
+ doroute delete
+ ip route flush cache
+}
+
+addsource() {
+ st=0
+ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+ then
+ it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: addsource \`$it' failed ($oops)" >&2
+ fi
+ fi
+ return $st
+}
+
+doroute() {
+ st=0
+
+ if [ -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ for dir in /etc/sysconfig /etc/conf.d; do
+ if [ -f "$dir/defaultsource" ]
+ then
+ . "$dir/defaultsource"
+ fi
+ done
+
+ if [ -n "$DEFAULTSOURCE" ]
+ then
+ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+ fi
+ fi
+
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # leave because no route entry is required
+ return $st
+ fi
+
+ parms1="$PLUTO_PEER_CLIENT"
+
+ if [ -n "$PLUTO_NEXT_HOP" ]
+ then
+ parms2="via $PLUTO_NEXT_HOP"
+ else
+ parms2="via $PLUTO_PEER"
+ fi
+ parms2="$parms2 dev $PLUTO_INTERFACE"
+
+ parms3=
+ if [ -n "$PLUTO_MY_SOURCEIP" ]
+ then
+ if test "$1" = "add"
+ then
+ addsource
+ if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+ then
+ ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+ fi
+ fi
+ parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+ fi
+
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # opportunistic encryption work around
+ # need to provide route that eclipses default, without
+ # replacing it.
+ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+ ip route $1 128.0.0.0/1 $parms2 $parms3"
+ ;;
+ *) it="ip route $1 $parms1 $parms2 $parms3"
+ ;;
+ esac
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: doroute \`$it' failed ($oops)" >&2
+ fi
+ return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+ KLIPS=1
+ IPSEC_POLICY_IN=""
+ IPSEC_POLICY_OUT=""
+else
+ KLIPS=
+ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # exit because no route will be added,
+ # so that existing routes can stay
+ exit 0
+ fi
+
+ # delete possibly-existing route (preliminary to adding a route)
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # need to provide route that eclipses default, without
+ # replacing it.
+ parms1="0.0.0.0/1"
+ parms2="128.0.0.0/1"
+ it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+ oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+ ;;
+ *)
+ parms="$PLUTO_PEER_CLIENT"
+ it="ip route delete $parms 2>&1"
+ oops="`ip route delete $parms 2>&1`"
+ ;;
+ esac
+ status="$?"
+ if test " $oops" = " " -a " $status" != " 0"
+ then
+ oops="silent error, exit status $status"
+ fi
+ case "$oops" in
+ *'RTNETLINK answers: No such process'*)
+ # This is what route (currently -- not documented!) gives
+ # for "could not find such a route".
+ oops=
+ status=0
+ ;;
+ esac
+ if test " $oops" != " " -o " $status" != " 0"
+ then
+ echo "$0: \`$it' failed ($oops)" >&2
+ fi
+ exit $status
+ ;;
+route-host:*|route-client:*)
+ # connection to me or my client subnet being routed
+ uproute
+ ;;
+unroute-host:*|unroute-client:*)
+ # connection to me or my client subnet being unrouted
+ downroute
+ ;;
+up-host:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+down-host:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-host:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+ ;;
+route-host-v6:*|route-client-v6:*)
+ # connection to me or my client subnet being routed
+ #uproute_v6
+ ;;
+unroute-host-v6:*|unroute-client-v6:*)
+ # connection to me or my client subnet being unrouted
+ #downroute_v6
+ ;;
+up-host-v6:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-host-v6:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-client-v6:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-client-v6:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/testing/tests/libipsec/host2host-cert/posttest.dat b/testing/tests/libipsec/host2host-cert/posttest.dat
new file mode 100644
index 000000000..8b6052f38
--- /dev/null
+++ b/testing/tests/libipsec/host2host-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::sysctl --pattern net.ipv4.conf.all.rp_filter --system
+sun::sysctl --pattern net.ipv4.conf.all.rp_filter --system
diff --git a/testing/tests/libipsec/host2host-cert/pretest.dat b/testing/tests/libipsec/host2host-cert/pretest.dat
new file mode 100644
index 000000000..d8d30af02
--- /dev/null
+++ b/testing/tests/libipsec/host2host-cert/pretest.dat
@@ -0,0 +1,8 @@
+moon::sysctl -w net.ipv4.conf.all.rp_filter=2
+sun::sysctl -w net.ipv4.conf.all.rp_filter=2
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up host-host
diff --git a/testing/tests/libipsec/host2host-cert/test.conf b/testing/tests/libipsec/host2host-cert/test.conf
new file mode 100644
index 000000000..9647dc6a2
--- /dev/null
+++ b/testing/tests/libipsec/host2host-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf
index 733592087..abb34ac91 100644
--- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf
@@ -1,6 +1,7 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
+ charondebug="knl 3, esp 3"
conn %default
ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt
new file mode 100644
index 000000000..d0ae5a823
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt
@@ -0,0 +1,17 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
+certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
+cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+plugin for the Elliptic Curve Diffie-Hellman groups only.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+<b>carol</b> proposes the <b>Brainpool</b> DH groups ECP_256_BP and ECP_384_BP whereas
+<b>dave</b> proposes ECP_256_BP and ECP_512_B P. Since <b>moon</b> does not support
+ECP_256_BP the roadwarriors fall back to ECP_384_BP and ECP_512_BP, respectively.
+<p>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat
new file mode 100644
index 000000000..b7606a48d
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat
@@ -0,0 +1,19 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::ECP_256_BP.*ECP_384_BP::YES
+dave:: cat /var/log/daemon.log::ECP_256_BP.*ECP_512_BP::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384_BP::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_512_BP::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..bfca8965f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128-sha256-ecp256bp,aes192-sha384-ecp384bp!
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..0bbf93a18
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..2b16165dc
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128-sha256-ecp256bp,aes256-sha512-ecp512bp!
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..785772254
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..8c02c9fea
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes192-sha384-ecp384bp,aes256-sha512-ecp512bp!
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..0bbf93a18
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
new file mode 100644
index 000000000..8bbea1412
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt
new file mode 100644
index 000000000..78eb0ffb3
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt
@@ -0,0 +1,17 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
+certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
+cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+plugin for the Elliptic Curve Diffie-Hellman groups only.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+<b>carol</b> proposes the <b>Brainpool</b> DH groups ECP_384_BP and ECP_224_BP whereas
+<b>dave</b> proposes ECP_192_BP and ECP_256_BP. Since <b>moon</b> does not support
+ECP_384_BP the roadwarriors fall back to ECP_224_BP and ECP_256_BP, respectively.
+<p>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat
new file mode 100644
index 000000000..5fb2073dd
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat
@@ -0,0 +1,19 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::ECP_384_BP.*ECP_224_BP::YES
+dave:: cat /var/log/daemon.log::ECP_384_BP.*ECP_256_BP::YES
+carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224_BP::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BP::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..be85b6c1e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes192-sha384-ecp384bp,3des-sha256-ecp224bp!
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..0bbf93a18
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..1adedc048
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes192-sha384-ecp384bp,aes128-sha256-ecp256bp!
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..785772254
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..b4cd86c60
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=3des-sha256-ecp224bp,aes128-sha256-ecp256bp!
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..0bbf93a18
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
new file mode 100644
index 000000000..8bbea1412
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt
index c1a3da88e..26e42c4b7 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt
@@ -3,7 +3,7 @@ but because <b>carol</b> has set the strongswan.conf option <b>initiator_only =
she ignores the repeated IKE requests sent by <b>dave</b>.
<p/>
After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
-connection to gateway <b>moon</b>. The authentication is based on Suite B with 128 bit
+connection to gateway <b>moon</b>. The authentication is based on Suite B with <b>128 bit</b>
security based on <b>X.509 ECDSA</b> certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b>
authenticated encryption.
<p/>
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem
index d29ddb9ee..522a29607 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,5 +1,6 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIMDstKxdv/vNBPfM8iHvn5g5/8T5aRSnlh27HHt6iTfGoAoGCCqGSM49
-AwEHoUQDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAjBuX3bs5ZIn7B
-rRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2nw==
------END EC PRIVATE KEY-----
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIGxMBwGCiqGSIb3DQEMAQMwDgQIMZeZ6WcLRQICAggABIGQVdFY4uNX+wTljx5B
+maey2lQKGzR1uWujrlgrnV5XUllz5riVLBQ62guQv2TWkQmwaiT503Fki+Hc+VfJ
+9CYAg9UjPuT/2H0e5wq0ZnWNJkpWY2LRpMeCkS4Tdww8PBINAoDraeLxtYLm2xsX
+mQ7raVahMTmSIO0YTkT7DJmevJAh2zYP7B613tY0PSKxcIdI
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets
index 3d6725162..4e53ef91a 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets
@@ -1,3 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-: ECDSA carolKey.pem
+: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
index 24bb2b3df..b8cb4fb8b 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
@@ -3,7 +3,7 @@ but because <b>carol</b> has set the strongswan.conf option <b>initiator_only =
she ignores the repeated IKE requests sent by <b>dave</b>.
<p/>
After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
-connection to gateway <b>moon</b>. The authentication is based on Suite B with 192 bit
+connection to gateway <b>moon</b>. The authentication is based on Suite B with <b>192 bit</b>
security based on <b>X.509 ECDSA</b> certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b>
authenticated encryption.
<p/>
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b94625718..52e044d5e 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,6 +1,8 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDCkhn8iMx3xfYLzonabc5FVG700UU6WKdke251F8ncgj1sGd5HZCV+N
-6pHODLMII96gBwYFK4EEACKhZANiAARGIOWH9s4UOrptJF0OraK85w1zFZIaU7l3
-LnIFG8CFNaU0lzL3ePGEMjMXmbE+maA1el2ZIFEpubfJ2TDwttYj7n+WN7TpiXqc
-4sE7plvsaodcU74GomtTHNt0dfDFaq0=
------END EC PRIVATE KEY-----
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBBTBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIBJ620rnDFmACAggA
+MBQGCCqGSIb3DQMHBAh/kkTRYRcX+wSBwIWR0utZGuNjA73xHtLlpgEG+Bt3WfVk
+f/C5nSAIov9F3x1BdJ6il25cdcZBsq8/I15kWU9M5CyAnoHFNLcyAHcRK6NONqlr
+lFCrU0P5OBDbo6YbCVQKAufCCH1WIGdJvMKL5gaV4mytTrc0g8aYr+66lMKlMJb8
+43pzNGdEwLFfyrpKIFjysCIj30btCVzJWFDeBptmF9Vw0ST+x7x6FWjh2SRgnU10
+/0cs85hh6etFtXlUhzSw7P3abL/8zmWIHw==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
index 3d6725162..4e53ef91a 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
@@ -1,3 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-: ECDSA carolKey.pem
+: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/sql/net2net-route-pem/evaltest.dat b/testing/tests/sql/net2net-route-pem/evaltest.dat
index 3fd32907c..2c85542e6 100644
--- a/testing/tests/sql/net2net-route-pem/evaltest.dat
+++ b/testing/tests/sql/net2net-route-pem/evaltest.dat
@@ -2,10 +2,10 @@ moon:: ipsec status 2> /dev/null::net-1.*ROUTED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-1.*ROUTED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::net-2.*ROUTED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-2.*ROUTED, TUNNEL::YES
-moon:: cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8\] === 10.2.0.10/32\[icmp\] with reqid {1}::YES
+moon:: cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8\] === 10.2.0.10/32\[icmp/8\] with reqid {1}::YES
moon:: ipsec status 2> /dev/null::net-1.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-1.*INSTALLED. TUNNEL::YES
-sun:: cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8\] === 10.1.0.20/32\[icmp\] with reqid {2}::YES
+sun:: cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8\] === 10.1.0.20/32\[icmp/8\] with reqid {2}::YES
moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql
deleted file mode 100644
index 090eb47ff..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql
+++ /dev/null
@@ -1,873 +0,0 @@
-/* Products */
-
-INSERT INTO products ( /* 1 */
- name
-) VALUES (
- 'Debian 6.0 i686'
-);
-
-INSERT INTO products ( /* 2 */
- name
-) VALUES (
- 'Debian 6.0 x86_64'
-);
-
-INSERT INTO products ( /* 3 */
- name
-) VALUES (
- 'Debian 7.0 i686'
-);
-
-INSERT INTO products ( /* 4 */
- name
-) VALUES (
- 'Debian 7.0 x86_64'
-);
-
-INSERT INTO products ( /* 5 */
- name
-) VALUES (
- 'Debian 8.0 i686'
-);
-
-INSERT INTO products ( /* 6 */
- name
-) VALUES (
- 'Debian 8.0 x86_64'
-);
-
-INSERT INTO products ( /* 7 */
- name
-) VALUES (
- 'Ubuntu 10.04 i686'
-);
-
-INSERT INTO products ( /* 8 */
- name
-) VALUES (
- 'Ubuntu 10.04 x86_64'
-);
-
-INSERT INTO products ( /* 9 */
- name
-) VALUES (
- 'Ubuntu 10.10 i686'
-);
-
-INSERT INTO products ( /* 10 */
- name
-) VALUES (
- 'Ubuntu 10.10 x86_64'
-);
-
-INSERT INTO products ( /* 11 */
- name
-) VALUES (
- 'Ubuntu 11.04 i686'
-);
-
-INSERT INTO products ( /* 12 */
- name
-) VALUES (
- 'Ubuntu 11.04 x86_64'
-);
-
-INSERT INTO products ( /* 13 */
- name
-) VALUES (
- 'Ubuntu 11.10 i686'
-);
-
-INSERT INTO products ( /* 14 */
- name
-) VALUES (
- 'Ubuntu 11.10 x86_64'
-);
-
-INSERT INTO products ( /* 15 */
- name
-) VALUES (
- 'Ubuntu 12.04 i686'
-);
-
-INSERT INTO products ( /* 16 */
- name
-) VALUES (
- 'Ubuntu 12.04 x86_64'
-);
-
-INSERT INTO products ( /* 17 */
- name
-) VALUES (
- 'Ubuntu 12.10 i686'
-);
-
-INSERT INTO products ( /* 18 */
- name
-) VALUES (
- 'Ubuntu 12.10 x86_64'
-);
-
-INSERT INTO products ( /* 19 */
- name
-) VALUES (
- 'Ubuntu 13.04 i686'
-);
-
-INSERT INTO products ( /* 20 */
- name
-) VALUES (
- 'Ubuntu 13.04 x86_64'
-);
-
-INSERT INTO products ( /* 21 */
- name
-) VALUES (
- 'Android 4.1.1'
-);
-
-INSERT INTO products ( /* 22 */
- name
-) VALUES (
- 'Android 4.2.1'
-);
-
-/* Directories */
-
-INSERT INTO directories ( /* 1 */
- path
-) VALUES (
- '/bin'
-);
-
-INSERT INTO directories ( /* 2 */
- path
-) VALUES (
- '/etc'
-);
-
-INSERT INTO directories ( /* 3 */
- path
-) VALUES (
- '/lib'
-);
-
-INSERT INTO directories ( /* 4 */
- path
-) VALUES (
- '/lib/i386-linux-gnu'
-);
-
-INSERT INTO directories ( /* 5 */
- path
-) VALUES (
- '/lib/x86_64-linux-gnu'
-);
-
-INSERT INTO directories ( /* 6 */
- path
-) VALUES (
- '/lib/xtables'
-);
-
-INSERT INTO directories ( /* 7 */
- path
-) VALUES (
- '/sbin'
-);
-
-INSERT INTO directories ( /* 8 */
- path
-) VALUES (
- '/usr/bin'
-);
-
-INSERT INTO directories ( /* 9 */
- path
-) VALUES (
- '/usr/lib'
-);
-
-INSERT INTO directories ( /* 10 */
- path
-) VALUES (
- '/usr/lib/i386-linux-gnu'
-);
-
-INSERT INTO directories ( /* 11 */
- path
-) VALUES (
- '/usr/lib/x86_64-linux-gnu'
-);
-
-INSERT INTO directories ( /* 12 */
- path
-) VALUES (
- '/usr/sbin'
-);
-
-INSERT INTO directories ( /* 13 */
- path
-) VALUES (
- '/system/bin'
-);
-
-INSERT INTO directories ( /* 14 */
- path
-) VALUES (
- '/system/lib'
-);
-
-/* Files */
-
-INSERT INTO files ( /* 1 */
- name, dir
-) VALUES (
- 'libcrypto.so.1.0.0', 5
-);
-
-INSERT INTO files ( /* 2 */
- name, dir
-) VALUES (
- 'libcrypto.so.1.0.0', 11
-);
-
-INSERT INTO files ( /* 3 */
- name, dir
-) VALUES (
- 'libssl.so.1.0.0', 5
-);
-
-INSERT INTO files ( /* 4 */
- name, dir
-) VALUES (
- 'libssl.so.1.0.0', 11
-);
-
-INSERT INTO files ( /* 5 */
- name, dir
-) VALUES (
- 'openssl', 8
-);
-
-INSERT INTO files ( /* 6 */
- name, dir
-) VALUES (
- 'tnc_config', 2
-);
-
-/* Algorithms */
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 65536, 'SHA1-IMA'
-);
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 32768, 'SHA1'
-);
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 16384, 'SHA256'
-);
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 8192, 'SHA384'
-);
-
-/* File Hashes */
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668'
-);
-
-/* Packages */
-
-INSERT INTO packages ( /* 1 */
- name
-) VALUES (
- 'libssl-dev'
-);
-
-INSERT INTO packages ( /* 2 */
- name
-) VALUES (
- 'libssl1.0.0'
-);
-
-INSERT INTO packages ( /* 3 */
- name
-) VALUES (
- 'libssl1.0.0-dbg'
-);
-
-INSERT INTO packages ( /* 4 */
- name
-) VALUES (
- 'openssl'
-);
-
-/* Versions */
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 1, 4, '1.0.1e-2', 1366531494
-);
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 2, 4, '1.0.1e-2', 1366531494
-);
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 3, 4, '1.0.1e-2', 1366531494
-);
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 4, 4, '1.0.1e-2', 1366531494
-);
-
-/* Components */
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 1, 33 /* ITA TGRUB */
-);
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 2, 33 /* ITA TBOOT */
-);
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 3, 33 /* ITA IMA - Trusted Platform */
-);
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 3, 34 /* ITA IMA - Operating System */
-);
-
-/* Groups */
-
-INSERT INTO groups ( /* 1 */
- name
-) VALUES (
- 'Default'
-);
-
-INSERT INTO groups ( /* 2 */
- name, parent
-) VALUES (
- 'Linux', 1
-);
-
-INSERT INTO groups ( /* 3 */
- name, parent
-) VALUES (
- 'Android', 1
-);
-
-INSERT INTO groups ( /* 4 */
- name, parent
-) VALUES (
- 'Debian i686', 2
-);
-
-INSERT INTO groups ( /* 5 */
- name, parent
-) VALUES (
- 'Debian x86_64', 2
-);
-
-INSERT INTO groups ( /* 6 */
- name, parent
-) VALUES (
- 'Ubuntu i686', 2
-);
-
-INSERT INTO groups ( /* 7 */
- name, parent
-) VALUES (
- 'Ubuntu x86_64', 2
-);
-
-INSERT INTO groups ( /* 8 */
- name
-) VALUES (
- 'Reference'
-);
-
-INSERT INTO groups ( /* 9 */
- name, parent
-) VALUES (
- 'Ref. Android', 8
-);
-
-INSERT INTO groups ( /* 10 */
- name, parent
-) VALUES (
- 'Ref. Linux', 8
-);
-
-/* Default Product Groups */
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 1
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 3
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 5
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 5, 2
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 5, 4
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 5, 6
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 7
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 9
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 11
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 13
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 15
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 17
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 19
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 8
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 10
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 12
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 14
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 16
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 18
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 20
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 3, 21
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 3, 22
-);
-
-/* Devices */
-
-INSERT INTO devices ( /* 1 */
- value, product, created
-) VALUES (
- 'aabbccddeeff11223344556677889900', 4, 1372330615
-);
-
-/* Groups Members */
-
-INSERT INTO groups_members (
- group_id, device_id
-) VALUES (
- 10, 1
-);
-
-/* Policies */
-
-INSERT INTO policies ( /* 1 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 1, 'Installed Packages', 2, 2
-);
-
-INSERT INTO policies ( /* 2 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 2, 'Unknown Source', 2, 2
-);
-
-INSERT INTO policies ( /* 3 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 3, 'IP Forwarding Enabled', 1, 1
-);
-
-INSERT INTO policies ( /* 4 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 4, 'Default Factory Password Enabled', 1, 1
-);
-
-INSERT INTO policies ( /* 5 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
-);
-
-INSERT INTO policies ( /* 6 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
-);
-
-INSERT INTO policies ( /* 7 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /usr/bin/openssl', 5, 2, 2
-);
-
-INSERT INTO policies ( /* 8 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 11, 'No Open TCP Ports', 1, 1
-);
-
-INSERT INTO policies ( /* 9 */
- type, name, argument, rec_fail, rec_noresult
-) VALUES (
- 13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
-);
-
-INSERT INTO policies ( /* 10 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 7, 'Metadata of /etc/tnc_config', 6, 0, 0
-);
-
-INSERT INTO policies ( /* 11 */
- type, name, dir, rec_fail, rec_noresult
-) VALUES (
- 8, 'Get /bin', 1, 0, 0
-);
-
-INSERT INTO policies ( /* 12 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
-);
-
-INSERT INTO policies ( /* 13 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
-);
-
-INSERT INTO policies ( /* 14 */
- type, name, dir, rec_fail, rec_noresult
-) VALUES (
- 8, 'Get /system/bin', 13, 0, 0
-);
-
-INSERT INTO policies ( /* 15 */
- type, name, dir, rec_fail, rec_noresult
-) VALUES (
- 8, 'Get /system/lib', 14, 0, 0
-);
-
-INSERT INTO policies ( /* 16 */
- type, name, dir, rec_fail, rec_noresult
-) VALUES (
- 9, 'Measure /bin', 1, 2, 2
-);
-
-/* Enforcements */
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 2, 3, 0
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age, rec_fail, rec_noresult
-) VALUES (
- 3, 2, 0, 2, 2
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age, rec_fail, rec_noresult
-) VALUES (
- 3, 10, 0, 2, 2
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 5, 7, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 6, 7, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 7, 2, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 8, 1, 60
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 9, 1, 60
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 10, 2, 60
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 11, 10, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 12, 5, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 13, 5, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 14, 9, 0
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 15, 9, 0
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 16, 2, 0
-);
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql
new file mode 100644
index 000000000..2bb7e7924
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql
@@ -0,0 +1,29 @@
+/* Devices */
+
+INSERT INTO devices ( /* 1 */
+ value, product, created
+) VALUES (
+ 'aabbccddeeff11223344556677889900', 28, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+ group_id, device_id
+) VALUES (
+ 10, 1
+);
+
+INSERT INTO enforcements (
+ policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+ 3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+ policy, group_id, max_age
+) VALUES (
+ 16, 2, 0
+);
+
+DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
index 5f94f8dbb..a991d05ea 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
@@ -5,7 +5,7 @@ carol::echo 0 > /proc/sys/net/ipv4/ip_forward
dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db
+alice::cd /etc/pts; cat tables.sql data.sql data1.sql | sqlite3 config.db
alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
alice::cat /etc/tnc_config
carol::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-11-supplicant/description.txt b/testing/tests/tnc/tnccs-11-supplicant/description.txt
new file mode 100644
index 000000000..6505750b2
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/description.txt
@@ -0,0 +1,12 @@
+The layer 2 supplicants <b>carol</b> and <b>dave</b> want to connect to a network
+via switch <b>moon</b> which delegates the IEEE 802.1X authentication to the RADIUS
+server <b>alice</b>. <b>carol</b> and <b>dave</b> set up an <b>EAP-TTLS</b> tunnel
+each via <b>moon</b> to the <a href="http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh" target="popup"> <b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated
+by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+The communication between IMCs and IMVs is based on the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
+are connected by switch <b>moon</b> to the "allow" and "isolate" VLANs, respectively.
diff --git a/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat b/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat
new file mode 100644
index 000000000..2d43b3c7b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat
@@ -0,0 +1,2 @@
+carol::cat /var/log/daemon.log::IMC.*changed state.*Allowed::YES
+dave:: cat /var/log/daemon.log::IMC.*changed state.*Isolate::YES
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..31556361e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,25 @@
+eap {
+ md5 {
+ }
+ default_eap_type = ttls
+ tls {
+ private_key_file = /etc/raddb/certs/aaaKey.pem
+ certificate_file = /etc/raddb/certs/aaaCert.pem
+ CA_file = /etc/raddb/certs/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = /etc/raddb/certs/dh
+ random_file = /etc/raddb/certs/random
+ }
+ ttls {
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ tnc_virtual_server = "inner-tunnel-second"
+ }
+}
+
+eap eap_tnc {
+ default_eap_type = tnc
+ tnc {
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
new file mode 100644
index 000000000..c5bde6a9e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
@@ -0,0 +1,36 @@
+server inner-tunnel-second {
+
+authorize {
+ eap_tnc {
+ ok = return
+ }
+}
+
+authenticate {
+ eap_tnc
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ if (control:TNC-Status == "Access") {
+ update reply {
+ Tunnel-Type := ESP
+ Filter-Id := "allow"
+ }
+ }
+ elsif (control:TNC-Status == "Isolate") {
+ update reply {
+ Tunnel-Type := ESP
+ Filter-Id := "isolate"
+ }
+ }
+
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol Cleartext-Password := "Ar3etTnp"
+dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..45050f7e1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libimcv {
+ debug_level = 3
+ assessment_result = no
+ plugins {
+ imv-test {
+ rounds = 1
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties
new file mode 100644
index 000000000..2bdc6e4de
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties
@@ -0,0 +1,15 @@
+# Set root logger level to DEBUG and its appenders to A1 and A2.
+log4j.rootLogger=DEBUG, A1, A2
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
+
+# A2 is set to be a SyslogAppender
+log4j.appender.A2=org.apache.log4j.net.SyslogAppender
+log4j.appender.A2.Facility=DAEMON
+log4j.appender.A2.SyslogHost=localhost
+log4j.appender.A2.Threshold=DEBUG
+log4j.appender.A2.layout=org.apache.log4j.PatternLayout
+log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..da732f68b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client
+
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
+IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..f24455975
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf
@@ -0,0 +1 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..ddd495699
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..71fbae695
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libimcv {
+ debug_level = 3
+ plugins {
+ imc-test {
+ command = allow
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..b4288fd53
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf
new file mode 100644
index 000000000..92d84f570
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf
@@ -0,0 +1,10 @@
+ network={
+ ssid="eap_ttls"
+ scan_ssid=0
+ key_mgmt=IEEE8021X
+ eap=TTLS
+ identity="carol"
+ password="Ar3etTnp"
+ ca_cert="/etc/ipsec.d/cacerts/strongswanCert.pem"
+ id_str=""
+ }
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..f24455975
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf
@@ -0,0 +1 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ddd495699
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..4ce2769f2
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libimcv {
+ debug_level = 3
+ plugins {
+ imc-test {
+ command = isolate
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..b4288fd53
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf
new file mode 100644
index 000000000..37a343df6
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf
@@ -0,0 +1,10 @@
+ network={
+ ssid="eap_ttls"
+ scan_ssid=0
+ key_mgmt=IEEE8021X
+ eap=TTLS
+ identity="dave"
+ password="W7R0g3do"
+ ca_cert="/etc/ipsec.d/cacerts/strongswanCert.pem"
+ id_str=""
+ }
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf
new file mode 100644
index 000000000..c84fcbd91
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf
@@ -0,0 +1,1127 @@
+##### hostapd configuration file ##############################################
+# Empty lines and lines starting with # are ignored
+
+# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for
+# management frames); ath0 for madwifi
+interface=eth0
+
+# In case of madwifi, atheros, and nl80211 driver interfaces, an additional
+# configuration parameter, bridge, may be used to notify hostapd if the
+# interface is included in a bridge. This parameter is not used with Host AP
+# driver. If the bridge parameter is not set, the drivers will automatically
+# figure out the bridge interface (assuming sysfs is enabled and mounted to
+# /sys) and this parameter may not be needed.
+#
+# For nl80211, this parameter can be used to request the AP interface to be
+# added to the bridge automatically (brctl may refuse to do this before hostapd
+# has been started to change the interface mode). If needed, the bridge
+# interface is also created.
+#bridge=br0
+
+# Driver interface type (hostap/wired/madwifi/test/none/nl80211/bsd);
+# default: hostap). nl80211 is used with all Linux mac80211 drivers.
+# Use driver=none if building hostapd as a standalone RADIUS server that does
+# not control any wireless/wired driver.
+driver=wired
+
+# hostapd event logger configuration
+#
+# Two output method: syslog and stdout (only usable if not forking to
+# background).
+#
+# Module bitfield (ORed bitfield of modules that will be logged; -1 = all
+# modules):
+# bit 0 (1) = IEEE 802.11
+# bit 1 (2) = IEEE 802.1X
+# bit 2 (4) = RADIUS
+# bit 3 (8) = WPA
+# bit 4 (16) = driver interface
+# bit 5 (32) = IAPP
+# bit 6 (64) = MLME
+#
+# Levels (minimum value for logged events):
+# 0 = verbose debugging
+# 1 = debugging
+# 2 = informational messages
+# 3 = notification
+# 4 = warning
+#
+logger_syslog=-1
+logger_syslog_level=2
+logger_stdout=-1
+logger_stdout_level=0
+
+# Dump file for state information (on SIGUSR1)
+dump_file=/tmp/hostapd.dump
+
+# Interface for separate control program. If this is specified, hostapd
+# will create this directory and a UNIX domain socket for listening to requests
+# from external programs (CLI/GUI, etc.) for status information and
+# configuration. The socket file will be named based on the interface name, so
+# multiple hostapd processes/interfaces can be run at the same time if more
+# than one interface is used.
+# /var/run/hostapd is the recommended directory for sockets and by default,
+# hostapd_cli will use it when trying to connect with hostapd.
+ctrl_interface=/var/run/hostapd
+
+# Access control for the control interface can be configured by setting the
+# directory to allow only members of a group to use sockets. This way, it is
+# possible to run hostapd as root (since it needs to change network
+# configuration and open raw sockets) and still allow GUI/CLI components to be
+# run as non-root users. However, since the control interface can be used to
+# change the network configuration, this access needs to be protected in many
+# cases. By default, hostapd is configured to use gid 0 (root). If you
+# want to allow non-root users to use the contron interface, add a new group
+# and change this value to match with that group. Add users that should have
+# control interface access to this group.
+#
+# This variable can be a group name or gid.
+#ctrl_interface_group=wheel
+ctrl_interface_group=0
+
+
+##### IEEE 802.11 related configuration #######################################
+
+# SSID to be used in IEEE 802.11 management frames
+#ssid=test
+
+# Country code (ISO/IEC 3166-1). Used to set regulatory domain.
+# Set as needed to indicate country in which device is operating.
+# This can limit available channels and transmit power.
+#country_code=US
+
+# Enable IEEE 802.11d. This advertises the country_code and the set of allowed
+# channels and transmit power levels based on the regulatory limits. The
+# country_code setting must be configured with the correct country for
+# IEEE 802.11d functions.
+# (default: 0 = disabled)
+#ieee80211d=1
+
+# Operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g,
+# Default: IEEE 802.11b
+hw_mode=g
+
+# Channel number (IEEE 802.11)
+# (default: 0, i.e., not set)
+# Please note that some drivers do not use this value from hostapd and the
+# channel will need to be configured separately with iwconfig.
+channel=1
+
+# Beacon interval in kus (1.024 ms) (default: 100; range 15..65535)
+beacon_int=100
+
+# DTIM (delivery traffic information message) period (range 1..255):
+# number of beacons between DTIMs (1 = every beacon includes DTIM element)
+# (default: 2)
+dtim_period=2
+
+# Maximum number of stations allowed in station table. New stations will be
+# rejected after the station table is full. IEEE 802.11 has a limit of 2007
+# different association IDs, so this number should not be larger than that.
+# (default: 2007)
+max_num_sta=255
+
+# RTS/CTS threshold; 2347 = disabled (default); range 0..2347
+# If this field is not included in hostapd.conf, hostapd will not control
+# RTS threshold and 'iwconfig wlan# rts <val>' can be used to set it.
+rts_threshold=2347
+
+# Fragmentation threshold; 2346 = disabled (default); range 256..2346
+# If this field is not included in hostapd.conf, hostapd will not control
+# fragmentation threshold and 'iwconfig wlan# frag <val>' can be used to set
+# it.
+fragm_threshold=2346
+
+# Rate configuration
+# Default is to enable all rates supported by the hardware. This configuration
+# item allows this list be filtered so that only the listed rates will be left
+# in the list. If the list is empty, all rates are used. This list can have
+# entries that are not in the list of rates the hardware supports (such entries
+# are ignored). The entries in this list are in 100 kbps, i.e., 11 Mbps = 110.
+# If this item is present, at least one rate have to be matching with the rates
+# hardware supports.
+# default: use the most common supported rate setting for the selected
+# hw_mode (i.e., this line can be removed from configuration file in most
+# cases)
+#supported_rates=10 20 55 110 60 90 120 180 240 360 480 540
+
+# Basic rate set configuration
+# List of rates (in 100 kbps) that are included in the basic rate set.
+# If this item is not included, usually reasonable default set is used.
+#basic_rates=10 20
+#basic_rates=10 20 55 110
+#basic_rates=60 120 240
+
+# Short Preamble
+# This parameter can be used to enable optional use of short preamble for
+# frames sent at 2 Mbps, 5.5 Mbps, and 11 Mbps to improve network performance.
+# This applies only to IEEE 802.11b-compatible networks and this should only be
+# enabled if the local hardware supports use of short preamble. If any of the
+# associated STAs do not support short preamble, use of short preamble will be
+# disabled (and enabled when such STAs disassociate) dynamically.
+# 0 = do not allow use of short preamble (default)
+# 1 = allow use of short preamble
+#preamble=1
+
+# Station MAC address -based authentication
+# Please note that this kind of access control requires a driver that uses
+# hostapd to take care of management frame processing and as such, this can be
+# used with driver=hostap or driver=nl80211, but not with driver=madwifi.
+# 0 = accept unless in deny list
+# 1 = deny unless in accept list
+# 2 = use external RADIUS server (accept/deny lists are searched first)
+macaddr_acl=0
+
+# Accept/deny lists are read from separate files (containing list of
+# MAC addresses, one per line). Use absolute path name to make sure that the
+# files can be read on SIGHUP configuration reloads.
+#accept_mac_file=/etc/hostapd.accept
+#deny_mac_file=/etc/hostapd.deny
+
+# IEEE 802.11 specifies two authentication algorithms. hostapd can be
+# configured to allow both of these or only one. Open system authentication
+# should be used with IEEE 802.1X.
+# Bit fields of allowed authentication algorithms:
+# bit 0 = Open System Authentication
+# bit 1 = Shared Key Authentication (requires WEP)
+auth_algs=3
+
+# Send empty SSID in beacons and ignore probe request frames that do not
+# specify full SSID, i.e., require stations to know SSID.
+# default: disabled (0)
+# 1 = send empty (length=0) SSID in beacon and ignore probe request for
+# broadcast SSID
+# 2 = clear SSID (ASCII 0), but keep the original length (this may be required
+# with some clients that do not support empty SSID) and ignore probe
+# requests for broadcast SSID
+ignore_broadcast_ssid=0
+
+# TX queue parameters (EDCF / bursting)
+# tx_queue_<queue name>_<param>
+# queues: data0, data1, data2, data3, after_beacon, beacon
+# (data0 is the highest priority queue)
+# parameters:
+# aifs: AIFS (default 2)
+# cwmin: cwMin (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023)
+# cwmax: cwMax (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023); cwMax >= cwMin
+# burst: maximum length (in milliseconds with precision of up to 0.1 ms) for
+# bursting
+#
+# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e):
+# These parameters are used by the access point when transmitting frames
+# to the clients.
+#
+# Low priority / AC_BK = background
+#tx_queue_data3_aifs=7
+#tx_queue_data3_cwmin=15
+#tx_queue_data3_cwmax=1023
+#tx_queue_data3_burst=0
+# Note: for IEEE 802.11b mode: cWmin=31 cWmax=1023 burst=0
+#
+# Normal priority / AC_BE = best effort
+#tx_queue_data2_aifs=3
+#tx_queue_data2_cwmin=15
+#tx_queue_data2_cwmax=63
+#tx_queue_data2_burst=0
+# Note: for IEEE 802.11b mode: cWmin=31 cWmax=127 burst=0
+#
+# High priority / AC_VI = video
+#tx_queue_data1_aifs=1
+#tx_queue_data1_cwmin=7
+#tx_queue_data1_cwmax=15
+#tx_queue_data1_burst=3.0
+# Note: for IEEE 802.11b mode: cWmin=15 cWmax=31 burst=6.0
+#
+# Highest priority / AC_VO = voice
+#tx_queue_data0_aifs=1
+#tx_queue_data0_cwmin=3
+#tx_queue_data0_cwmax=7
+#tx_queue_data0_burst=1.5
+# Note: for IEEE 802.11b mode: cWmin=7 cWmax=15 burst=3.3
+
+# 802.1D Tag (= UP) to AC mappings
+# WMM specifies following mapping of data frames to different ACs. This mapping
+# can be configured using Linux QoS/tc and sch_pktpri.o module.
+# 802.1D Tag 802.1D Designation Access Category WMM Designation
+# 1 BK AC_BK Background
+# 2 - AC_BK Background
+# 0 BE AC_BE Best Effort
+# 3 EE AC_BE Best Effort
+# 4 CL AC_VI Video
+# 5 VI AC_VI Video
+# 6 VO AC_VO Voice
+# 7 NC AC_VO Voice
+# Data frames with no priority information: AC_BE
+# Management frames: AC_VO
+# PS-Poll frames: AC_BE
+
+# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e):
+# for 802.11a or 802.11g networks
+# These parameters are sent to WMM clients when they associate.
+# The parameters will be used by WMM clients for frames transmitted to the
+# access point.
+#
+# note - txop_limit is in units of 32microseconds
+# note - acm is admission control mandatory flag. 0 = admission control not
+# required, 1 = mandatory
+# note - here cwMin and cmMax are in exponent form. the actual cw value used
+# will be (2^n)-1 where n is the value given here
+#
+wmm_enabled=1
+#
+# WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD]
+# Enable this flag if U-APSD supported outside hostapd (eg., Firmware/driver)
+#uapsd_advertisement_enabled=1
+#
+# Low priority / AC_BK = background
+wmm_ac_bk_cwmin=4
+wmm_ac_bk_cwmax=10
+wmm_ac_bk_aifs=7
+wmm_ac_bk_txop_limit=0
+wmm_ac_bk_acm=0
+# Note: for IEEE 802.11b mode: cWmin=5 cWmax=10
+#
+# Normal priority / AC_BE = best effort
+wmm_ac_be_aifs=3
+wmm_ac_be_cwmin=4
+wmm_ac_be_cwmax=10
+wmm_ac_be_txop_limit=0
+wmm_ac_be_acm=0
+# Note: for IEEE 802.11b mode: cWmin=5 cWmax=7
+#
+# High priority / AC_VI = video
+wmm_ac_vi_aifs=2
+wmm_ac_vi_cwmin=3
+wmm_ac_vi_cwmax=4
+wmm_ac_vi_txop_limit=94
+wmm_ac_vi_acm=0
+# Note: for IEEE 802.11b mode: cWmin=4 cWmax=5 txop_limit=188
+#
+# Highest priority / AC_VO = voice
+wmm_ac_vo_aifs=2
+wmm_ac_vo_cwmin=2
+wmm_ac_vo_cwmax=3
+wmm_ac_vo_txop_limit=47
+wmm_ac_vo_acm=0
+# Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102
+
+# Static WEP key configuration
+#
+# The key number to use when transmitting.
+# It must be between 0 and 3, and the corresponding key must be set.
+# default: not set
+#wep_default_key=0
+# The WEP keys to use.
+# A key may be a quoted string or unquoted hexadecimal digits.
+# The key length should be 5, 13, or 16 characters, or 10, 26, or 32
+# digits, depending on whether 40-bit (64-bit), 104-bit (128-bit), or
+# 128-bit (152-bit) WEP is used.
+# Only the default key must be supplied; the others are optional.
+# default: not set
+#wep_key0=123456789a
+#wep_key1="vwxyz"
+#wep_key2=0102030405060708090a0b0c0d
+#wep_key3=".2.4.6.8.0.23"
+
+# Station inactivity limit
+#
+# If a station does not send anything in ap_max_inactivity seconds, an
+# empty data frame is sent to it in order to verify whether it is
+# still in range. If this frame is not ACKed, the station will be
+# disassociated and then deauthenticated. This feature is used to
+# clear station table of old entries when the STAs move out of the
+# range.
+#
+# The station can associate again with the AP if it is still in range;
+# this inactivity poll is just used as a nicer way of verifying
+# inactivity; i.e., client will not report broken connection because
+# disassociation frame is not sent immediately without first polling
+# the STA with a data frame.
+# default: 300 (i.e., 5 minutes)
+ap_max_inactivity=30
+
+# Disassociate stations based on excessive transmission failures or other
+# indications of connection loss. This depends on the driver capabilities and
+# may not be available with all drivers.
+#disassoc_low_ack=1
+
+# Maximum allowed Listen Interval (how many Beacon periods STAs are allowed to
+# remain asleep). Default: 65535 (no limit apart from field size)
+#max_listen_interval=100
+
+# WDS (4-address frame) mode with per-station virtual interfaces
+# (only supported with driver=nl80211)
+# This mode allows associated stations to use 4-address frames to allow layer 2
+# bridging to be used.
+#wds_sta=1
+
+# If bridge parameter is set, the WDS STA interface will be added to the same
+# bridge by default. This can be overridden with the wds_bridge parameter to
+# use a separate bridge.
+#wds_bridge=wds-br0
+
+# Client isolation can be used to prevent low-level bridging of frames between
+# associated stations in the BSS. By default, this bridging is allowed.
+#ap_isolate=1
+
+##### IEEE 802.11n related configuration ######################################
+
+# ieee80211n: Whether IEEE 802.11n (HT) is enabled
+# 0 = disabled (default)
+# 1 = enabled
+# Note: You will also need to enable WMM for full HT functionality.
+#ieee80211n=1
+
+# ht_capab: HT capabilities (list of flags)
+# LDPC coding capability: [LDPC] = supported
+# Supported channel width set: [HT40-] = both 20 MHz and 40 MHz with secondary
+# channel below the primary channel; [HT40+] = both 20 MHz and 40 MHz
+# with secondary channel below the primary channel
+# (20 MHz only if neither is set)
+# Note: There are limits on which channels can be used with HT40- and
+# HT40+. Following table shows the channels that may be available for
+# HT40- and HT40+ use per IEEE 802.11n Annex J:
+# freq HT40- HT40+
+# 2.4 GHz 5-13 1-7 (1-9 in Europe/Japan)
+# 5 GHz 40,48,56,64 36,44,52,60
+# (depending on the location, not all of these channels may be available
+# for use)
+# Please note that 40 MHz channels may switch their primary and secondary
+# channels if needed or creation of 40 MHz channel maybe rejected based
+# on overlapping BSSes. These changes are done automatically when hostapd
+# is setting up the 40 MHz channel.
+# Spatial Multiplexing (SM) Power Save: [SMPS-STATIC] or [SMPS-DYNAMIC]
+# (SMPS disabled if neither is set)
+# HT-greenfield: [GF] (disabled if not set)
+# Short GI for 20 MHz: [SHORT-GI-20] (disabled if not set)
+# Short GI for 40 MHz: [SHORT-GI-40] (disabled if not set)
+# Tx STBC: [TX-STBC] (disabled if not set)
+# Rx STBC: [RX-STBC1] (one spatial stream), [RX-STBC12] (one or two spatial
+# streams), or [RX-STBC123] (one, two, or three spatial streams); Rx STBC
+# disabled if none of these set
+# HT-delayed Block Ack: [DELAYED-BA] (disabled if not set)
+# Maximum A-MSDU length: [MAX-AMSDU-7935] for 7935 octets (3839 octets if not
+# set)
+# DSSS/CCK Mode in 40 MHz: [DSSS_CCK-40] = allowed (not allowed if not set)
+# PSMP support: [PSMP] (disabled if not set)
+# L-SIG TXOP protection support: [LSIG-TXOP-PROT] (disabled if not set)
+#ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40]
+
+# Require stations to support HT PHY (reject association if they do not)
+#require_ht=1
+
+##### IEEE 802.1X-2004 related configuration ##################################
+
+# Require IEEE 802.1X authorization
+ieee8021x=1
+
+# IEEE 802.1X/EAPOL version
+# hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL
+# version 2. However, there are many client implementations that do not handle
+# the new version number correctly (they seem to drop the frames completely).
+# In order to make hostapd interoperate with these clients, the version number
+# can be set to the older version (1) with this configuration value.
+#eapol_version=2
+
+# Optional displayable message sent with EAP Request-Identity. The first \0
+# in this string will be converted to ASCII-0 (nul). This can be used to
+# separate network info (comma separated list of attribute=value pairs); see,
+# e.g., RFC 4284.
+#eap_message=hello
+#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com
+
+# WEP rekeying (disabled if key lengths are not set or are set to 0)
+# Key lengths for default/broadcast and individual/unicast keys:
+# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
+# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
+#wep_key_len_broadcast=5
+#wep_key_len_unicast=5
+# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)
+#wep_rekey_period=300
+
+# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
+# only broadcast keys are used)
+eapol_key_index_workaround=0
+
+# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable
+# reauthentication).
+#eap_reauth_period=3600
+
+# Use PAE group address (01:80:c2:00:00:03) instead of individual target
+# address when sending EAPOL frames with driver=wired. This is the most common
+# mechanism used in wired authentication, but it also requires that the port
+# is only used by one station.
+#use_pae_group_addr=1
+
+##### Integrated EAP server ###################################################
+
+# Optionally, hostapd can be configured to use an integrated EAP server
+# to process EAP authentication locally without need for an external RADIUS
+# server. This functionality can be used both as a local authentication server
+# for IEEE 802.1X/EAPOL and as a RADIUS server for other devices.
+
+# Use integrated EAP server instead of external RADIUS authentication
+# server. This is also needed if hostapd is configured to act as a RADIUS
+# authentication server.
+eap_server=0
+
+# Path for EAP server user database
+#eap_user_file=/etc/hostapd.eap_user
+
+# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
+#ca_cert=/etc/hostapd.ca.pem
+
+# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
+#server_cert=/etc/hostapd.server.pem
+
+# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS
+# This may point to the same file as server_cert if both certificate and key
+# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be
+# used by commenting out server_cert and specifying the PFX file as the
+# private_key.
+#private_key=/etc/hostapd.server.prv
+
+# Passphrase for private key
+#private_key_passwd=secret passphrase
+
+# Enable CRL verification.
+# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a
+# valid CRL signed by the CA is required to be included in the ca_cert file.
+# This can be done by using PEM format for CA certificate and CRL and
+# concatenating these into one file. Whenever CRL changes, hostapd needs to be
+# restarted to take the new CRL into use.
+# 0 = do not verify CRLs (default)
+# 1 = check the CRL of the user certificate
+# 2 = check all CRLs in the certificate path
+#check_crl=1
+
+# dh_file: File path to DH/DSA parameters file (in PEM format)
+# This is an optional configuration file for setting parameters for an
+# ephemeral DH key exchange. In most cases, the default RSA authentication does
+# not use this configuration. However, it is possible setup RSA to use
+# ephemeral DH key exchange. In addition, ciphers with DSA keys always use
+# ephemeral DH keys. This can be used to achieve forward secrecy. If the file
+# is in DSA parameters format, it will be automatically converted into DH
+# params. This parameter is required if anonymous EAP-FAST is used.
+# You can generate DH parameters file with OpenSSL, e.g.,
+# "openssl dhparam -out /etc/hostapd.dh.pem 1024"
+#dh_file=/etc/hostapd.dh.pem
+
+# Fragment size for EAP methods
+#fragment_size=1400
+
+# Configuration data for EAP-SIM database/authentication gateway interface.
+# This is a text string in implementation specific format. The example
+# implementation in eap_sim_db.c uses this as the UNIX domain socket name for
+# the HLR/AuC gateway (e.g., hlr_auc_gw). In this case, the path uses "unix:"
+# prefix.
+#eap_sim_db=unix:/tmp/hlr_auc_gw.sock
+
+# Encryption key for EAP-FAST PAC-Opaque values. This key must be a secret,
+# random value. It is configured as a 16-octet value in hex format. It can be
+# generated, e.g., with the following command:
+# od -tx1 -v -N16 /dev/random | colrm 1 8 | tr -d ' '
+#pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
+
+# EAP-FAST authority identity (A-ID)
+# A-ID indicates the identity of the authority that issues PACs. The A-ID
+# should be unique across all issuing servers. In theory, this is a variable
+# length field, but due to some existing implementations requiring A-ID to be
+# 16 octets in length, it is strongly recommended to use that length for the
+# field to provid interoperability with deployed peer implementations. This
+# field is configured in hex format.
+#eap_fast_a_id=101112131415161718191a1b1c1d1e1f
+
+# EAP-FAST authority identifier information (A-ID-Info)
+# This is a user-friendly name for the A-ID. For example, the enterprise name
+# and server name in a human-readable format. This field is encoded as UTF-8.
+#eap_fast_a_id_info=test server
+
+# Enable/disable different EAP-FAST provisioning modes:
+#0 = provisioning disabled
+#1 = only anonymous provisioning allowed
+#2 = only authenticated provisioning allowed
+#3 = both provisioning modes allowed (default)
+#eap_fast_prov=3
+
+# EAP-FAST PAC-Key lifetime in seconds (hard limit)
+#pac_key_lifetime=604800
+
+# EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard
+# limit). The server will generate a new PAC-Key when this number of seconds
+# (or fewer) of the lifetime remains.
+#pac_key_refresh_time=86400
+
+# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
+# (default: 0 = disabled).
+#eap_sim_aka_result_ind=1
+
+# Trusted Network Connect (TNC)
+# If enabled, TNC validation will be required before the peer is allowed to
+# connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other
+# EAP method is enabled, the peer will be allowed to connect without TNC.
+#tnc=1
+
+
+##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################
+
+# Interface to be used for IAPP broadcast packets
+#iapp_interface=eth0
+
+
+##### RADIUS client configuration #############################################
+# for IEEE 802.1X with external Authentication Server, IEEE 802.11
+# authentication with external ACL for MAC addresses, and accounting
+
+# The own IP address of the access point (used as NAS-IP-Address)
+own_ip_addr=10.1.0.1
+
+# Optional NAS-Identifier string for RADIUS messages. When used, this should be
+# a unique to the NAS within the scope of the RADIUS server. For example, a
+# fully qualified domain name can be used here.
+# When using IEEE 802.11r, nas_identifier must be set and must be between 1 and
+# 48 octets long.
+#nas_identifier=ap.example.com
+
+# RADIUS authentication server
+auth_server_addr=10.1.0.10
+#auth_server_port=1812
+auth_server_shared_secret=gv6URkSs
+
+# RADIUS accounting server
+#acct_server_addr=127.0.0.1
+#acct_server_port=1813
+#acct_server_shared_secret=secret
+
+# Secondary RADIUS servers; to be used if primary one does not reply to
+# RADIUS packets. These are optional and there can be more than one secondary
+# server listed.
+#auth_server_addr=127.0.0.2
+#auth_server_port=1812
+#auth_server_shared_secret=secret2
+#
+#acct_server_addr=127.0.0.2
+#acct_server_port=1813
+#acct_server_shared_secret=secret2
+
+# Retry interval for trying to return to the primary RADIUS server (in
+# seconds). RADIUS client code will automatically try to use the next server
+# when the current server is not replying to requests. If this interval is set,
+# primary server will be retried after configured amount of time even if the
+# currently used secondary server is still working.
+#radius_retry_primary_interval=600
+
+
+# Interim accounting update interval
+# If this is set (larger than 0) and acct_server is configured, hostapd will
+# send interim accounting updates every N seconds. Note: if set, this overrides
+# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this
+# value should not be configured in hostapd.conf, if RADIUS server is used to
+# control the interim interval.
+# This value should not be less 600 (10 minutes) and must not be less than
+# 60 (1 minute).
+#radius_acct_interim_interval=600
+
+# Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN
+# is used for the stations. This information is parsed from following RADIUS
+# attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN),
+# Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value
+# VLANID as a string). vlan_file option below must be configured if dynamic
+# VLANs are used. Optionally, the local MAC ACL list (accept_mac_file) can be
+# used to set static client MAC address to VLAN ID mapping.
+# 0 = disabled (default)
+# 1 = option; use default interface if RADIUS server does not include VLAN ID
+# 2 = required; reject authentication if RADIUS server does not include VLAN ID
+#dynamic_vlan=0
+
+# VLAN interface list for dynamic VLAN mode is read from a separate text file.
+# This list is used to map VLAN ID from the RADIUS server to a network
+# interface. Each station is bound to one interface in the same way as with
+# multiple BSSIDs or SSIDs. Each line in this text file is defining a new
+# interface and the line must include VLAN ID and interface name separated by
+# white space (space or tab).
+#vlan_file=/etc/hostapd.vlan
+
+# Interface where 802.1q tagged packets should appear when a RADIUS server is
+# used to determine which VLAN a station is on. hostapd creates a bridge for
+# each VLAN. Then hostapd adds a VLAN interface (associated with the interface
+# indicated by 'vlan_tagged_interface') and the appropriate wireless interface
+# to the bridge.
+#vlan_tagged_interface=eth0
+
+
+##### RADIUS authentication server configuration ##############################
+
+# hostapd can be used as a RADIUS authentication server for other hosts. This
+# requires that the integrated EAP server is also enabled and both
+# authentication services are sharing the same configuration.
+
+# File name of the RADIUS clients configuration for the RADIUS server. If this
+# commented out, RADIUS server is disabled.
+#radius_server_clients=/etc/hostapd.radius_clients
+
+# The UDP port number for the RADIUS authentication server
+#radius_server_auth_port=1812
+
+# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API)
+#radius_server_ipv6=1
+
+
+##### WPA/IEEE 802.11i configuration ##########################################
+
+# Enable WPA. Setting this variable configures the AP to require WPA (either
+# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
+# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
+# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
+# RADIUS authentication server must be configured, and WPA-EAP must be included
+# in wpa_key_mgmt.
+# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
+# and/or WPA2 (full IEEE 802.11i/RSN):
+# bit0 = WPA
+# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
+#wpa=1
+
+# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
+# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
+# (8..63 characters) that will be converted to PSK. This conversion uses SSID
+# so the PSK changes when ASCII passphrase is used and the SSID is changed.
+# wpa_psk (dot11RSNAConfigPSKValue)
+# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
+#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+#wpa_passphrase=secret passphrase
+
+# Optionally, WPA PSKs can be read from a separate text file (containing list
+# of (PSK,MAC address) pairs. This allows more than one PSK to be configured.
+# Use absolute path name to make sure that the files can be read on SIGHUP
+# configuration reloads.
+#wpa_psk_file=/etc/hostapd.wpa_psk
+
+# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
+# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be
+# added to enable SHA256-based stronger algorithms.
+# (dot11RSNAConfigAuthenticationSuitesTable)
+#wpa_key_mgmt=WPA-PSK WPA-EAP
+
+# Set of accepted cipher suites (encryption algorithms) for pairwise keys
+# (unicast packets). This is a space separated list of algorithms:
+# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
+# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
+# Group cipher suite (encryption algorithm for broadcast and multicast frames)
+# is automatically selected based on this configuration. If only CCMP is
+# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
+# TKIP will be used as the group cipher.
+# (dot11RSNAConfigPairwiseCiphersTable)
+# Pairwise cipher for WPA (v1) (default: TKIP)
+#wpa_pairwise=TKIP CCMP
+# Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value)
+#rsn_pairwise=CCMP
+
+# Time interval for rekeying GTK (broadcast/multicast encryption keys) in
+# seconds. (dot11RSNAConfigGroupRekeyTime)
+#wpa_group_rekey=600
+
+# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
+# (dot11RSNAConfigGroupRekeyStrict)
+#wpa_strict_rekey=1
+
+# Time interval for rekeying GMK (master key used internally to generate GTKs
+# (in seconds).
+#wpa_gmk_rekey=86400
+
+# Maximum lifetime for PTK in seconds. This can be used to enforce rekeying of
+# PTK to mitigate some attacks against TKIP deficiencies.
+#wpa_ptk_rekey=600
+
+# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
+# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
+# authentication and key handshake before actually associating with a new AP.
+# (dot11RSNAPreauthenticationEnabled)
+#rsn_preauth=1
+#
+# Space separated list of interfaces from which pre-authentication frames are
+# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all
+# interface that are used for connections to other APs. This could include
+# wired interfaces and WDS links. The normal wireless data interface towards
+# associated stations (e.g., wlan0) should not be added, since
+# pre-authentication is only used with APs other than the currently associated
+# one.
+#rsn_preauth_interfaces=eth0
+
+# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e) is
+# allowed. This is only used with RSN/WPA2.
+# 0 = disabled (default)
+# 1 = enabled
+#peerkey=1
+
+# ieee80211w: Whether management frame protection (MFP) is enabled
+# 0 = disabled (default)
+# 1 = optional
+# 2 = required
+#ieee80211w=0
+
+# Association SA Query maximum timeout (in TU = 1.024 ms; for MFP)
+# (maximum time to wait for a SA Query response)
+# dot11AssociationSAQueryMaximumTimeout, 1...4294967295
+#assoc_sa_query_max_timeout=1000
+
+# Association SA Query retry timeout (in TU = 1.024 ms; for MFP)
+# (time between two subsequent SA Query requests)
+# dot11AssociationSAQueryRetryTimeout, 1...4294967295
+#assoc_sa_query_retry_timeout=201
+
+# disable_pmksa_caching: Disable PMKSA caching
+# This parameter can be used to disable caching of PMKSA created through EAP
+# authentication. RSN preauthentication may still end up using PMKSA caching if
+# it is enabled (rsn_preauth=1).
+# 0 = PMKSA caching enabled (default)
+# 1 = PMKSA caching disabled
+#disable_pmksa_caching=0
+
+# okc: Opportunistic Key Caching (aka Proactive Key Caching)
+# Allow PMK cache to be shared opportunistically among configured interfaces
+# and BSSes (i.e., all configurations within a single hostapd process).
+# 0 = disabled (default)
+# 1 = enabled
+#okc=1
+
+
+##### IEEE 802.11r configuration ##############################################
+
+# Mobility Domain identifier (dot11FTMobilityDomainID, MDID)
+# MDID is used to indicate a group of APs (within an ESS, i.e., sharing the
+# same SSID) between which a STA can use Fast BSS Transition.
+# 2-octet identifier as a hex string.
+#mobility_domain=a1b2
+
+# PMK-R0 Key Holder identifier (dot11FTR0KeyHolderID)
+# 1 to 48 octet identifier.
+# This is configured with nas_identifier (see RADIUS client section above).
+
+# Default lifetime of the PMK-RO in minutes; range 1..65535
+# (dot11FTR0KeyLifetime)
+#r0_key_lifetime=10000
+
+# PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID)
+# 6-octet identifier as a hex string.
+#r1_key_holder=000102030405
+
+# Reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535)
+# (dot11FTReassociationDeadline)
+#reassociation_deadline=1000
+
+# List of R0KHs in the same Mobility Domain
+# format: <MAC address> <NAS Identifier> <128-bit key as hex string>
+# This list is used to map R0KH-ID (NAS Identifier) to a destination MAC
+# address when requesting PMK-R1 key from the R0KH that the STA used during the
+# Initial Mobility Domain Association.
+#r0kh=02:01:02:03:04:05 r0kh-1.example.com 000102030405060708090a0b0c0d0e0f
+#r0kh=02:01:02:03:04:06 r0kh-2.example.com 00112233445566778899aabbccddeeff
+# And so on.. One line per R0KH.
+
+# List of R1KHs in the same Mobility Domain
+# format: <MAC address> <R1KH-ID> <128-bit key as hex string>
+# This list is used to map R1KH-ID to a destination MAC address when sending
+# PMK-R1 key from the R0KH. This is also the list of authorized R1KHs in the MD
+# that can request PMK-R1 keys.
+#r1kh=02:01:02:03:04:05 02:11:22:33:44:55 000102030405060708090a0b0c0d0e0f
+#r1kh=02:01:02:03:04:06 02:11:22:33:44:66 00112233445566778899aabbccddeeff
+# And so on.. One line per R1KH.
+
+# Whether PMK-R1 push is enabled at R0KH
+# 0 = do not push PMK-R1 to all configured R1KHs (default)
+# 1 = push PMK-R1 to all configured R1KHs whenever a new PMK-R0 is derived
+#pmk_r1_push=1
+
+##### Neighbor table ##########################################################
+# Maximum number of entries kept in AP table (either for neigbor table or for
+# detecting Overlapping Legacy BSS Condition). The oldest entry will be
+# removed when adding a new entry that would make the list grow over this
+# limit. Note! WFA certification for IEEE 802.11g requires that OLBC is
+# enabled, so this field should not be set to 0 when using IEEE 802.11g.
+# default: 255
+#ap_table_max_size=255
+
+# Number of seconds of no frames received after which entries may be deleted
+# from the AP table. Since passive scanning is not usually performed frequently
+# this should not be set to very small value. In addition, there is no
+# guarantee that every scan cycle will receive beacon frames from the
+# neighboring APs.
+# default: 60
+#ap_table_expiration_time=3600
+
+
+##### Wi-Fi Protected Setup (WPS) #############################################
+
+# WPS state
+# 0 = WPS disabled (default)
+# 1 = WPS enabled, not configured
+# 2 = WPS enabled, configured
+#wps_state=2
+
+# AP can be configured into a locked state where new WPS Registrar are not
+# accepted, but previously authorized Registrars (including the internal one)
+# can continue to add new Enrollees.
+#ap_setup_locked=1
+
+# Universally Unique IDentifier (UUID; see RFC 4122) of the device
+# This value is used as the UUID for the internal WPS Registrar. If the AP
+# is also using UPnP, this value should be set to the device's UPnP UUID.
+# If not configured, UUID will be generated based on the local MAC address.
+#uuid=12345678-9abc-def0-1234-56789abcdef0
+
+# Note: If wpa_psk_file is set, WPS is used to generate random, per-device PSKs
+# that will be appended to the wpa_psk_file. If wpa_psk_file is not set, the
+# default PSK (wpa_psk/wpa_passphrase) will be delivered to Enrollees. Use of
+# per-device PSKs is recommended as the more secure option (i.e., make sure to
+# set wpa_psk_file when using WPS with WPA-PSK).
+
+# When an Enrollee requests access to the network with PIN method, the Enrollee
+# PIN will need to be entered for the Registrar. PIN request notifications are
+# sent to hostapd ctrl_iface monitor. In addition, they can be written to a
+# text file that could be used, e.g., to populate the AP administration UI with
+# pending PIN requests. If the following variable is set, the PIN requests will
+# be written to the configured file.
+#wps_pin_requests=/var/run/hostapd_wps_pin_requests
+
+# Device Name
+# User-friendly description of device; up to 32 octets encoded in UTF-8
+#device_name=Wireless AP
+
+# Manufacturer
+# The manufacturer of the device (up to 64 ASCII characters)
+#manufacturer=Company
+
+# Model Name
+# Model of the device (up to 32 ASCII characters)
+#model_name=WAP
+
+# Model Number
+# Additional device description (up to 32 ASCII characters)
+#model_number=123
+
+# Serial Number
+# Serial number of the device (up to 32 characters)
+#serial_number=12345
+
+# Primary Device Type
+# Used format: <categ>-<OUI>-<subcateg>
+# categ = Category as an integer value
+# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
+# default WPS OUI
+# subcateg = OUI-specific Sub Category as an integer value
+# Examples:
+# 1-0050F204-1 (Computer / PC)
+# 1-0050F204-2 (Computer / Server)
+# 5-0050F204-1 (Storage / NAS)
+# 6-0050F204-1 (Network Infrastructure / AP)
+#device_type=6-0050F204-1
+
+# OS Version
+# 4-octet operating system version number (hex string)
+#os_version=01020300
+
+# Config Methods
+# List of the supported configuration methods
+# Available methods: usba ethernet label display ext_nfc_token int_nfc_token
+# nfc_interface push_button keypad virtual_display physical_display
+# virtual_push_button physical_push_button
+#config_methods=label virtual_display virtual_push_button keypad
+
+# WPS capability discovery workaround for PBC with Windows 7
+# Windows 7 uses incorrect way of figuring out AP's WPS capabilities by acting
+# as a Registrar and using M1 from the AP. The config methods attribute in that
+# message is supposed to indicate only the configuration method supported by
+# the AP in Enrollee role, i.e., to add an external Registrar. For that case,
+# PBC shall not be used and as such, the PushButton config method is removed
+# from M1 by default. If pbc_in_m1=1 is included in the configuration file,
+# the PushButton config method is left in M1 (if included in config_methods
+# parameter) to allow Windows 7 to use PBC instead of PIN (e.g., from a label
+# in the AP).
+#pbc_in_m1=1
+
+# Static access point PIN for initial configuration and adding Registrars
+# If not set, hostapd will not allow external WPS Registrars to control the
+# access point. The AP PIN can also be set at runtime with hostapd_cli
+# wps_ap_pin command. Use of temporary (enabled by user action) and random
+# AP PIN is much more secure than configuring a static AP PIN here. As such,
+# use of the ap_pin parameter is not recommended if the AP device has means for
+# displaying a random PIN.
+#ap_pin=12345670
+
+# Skip building of automatic WPS credential
+# This can be used to allow the automatically generated Credential attribute to
+# be replaced with pre-configured Credential(s).
+#skip_cred_build=1
+
+# Additional Credential attribute(s)
+# This option can be used to add pre-configured Credential attributes into M8
+# message when acting as a Registrar. If skip_cred_build=1, this data will also
+# be able to override the Credential attribute that would have otherwise been
+# automatically generated based on network configuration. This configuration
+# option points to an external file that much contain the WPS Credential
+# attribute(s) as binary data.
+#extra_cred=hostapd.cred
+
+# Credential processing
+# 0 = process received credentials internally (default)
+# 1 = do not process received credentials; just pass them over ctrl_iface to
+# external program(s)
+# 2 = process received credentials internally and pass them over ctrl_iface
+# to external program(s)
+# Note: With wps_cred_processing=1, skip_cred_build should be set to 1 and
+# extra_cred be used to provide the Credential data for Enrollees.
+#
+# wps_cred_processing=1 will disabled automatic updates of hostapd.conf file
+# both for Credential processing and for marking AP Setup Locked based on
+# validation failures of AP PIN. An external program is responsible on updating
+# the configuration appropriately in this case.
+#wps_cred_processing=0
+
+# AP Settings Attributes for M7
+# By default, hostapd generates the AP Settings Attributes for M7 based on the
+# current configuration. It is possible to override this by providing a file
+# with pre-configured attributes. This is similar to extra_cred file format,
+# but the AP Settings attributes are not encapsulated in a Credential
+# attribute.
+#ap_settings=hostapd.ap_settings
+
+# WPS UPnP interface
+# If set, support for external Registrars is enabled.
+#upnp_iface=br0
+
+# Friendly Name (required for UPnP)
+# Short description for end use. Should be less than 64 characters.
+#friendly_name=WPS Access Point
+
+# Manufacturer URL (optional for UPnP)
+#manufacturer_url=http://www.example.com/
+
+# Model Description (recommended for UPnP)
+# Long description for end user. Should be less than 128 characters.
+#model_description=Wireless Access Point
+
+# Model URL (optional for UPnP)
+#model_url=http://www.example.com/model/
+
+# Universal Product Code (optional for UPnP)
+# 12-digit, all-numeric code that identifies the consumer package.
+#upc=123456789012
+
+##### Wi-Fi Direct (P2P) ######################################################
+
+# Enable P2P Device management
+#manage_p2p=1
+
+# Allow cross connection
+#allow_cross_connection=1
+
+#### TDLS (IEEE 802.11z-2010) #################################################
+
+# Prohibit use of TDLS in this BSS
+#tdls_prohibit=1
+
+# Prohibit use of TDLS Channel Switching in this BSS
+#tdls_prohibit_chan_switch=1
+
+##### IEEE 802.11v-2011 #######################################################
+
+# Time advertisement
+# 0 = disabled (default)
+# 2 = UTC time at which the TSF timer is 0
+#time_advertisement=2
+
+# Local time zone as specified in 8.3 of IEEE Std 1003.1-2004:
+# stdoffset[dst[offset][,start[/time],end[/time]]]
+#time_zone=EST5
+
+##### IEEE 802.11u-2011 #######################################################
+
+# Enable Interworking service
+#interworking=1
+
+# Access Network Type
+# 0 = Private network
+# 1 = Private network with guest access
+# 2 = Chargeable public network
+# 3 = Free public network
+# 4 = Personal device network
+# 5 = Emergency services only network
+# 14 = Test or experimental
+# 15 = Wildcard
+#access_network_type=0
+
+# Whether the network provides connectivity to the Internet
+# 0 = Unspecified
+# 1 = Network provides connectivity to the Internet
+#internet=1
+
+# Additional Step Required for Access
+# Note: This is only used with open network, i.e., ASRA shall ne set to 0 if
+# RSN is used.
+#asra=0
+
+# Emergency services reachable
+#esr=0
+
+# Unauthenticated emergency service accessible
+#uesa=0
+
+# Venue Info (optional)
+# The available values are defined in IEEE Std 802.11u-2011, 7.3.1.34.
+# Example values (group,type):
+# 0,0 = Unspecified
+# 1,7 = Convention Center
+# 1,13 = Coffee Shop
+# 2,0 = Unspecified Business
+# 7,1 Private Residence
+#venue_group=7
+#venue_type=1
+
+# Homogeneous ESS identifier (optional; dot11HESSID)
+# If set, this shall be identifical to one of the BSSIDs in the homogeneous
+# ESS and this shall be set to the same value across all BSSs in homogeneous
+# ESS.
+#hessid=02:03:04:05:06:07
+
+# Roaming Consortium List
+# Arbitrary number of Roaming Consortium OIs can be configured with each line
+# adding a new OI to the list. The first three entries are available through
+# Beacon and Probe Response frames. Any additional entry will be available only
+# through ANQP queries. Each OI is between 3 and 15 octets and is configured a
+# a hexstring.
+#roaming_consortium=021122
+#roaming_consortium=2233445566
+
+##### Multiple BSSID support ##################################################
+#
+# Above configuration is using the default interface (wlan#, or multi-SSID VLAN
+# interfaces). Other BSSIDs can be added by using separator 'bss' with
+# default interface name to be allocated for the data packets of the new BSS.
+#
+# hostapd will generate BSSID mask based on the BSSIDs that are
+# configured. hostapd will verify that dev_addr & MASK == dev_addr. If this is
+# not the case, the MAC address of the radio must be changed before starting
+# hostapd (ifconfig wlan0 hw ether <MAC addr>). If a BSSID is configured for
+# every secondary BSS, this limitation is not applied at hostapd and other
+# masks may be used if the driver supports them (e.g., swap the locally
+# administered bit)
+#
+# BSSIDs are assigned in order to each BSS, unless an explicit BSSID is
+# specified using the 'bssid' parameter.
+# If an explicit BSSID is specified, it must be chosen such that it:
+# - results in a valid MASK that covers it and the dev_addr
+# - is not the same as the MAC address of the radio
+# - is not the same as any other explicitly specified BSSID
+#
+# Please note that hostapd uses some of the values configured for the first BSS
+# as the defaults for the following BSSes. However, it is recommended that all
+# BSSes include explicit configuration of all relevant configuration items.
+#
+#bss=wlan0_0
+#ssid=test2
+# most of the above items can be used here (apart from radio interface specific
+# items, like channel)
+
+#bss=wlan0_1
+#bssid=00:13:10:95:fe:0b
+# ...
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..294964fe7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,33 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=pubkey
+ leftfirewall=yes
+ rightauth=eap-radius
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..390c42ccf
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
+ multiple_authentication=no
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ filter_id = yes
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/posttest.dat b/testing/tests/tnc/tnccs-11-supplicant/posttest.dat
new file mode 100644
index 000000000..b55e0457c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/posttest.dat
@@ -0,0 +1,5 @@
+carol::killall wpa_supplicant
+dave::killall wpa_supplicant
+moon::killall hostapd
+alice::killall radiusd
+alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
diff --git a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat b/testing/tests/tnc/tnccs-11-supplicant/pretest.dat
new file mode 100644
index 000000000..ac03fedbb
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/pretest.dat
@@ -0,0 +1,11 @@
+alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::hostapd -B /etc/hostapd/hostapd.conf
+carol::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0
+carol::sleep 4
+dave::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0
+dave::sleep 4
diff --git a/testing/tests/tnc/tnccs-11-supplicant/test.conf b/testing/tests/tnc/tnccs-11-supplicant/test.conf
new file mode 100644
index 000000000..f23a19329
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/tnc/tnccs-20-os/description.txt b/testing/tests/tnc/tnccs-20-os/description.txt
index f660a0b63..941113434 100644
--- a/testing/tests/tnc/tnccs-20-os/description.txt
+++ b/testing/tests/tnc/tnccs-20-os/description.txt
@@ -10,7 +10,7 @@ exchange PA-TNC attributes.
<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
<em>Product Information</em>, <em>String Version</em>, <em>Numeric Version</em>,
<em>Operational Status</em>, <em>Forwarding Enabled</em>, <em>Factory Default Password Enabled</em>
-and <em>Device ID> up-front, whereas <b>dave</b> must be prompted by the IMV to do so via an
+and <em>Device ID</em> up-front, whereas <b>dave</b> must be prompted by the IMV to do so via an
<em>Attribute Request</em> PA-TNC attribute. <b>carol</b> is then prompted to send a list of
installed packages using the <em>Installed Packages</em> PA-TNC attribute. Since <b>dave</b>
successfully connected to the VPN gateway shortly before, no new list of installed packages is
diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat
index 0d3f55b45..21a7278d7 100644
--- a/testing/tests/tnc/tnccs-20-os/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat
@@ -6,10 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon:: ipsec attest --sessions 2> /dev/null::Debian 7.0 x86_64.*carol@strongswan.org - allow::YES
+moon:: ipsec attest --sessions 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec attest --sessions 2> /dev/null::Debian 7.0 x86_64.*dave@strongswan.org - isolate::YES
+moon:: ipsec attest --sessions 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql
deleted file mode 100644
index d17aac15e..000000000
--- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql
+++ /dev/null
@@ -1,892 +0,0 @@
-/* Products */
-
-INSERT INTO products ( /* 1 */
- name
-) VALUES (
- 'Debian 6.0 i686'
-);
-
-INSERT INTO products ( /* 2 */
- name
-) VALUES (
- 'Debian 6.0 x86_64'
-);
-
-INSERT INTO products ( /* 3 */
- name
-) VALUES (
- 'Debian 7.0 i686'
-);
-
-INSERT INTO products ( /* 4 */
- name
-) VALUES (
- 'Debian 7.0 x86_64'
-);
-
-INSERT INTO products ( /* 5 */
- name
-) VALUES (
- 'Debian 8.0 i686'
-);
-
-INSERT INTO products ( /* 6 */
- name
-) VALUES (
- 'Debian 8.0 x86_64'
-);
-
-INSERT INTO products ( /* 7 */
- name
-) VALUES (
- 'Ubuntu 10.04 i686'
-);
-
-INSERT INTO products ( /* 8 */
- name
-) VALUES (
- 'Ubuntu 10.04 x86_64'
-);
-
-INSERT INTO products ( /* 9 */
- name
-) VALUES (
- 'Ubuntu 10.10 i686'
-);
-
-INSERT INTO products ( /* 10 */
- name
-) VALUES (
- 'Ubuntu 10.10 x86_64'
-);
-
-INSERT INTO products ( /* 11 */
- name
-) VALUES (
- 'Ubuntu 11.04 i686'
-);
-
-INSERT INTO products ( /* 12 */
- name
-) VALUES (
- 'Ubuntu 11.04 x86_64'
-);
-
-INSERT INTO products ( /* 13 */
- name
-) VALUES (
- 'Ubuntu 11.10 i686'
-);
-
-INSERT INTO products ( /* 14 */
- name
-) VALUES (
- 'Ubuntu 11.10 x86_64'
-);
-
-INSERT INTO products ( /* 15 */
- name
-) VALUES (
- 'Ubuntu 12.04 i686'
-);
-
-INSERT INTO products ( /* 16 */
- name
-) VALUES (
- 'Ubuntu 12.04 x86_64'
-);
-
-INSERT INTO products ( /* 17 */
- name
-) VALUES (
- 'Ubuntu 12.10 i686'
-);
-
-INSERT INTO products ( /* 18 */
- name
-) VALUES (
- 'Ubuntu 12.10 x86_64'
-);
-
-INSERT INTO products ( /* 19 */
- name
-) VALUES (
- 'Ubuntu 13.04 i686'
-);
-
-INSERT INTO products ( /* 20 */
- name
-) VALUES (
- 'Ubuntu 13.04 x86_64'
-);
-
-INSERT INTO products ( /* 21 */
- name
-) VALUES (
- 'Android 4.1.1'
-);
-
-INSERT INTO products ( /* 22 */
- name
-) VALUES (
- 'Android 4.2.1'
-);
-
-/* Directories */
-
-INSERT INTO directories ( /* 1 */
- path
-) VALUES (
- '/bin'
-);
-
-INSERT INTO directories ( /* 2 */
- path
-) VALUES (
- '/etc'
-);
-
-INSERT INTO directories ( /* 3 */
- path
-) VALUES (
- '/lib'
-);
-
-INSERT INTO directories ( /* 4 */
- path
-) VALUES (
- '/lib/i386-linux-gnu'
-);
-
-INSERT INTO directories ( /* 5 */
- path
-) VALUES (
- '/lib/x86_64-linux-gnu'
-);
-
-INSERT INTO directories ( /* 6 */
- path
-) VALUES (
- '/lib/xtables'
-);
-
-INSERT INTO directories ( /* 7 */
- path
-) VALUES (
- '/sbin'
-);
-
-INSERT INTO directories ( /* 8 */
- path
-) VALUES (
- '/usr/bin'
-);
-
-INSERT INTO directories ( /* 9 */
- path
-) VALUES (
- '/usr/lib'
-);
-
-INSERT INTO directories ( /* 10 */
- path
-) VALUES (
- '/usr/lib/i386-linux-gnu'
-);
-
-INSERT INTO directories ( /* 11 */
- path
-) VALUES (
- '/usr/lib/x86_64-linux-gnu'
-);
-
-INSERT INTO directories ( /* 12 */
- path
-) VALUES (
- '/usr/sbin'
-);
-
-INSERT INTO directories ( /* 13 */
- path
-) VALUES (
- '/system/bin'
-);
-
-INSERT INTO directories ( /* 14 */
- path
-) VALUES (
- '/system/lib'
-);
-
-/* Files */
-
-INSERT INTO files ( /* 1 */
- name, dir
-) VALUES (
- 'libcrypto.so.1.0.0', 5
-);
-
-INSERT INTO files ( /* 2 */
- name, dir
-) VALUES (
- 'libcrypto.so.1.0.0', 11
-);
-
-INSERT INTO files ( /* 3 */
- name, dir
-) VALUES (
- 'libssl.so.1.0.0', 5
-);
-
-INSERT INTO files ( /* 4 */
- name, dir
-) VALUES (
- 'libssl.so.1.0.0', 11
-);
-
-INSERT INTO files ( /* 5 */
- name, dir
-) VALUES (
- 'openssl', 8
-);
-
-INSERT INTO files ( /* 6 */
- name, dir
-) VALUES (
- 'tnc_config', 2
-);
-
-/* Algorithms */
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 65536, 'SHA1-IMA'
-);
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 32768, 'SHA1'
-);
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 16384, 'SHA256'
-);
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 8192, 'SHA384'
-);
-
-/* File Hashes */
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668'
-);
-
-/* Packages */
-
-INSERT INTO packages ( /* 1 */
- name
-) VALUES (
- 'libssl-dev'
-);
-
-INSERT INTO packages ( /* 2 */
- name
-) VALUES (
- 'libssl1.0.0'
-);
-
-INSERT INTO packages ( /* 3 */
- name
-) VALUES (
- 'libssl1.0.0-dbg'
-);
-
-INSERT INTO packages ( /* 4 */
- name
-) VALUES (
- 'openssl'
-);
-
-/* Versions */
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 1, 4, '1.0.1e-2', 1366531494
-);
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 2, 4, '1.0.1e-2', 1366531494
-);
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 3, 4, '1.0.1e-2', 1366531494
-);
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 4, 4, '1.0.1e-2', 1366531494
-);
-
-/* Components */
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 1, 33 /* ITA TGRUB */
-);
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 2, 33 /* ITA TBOOT */
-);
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 3, 33 /* ITA IMA - Trusted Platform */
-);
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 3, 34 /* ITA IMA - Operating System */
-);
-
-/* Groups */
-
-INSERT INTO groups ( /* 1 */
- name
-) VALUES (
- 'Default'
-);
-
-INSERT INTO groups ( /* 2 */
- name, parent
-) VALUES (
- 'Linux', 1
-);
-
-INSERT INTO groups ( /* 3 */
- name, parent
-) VALUES (
- 'Android', 1
-);
-
-INSERT INTO groups ( /* 4 */
- name, parent
-) VALUES (
- 'Debian i686', 2
-);
-
-INSERT INTO groups ( /* 5 */
- name, parent
-) VALUES (
- 'Debian x86_64', 2
-);
-
-INSERT INTO groups ( /* 6 */
- name, parent
-) VALUES (
- 'Ubuntu i686', 2
-);
-
-INSERT INTO groups ( /* 7 */
- name, parent
-) VALUES (
- 'Ubuntu x86_64', 2
-);
-
-INSERT INTO groups ( /* 8 */
- name
-) VALUES (
- 'Reference'
-);
-
-INSERT INTO groups ( /* 9 */
- name, parent
-) VALUES (
- 'Ref. Android', 8
-);
-
-INSERT INTO groups ( /* 10 */
- name, parent
-) VALUES (
- 'Ref. Linux', 8
-);
-
-/* Default Product Groups */
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 1
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 3
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 5
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 5, 2
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 5, 4
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 5, 6
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 7
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 9
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 11
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 13
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 15
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 17
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 19
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 8
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 10
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 12
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 14
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 16
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 18
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 20
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 3, 21
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 3, 22
-);
-
-/* Devices */
-
-INSERT INTO devices ( /* 1 */
- value, product, created
-) VALUES (
- 'aabbccddeeff11223344556677889900', 4, 1372330615
-);
-
-/* Groups Members */
-
-INSERT INTO groups_members (
- group_id, device_id
-) VALUES (
- 5, 1
-);
-
-/* Identities */
-
-INSERT INTO identities (
- type, value
-) VALUES ( /* dave@strongswan.org */
- 4, X'64617665407374726f6e677377616e2e6f7267'
-);
-
-/* Sessions */
-
-INSERT INTO sessions (
- time, connection, identity, device, product, rec
-) VALUES (
- NOW, 1, 1, 1, 4, 0
-);
-
-/* Results */
-
-INSERT INTO results (
- session, policy, rec, result
-) VALUES (
- 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
-);
-
-/* Policies */
-
-INSERT INTO policies ( /* 1 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 1, 'Installed Packages', 2, 2
-);
-
-INSERT INTO policies ( /* 2 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 2, 'Unknown Source', 2, 2
-);
-
-INSERT INTO policies ( /* 3 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 3, 'IP Forwarding Enabled', 1, 1
-);
-
-INSERT INTO policies ( /* 4 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 4, 'Default Factory Password Enabled', 1, 1
-);
-
-INSERT INTO policies ( /* 5 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
-);
-
-INSERT INTO policies ( /* 6 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
-);
-
-INSERT INTO policies ( /* 7 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /usr/bin/openssl', 5, 2, 2
-);
-
-INSERT INTO policies ( /* 8 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 11, 'No Open TCP Ports', 1, 1
-);
-
-INSERT INTO policies ( /* 9 */
- type, name, argument, rec_fail, rec_noresult
-) VALUES (
- 13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
-);
-
-INSERT INTO policies ( /* 10 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 7, 'Metadata of /etc/tnc_config', 6, 0, 0
-);
-
-INSERT INTO policies ( /* 11 */
- type, name, dir, rec_fail, rec_noresult
-) VALUES (
- 8, 'Get /bin', 1, 0, 0
-);
-
-INSERT INTO policies ( /* 12 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
-);
-
-INSERT INTO policies ( /* 13 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
-);
-
-INSERT INTO policies ( /* 14 */
- type, name, dir, rec_fail, rec_noresult
-) VALUES (
- 8, 'Get /system/bin', 13, 0, 0
-);
-
-INSERT INTO policies ( /* 15 */
- type, name, dir, rec_fail, rec_noresult
-) VALUES (
- 8, 'Get /system/lib', 14, 0, 0
-);
-
-INSERT INTO policies ( /* 16 */
- type, name, dir, rec_fail, rec_noresult
-) VALUES (
- 9, 'Measure /bin', 1, 2, 2
-);
-
-/* Enforcements */
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 1, 1, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 2, 3, 0
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age, rec_fail, rec_noresult
-) VALUES (
- 3, 2, 0, 2, 2
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 5, 7, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 6, 7, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 7, 2, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 8, 1, 60
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 9, 1, 60
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 10, 2, 60
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 11, 10, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 12, 5, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 13, 5, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 14, 9, 0
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 15, 9, 0
-);
-
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql
new file mode 100644
index 000000000..6682a5a1c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql
@@ -0,0 +1,45 @@
+/* Devices */
+
+INSERT INTO devices ( /* 1 */
+ value, product, created
+) VALUES (
+ 'aabbccddeeff11223344556677889900', 28, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+ group_id, device_id
+) VALUES (
+ 5, 1
+);
+
+/* Identities */
+
+INSERT INTO identities (
+ type, value
+) VALUES ( /* dave@strongswan.org */
+ 4, X'64617665407374726f6e677377616e2e6f7267'
+);
+
+/* Sessions */
+
+INSERT INTO sessions (
+ time, connection, identity, device, product, rec
+) VALUES (
+ NOW, 1, 1, 1, 28, 0
+);
+
+/* Results */
+
+INSERT INTO results (
+ session, policy, rec, result
+) VALUES (
+ 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
+);
+
+/* Enforcements */
+
+UPDATE enforcements SET
+ rec_fail = 2, rec_noresult = 2
+WHERE id = 3;
diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat
index 333ac7462..e1434e481 100644
--- a/testing/tests/tnc/tnccs-20-os/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-os/pretest.dat
@@ -3,7 +3,8 @@ carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
carol::echo 0 > /proc/sys/net/ipv4/ip_forward
dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
-moon::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db
+moon::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
+moon::cd /etc/pts; cat tables.sql data.sql data1.sql | sqlite3 config.db
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
@@ -14,6 +15,6 @@ carol::sleep 1
carol::ipsec up home
dave::ipsec up home
dave::sleep 1
-moon::ipsec attest --packages --product 'Debian 7.0 x86_64'
+moon::ipsec attest --packages --product 'Debian 7.2 x86_64'
moon::ipsec attest --sessions
moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
index f028ec609..505a4d079 100644
--- a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
@@ -1,8 +1,10 @@
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf
index 70da7766a..ec4956c31 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf
@@ -13,7 +13,9 @@ charon {
}
tnc-pdp {
server = aaa.strongswan.org
- secret = gv6URkSs
+ radius {
+ secret = gv6URkSs
+ }
}
}
}
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-pt-tls/description.txt
new file mode 100644
index 000000000..45a77e900
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/description.txt
@@ -0,0 +1,9 @@
+The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision
+point (PDP) <b>alice</b>. <b>carol</b> uses password-based SASL PLAIN client authentication during the
+<b>PT-TLS negotiation phase</b> and <b>dave</b> uses certificate-based TLS client authentication during the
+<b>TLS setup phase</b>.
+<p/>
+During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWID</b> IMC/IMV pairs
+loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages
+embedded in PB-TNC (RFC 5793) batches. The <b>SWID</b> IMC on <b>carol</b> is requested to deliver
+a concise <b>SWID Tag ID Inventory</b> whereas <b>dave</b> must send a full <b>SWID Tag Inventory</b>.
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat
new file mode 100644
index 000000000..3139ca082
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat
@@ -0,0 +1,12 @@
+alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
+alice:: cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
+alice:: cat /var/log/daemon.log::SASL client identity is.*carol::YES
+alice:: cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
+alice:: cat /var/log/daemon.log::received SWID tag ID inventory for request 6 at eid 1 of epoch::YES
+alice:: cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-.*.swidtag::YES
+alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
+alice:: cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
+alice:: cat /var/log/daemon.log::certificate status is good::YES
+alice:: cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
+alice:: cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
+alice:: cat /var/log/daemon.log::received SWID tag inventory for request 11 at eid 1 of epoch::YES
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..d8b84334a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,9 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tls 2, tnc 3, imv 3"
+
+conn aaa
+ leftcert=aaaCert.pem
+ leftid=aaa.strongswan.org
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
new file mode 100644
index 000000000..6aeb0c0b1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
+dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R
+RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm
+Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W
+Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF
+AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni
+wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg
+EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd
+p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
+EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
+ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
+Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa
+yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp
+iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2
+bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d
+HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr
+EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4
+v42sww==
+-----END CERTIFICATE-----
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem
new file mode 100644
index 000000000..da8cdb051
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx
+bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh
+9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ
+/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp
+NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR
+BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds
+Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi
+NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV
+IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3
+Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI
+aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X
+YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq
+b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If
+/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN
+P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X
+V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t
+cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c
+PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m
+a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo
+NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b
+xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/
+J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5
+YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ
+SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu
+EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets
new file mode 100644
index 000000000..11d45cd14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA aaaKey.pem
+
+carol : EAP "Ar3etTnp"
+dave : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..5b275392b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow PT-TLS
+-A INPUT -i eth0 -p tcp --dport 271 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql
new file mode 100644
index 000000000..71592211b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql
@@ -0,0 +1,61 @@
+/* Devices */
+
+INSERT INTO devices ( /* 1 */
+ value, product, created
+) VALUES (
+ 'aabbccddeeff11223344556677889900', 28, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+ group_id, device_id
+) VALUES (
+ 10, 1
+);
+
+/* Identities */
+
+INSERT INTO identities (
+ type, value
+) VALUES ( /* dave@strongswan.org */
+ 4, X'64617665407374726f6e677377616e2e6f7267'
+);
+
+/* Sessions */
+
+INSERT INTO sessions (
+ time, connection, identity, device, product, rec
+) VALUES (
+ NOW, 1, 1, 1, 28, 0
+);
+
+/* Results */
+
+INSERT INTO results (
+ session, policy, rec, result
+) VALUES (
+ 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+ policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+ 3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+ policy, group_id, max_age
+) VALUES (
+ 17, 2, 86400
+);
+
+INSERT INTO enforcements (
+ policy, group_id, max_age
+) VALUES (
+ 18, 10, 86400
+);
+
+DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..21961d4b1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,28 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl pem pkcs1 nonce x509 revocation constraints openssl socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+
+ plugins {
+ tnc-pdp {
+ server = aaa.strongswan.org
+ radius {
+ secret = gv6URkSs
+ }
+ }
+ }
+}
+
+libtnccs {
+ plugins {
+ tnccs-20 {
+ max_batch_size = 131056
+ max_message_size = 131024
+ }
+ }
+}
+
+libimcv {
+ database = sqlite:///etc/pts/config.db
+ policy_script = ipsec imv_policy_manager
+}
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..ebe88bc99
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client
+
+IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..4a41e7ed9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+# the PT-TLS client reads its configuration via the command line
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..d2f6378b8
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# the PT-TLS client loads its secrets via the command line
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql
new file mode 100644
index 000000000..805c8bfd9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from the command line */
+/* credentials are read from the command line */
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..d01d0a3c9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow PT-TLS
+-A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT
+-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options
new file mode 100644
index 000000000..f04e9472a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options
@@ -0,0 +1,5 @@
+--connect aaa.strongswan.org
+--client carol
+--secret "Ar3etTnp"
+--cert /etc/ipsec.d/cacerts/strongswanCert.pem
+--debug 2
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..de2fea244
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,25 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libimcv {
+ plugins {
+ imc-os {
+ push_info = yes
+ }
+ imc-swid {
+ #swid_directory = /usr/share
+ }
+ }
+}
+
+libtnccs {
+ plugins {
+ tnccs-20 {
+ max_batch_size = 131056
+ max_message_size = 131024
+ }
+ }
+}
+
+pt-tls-client {
+ load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20
+}
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..f40174e57
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..4a41e7ed9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+# the PT-TLS client reads its configuration via the command line
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..d2f6378b8
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# the PT-TLS client loads its secrets via the command line
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql
new file mode 100644
index 000000000..805c8bfd9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from the command line */
+/* credentials are read from the command line */
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..d01d0a3c9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow PT-TLS
+-A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT
+-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options
new file mode 100644
index 000000000..46821ec73
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options
@@ -0,0 +1,6 @@
+--connect aaa.strongswan.org
+--client dave@strongswan.org
+--key /etc/ipsec.d/private/daveKey.pem
+--cert /etc/ipsec.d/certs/daveCert.pem
+--cert /etc/ipsec.d/cacerts/strongswanCert.pem
+--debug 2
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..39b2577ae
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libimcv {
+ plugins {
+ imc-os {
+ push_info = no
+ }
+ }
+}
+
+libtnccs {
+ plugins {
+ tnccs-20 {
+ max_batch_size = 131056
+ max_message_size = 131024
+ }
+ }
+}
+
+pt-tls-client {
+ load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20
+}
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..f40174e57
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pt-tls/posttest.dat
new file mode 100644
index 000000000..c98df8671
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/posttest.dat
@@ -0,0 +1,8 @@
+carol::ip route del 10.1.0.0/16 via 192.168.0.1
+dave::ip route del 10.1.0.0/16 via 192.168.0.1
+winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
+alice::ipsec stop
+alice::rm /etc/pts/config.db
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat
new file mode 100644
index 000000000..2a53977c0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat
@@ -0,0 +1,19 @@
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+dave::cat /etc/tnc_config
+alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data.sql
+alice::cd /etc/pts; cat tables.sql data.sql data1.sql | sqlite3 config.db
+alice::ipsec start
+winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
+carol::ip route add 10.1.0.0/16 via 192.168.0.1
+carol::cat /etc/pts/options
+carol::ipsec pt-tls-client --optionsfrom /etc/pts/options
+dave::ip route add 10.1.0.0/16 via 192.168.0.1
+dave::cat /etc/pts/options
+dave::ipsec pt-tls-client --optionsfrom /etc/pts/options
+dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-pt-tls/test.conf
new file mode 100644
index 000000000..0887e4d09
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pt-tls/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="carol dave alice"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
index 100754332..5eb944055 100644
--- a/testing/tests/tnc/tnccs-20-pts/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
@@ -6,10 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon:: ipsec attest --session 2> /dev/null::Debian 7.0 x86_64.*carol@strongswan.org - allow::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec attest --session 2> /dev/null::Debian 7.0 x86_64.*dave@strongswan.org - isolate::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql
deleted file mode 100644
index 090eb47ff..000000000
--- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql
+++ /dev/null
@@ -1,873 +0,0 @@
-/* Products */
-
-INSERT INTO products ( /* 1 */
- name
-) VALUES (
- 'Debian 6.0 i686'
-);
-
-INSERT INTO products ( /* 2 */
- name
-) VALUES (
- 'Debian 6.0 x86_64'
-);
-
-INSERT INTO products ( /* 3 */
- name
-) VALUES (
- 'Debian 7.0 i686'
-);
-
-INSERT INTO products ( /* 4 */
- name
-) VALUES (
- 'Debian 7.0 x86_64'
-);
-
-INSERT INTO products ( /* 5 */
- name
-) VALUES (
- 'Debian 8.0 i686'
-);
-
-INSERT INTO products ( /* 6 */
- name
-) VALUES (
- 'Debian 8.0 x86_64'
-);
-
-INSERT INTO products ( /* 7 */
- name
-) VALUES (
- 'Ubuntu 10.04 i686'
-);
-
-INSERT INTO products ( /* 8 */
- name
-) VALUES (
- 'Ubuntu 10.04 x86_64'
-);
-
-INSERT INTO products ( /* 9 */
- name
-) VALUES (
- 'Ubuntu 10.10 i686'
-);
-
-INSERT INTO products ( /* 10 */
- name
-) VALUES (
- 'Ubuntu 10.10 x86_64'
-);
-
-INSERT INTO products ( /* 11 */
- name
-) VALUES (
- 'Ubuntu 11.04 i686'
-);
-
-INSERT INTO products ( /* 12 */
- name
-) VALUES (
- 'Ubuntu 11.04 x86_64'
-);
-
-INSERT INTO products ( /* 13 */
- name
-) VALUES (
- 'Ubuntu 11.10 i686'
-);
-
-INSERT INTO products ( /* 14 */
- name
-) VALUES (
- 'Ubuntu 11.10 x86_64'
-);
-
-INSERT INTO products ( /* 15 */
- name
-) VALUES (
- 'Ubuntu 12.04 i686'
-);
-
-INSERT INTO products ( /* 16 */
- name
-) VALUES (
- 'Ubuntu 12.04 x86_64'
-);
-
-INSERT INTO products ( /* 17 */
- name
-) VALUES (
- 'Ubuntu 12.10 i686'
-);
-
-INSERT INTO products ( /* 18 */
- name
-) VALUES (
- 'Ubuntu 12.10 x86_64'
-);
-
-INSERT INTO products ( /* 19 */
- name
-) VALUES (
- 'Ubuntu 13.04 i686'
-);
-
-INSERT INTO products ( /* 20 */
- name
-) VALUES (
- 'Ubuntu 13.04 x86_64'
-);
-
-INSERT INTO products ( /* 21 */
- name
-) VALUES (
- 'Android 4.1.1'
-);
-
-INSERT INTO products ( /* 22 */
- name
-) VALUES (
- 'Android 4.2.1'
-);
-
-/* Directories */
-
-INSERT INTO directories ( /* 1 */
- path
-) VALUES (
- '/bin'
-);
-
-INSERT INTO directories ( /* 2 */
- path
-) VALUES (
- '/etc'
-);
-
-INSERT INTO directories ( /* 3 */
- path
-) VALUES (
- '/lib'
-);
-
-INSERT INTO directories ( /* 4 */
- path
-) VALUES (
- '/lib/i386-linux-gnu'
-);
-
-INSERT INTO directories ( /* 5 */
- path
-) VALUES (
- '/lib/x86_64-linux-gnu'
-);
-
-INSERT INTO directories ( /* 6 */
- path
-) VALUES (
- '/lib/xtables'
-);
-
-INSERT INTO directories ( /* 7 */
- path
-) VALUES (
- '/sbin'
-);
-
-INSERT INTO directories ( /* 8 */
- path
-) VALUES (
- '/usr/bin'
-);
-
-INSERT INTO directories ( /* 9 */
- path
-) VALUES (
- '/usr/lib'
-);
-
-INSERT INTO directories ( /* 10 */
- path
-) VALUES (
- '/usr/lib/i386-linux-gnu'
-);
-
-INSERT INTO directories ( /* 11 */
- path
-) VALUES (
- '/usr/lib/x86_64-linux-gnu'
-);
-
-INSERT INTO directories ( /* 12 */
- path
-) VALUES (
- '/usr/sbin'
-);
-
-INSERT INTO directories ( /* 13 */
- path
-) VALUES (
- '/system/bin'
-);
-
-INSERT INTO directories ( /* 14 */
- path
-) VALUES (
- '/system/lib'
-);
-
-/* Files */
-
-INSERT INTO files ( /* 1 */
- name, dir
-) VALUES (
- 'libcrypto.so.1.0.0', 5
-);
-
-INSERT INTO files ( /* 2 */
- name, dir
-) VALUES (
- 'libcrypto.so.1.0.0', 11
-);
-
-INSERT INTO files ( /* 3 */
- name, dir
-) VALUES (
- 'libssl.so.1.0.0', 5
-);
-
-INSERT INTO files ( /* 4 */
- name, dir
-) VALUES (
- 'libssl.so.1.0.0', 11
-);
-
-INSERT INTO files ( /* 5 */
- name, dir
-) VALUES (
- 'openssl', 8
-);
-
-INSERT INTO files ( /* 6 */
- name, dir
-) VALUES (
- 'tnc_config', 2
-);
-
-/* Algorithms */
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 65536, 'SHA1-IMA'
-);
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 32768, 'SHA1'
-);
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 16384, 'SHA256'
-);
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 8192, 'SHA384'
-);
-
-/* File Hashes */
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668'
-);
-
-/* Packages */
-
-INSERT INTO packages ( /* 1 */
- name
-) VALUES (
- 'libssl-dev'
-);
-
-INSERT INTO packages ( /* 2 */
- name
-) VALUES (
- 'libssl1.0.0'
-);
-
-INSERT INTO packages ( /* 3 */
- name
-) VALUES (
- 'libssl1.0.0-dbg'
-);
-
-INSERT INTO packages ( /* 4 */
- name
-) VALUES (
- 'openssl'
-);
-
-/* Versions */
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 1, 4, '1.0.1e-2', 1366531494
-);
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 2, 4, '1.0.1e-2', 1366531494
-);
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 3, 4, '1.0.1e-2', 1366531494
-);
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 4, 4, '1.0.1e-2', 1366531494
-);
-
-/* Components */
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 1, 33 /* ITA TGRUB */
-);
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 2, 33 /* ITA TBOOT */
-);
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 3, 33 /* ITA IMA - Trusted Platform */
-);
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 3, 34 /* ITA IMA - Operating System */
-);
-
-/* Groups */
-
-INSERT INTO groups ( /* 1 */
- name
-) VALUES (
- 'Default'
-);
-
-INSERT INTO groups ( /* 2 */
- name, parent
-) VALUES (
- 'Linux', 1
-);
-
-INSERT INTO groups ( /* 3 */
- name, parent
-) VALUES (
- 'Android', 1
-);
-
-INSERT INTO groups ( /* 4 */
- name, parent
-) VALUES (
- 'Debian i686', 2
-);
-
-INSERT INTO groups ( /* 5 */
- name, parent
-) VALUES (
- 'Debian x86_64', 2
-);
-
-INSERT INTO groups ( /* 6 */
- name, parent
-) VALUES (
- 'Ubuntu i686', 2
-);
-
-INSERT INTO groups ( /* 7 */
- name, parent
-) VALUES (
- 'Ubuntu x86_64', 2
-);
-
-INSERT INTO groups ( /* 8 */
- name
-) VALUES (
- 'Reference'
-);
-
-INSERT INTO groups ( /* 9 */
- name, parent
-) VALUES (
- 'Ref. Android', 8
-);
-
-INSERT INTO groups ( /* 10 */
- name, parent
-) VALUES (
- 'Ref. Linux', 8
-);
-
-/* Default Product Groups */
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 1
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 3
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 5
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 5, 2
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 5, 4
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 5, 6
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 7
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 9
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 11
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 13
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 15
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 17
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 6, 19
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 8
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 10
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 12
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 14
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 16
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 18
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 7, 20
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 3, 21
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 3, 22
-);
-
-/* Devices */
-
-INSERT INTO devices ( /* 1 */
- value, product, created
-) VALUES (
- 'aabbccddeeff11223344556677889900', 4, 1372330615
-);
-
-/* Groups Members */
-
-INSERT INTO groups_members (
- group_id, device_id
-) VALUES (
- 10, 1
-);
-
-/* Policies */
-
-INSERT INTO policies ( /* 1 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 1, 'Installed Packages', 2, 2
-);
-
-INSERT INTO policies ( /* 2 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 2, 'Unknown Source', 2, 2
-);
-
-INSERT INTO policies ( /* 3 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 3, 'IP Forwarding Enabled', 1, 1
-);
-
-INSERT INTO policies ( /* 4 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 4, 'Default Factory Password Enabled', 1, 1
-);
-
-INSERT INTO policies ( /* 5 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
-);
-
-INSERT INTO policies ( /* 6 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
-);
-
-INSERT INTO policies ( /* 7 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /usr/bin/openssl', 5, 2, 2
-);
-
-INSERT INTO policies ( /* 8 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 11, 'No Open TCP Ports', 1, 1
-);
-
-INSERT INTO policies ( /* 9 */
- type, name, argument, rec_fail, rec_noresult
-) VALUES (
- 13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
-);
-
-INSERT INTO policies ( /* 10 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 7, 'Metadata of /etc/tnc_config', 6, 0, 0
-);
-
-INSERT INTO policies ( /* 11 */
- type, name, dir, rec_fail, rec_noresult
-) VALUES (
- 8, 'Get /bin', 1, 0, 0
-);
-
-INSERT INTO policies ( /* 12 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
-);
-
-INSERT INTO policies ( /* 13 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
-);
-
-INSERT INTO policies ( /* 14 */
- type, name, dir, rec_fail, rec_noresult
-) VALUES (
- 8, 'Get /system/bin', 13, 0, 0
-);
-
-INSERT INTO policies ( /* 15 */
- type, name, dir, rec_fail, rec_noresult
-) VALUES (
- 8, 'Get /system/lib', 14, 0, 0
-);
-
-INSERT INTO policies ( /* 16 */
- type, name, dir, rec_fail, rec_noresult
-) VALUES (
- 9, 'Measure /bin', 1, 2, 2
-);
-
-/* Enforcements */
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 2, 3, 0
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age, rec_fail, rec_noresult
-) VALUES (
- 3, 2, 0, 2, 2
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age, rec_fail, rec_noresult
-) VALUES (
- 3, 10, 0, 2, 2
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 5, 7, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 6, 7, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 7, 2, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 8, 1, 60
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 9, 1, 60
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 10, 2, 60
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 11, 10, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 12, 5, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 13, 5, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 14, 9, 0
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 15, 9, 0
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 16, 2, 0
-);
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql
new file mode 100644
index 000000000..2bb7e7924
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql
@@ -0,0 +1,29 @@
+/* Devices */
+
+INSERT INTO devices ( /* 1 */
+ value, product, created
+) VALUES (
+ 'aabbccddeeff11223344556677889900', 28, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+ group_id, device_id
+) VALUES (
+ 10, 1
+);
+
+INSERT INTO enforcements (
+ policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+ 3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+ policy, group_id, max_age
+) VALUES (
+ 16, 2, 0
+);
+
+DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tests/tnc/tnccs-20-pts/pretest.dat b/testing/tests/tnc/tnccs-20-pts/pretest.dat
index cb6c131ef..794aef9fb 100644
--- a/testing/tests/tnc/tnccs-20-pts/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pts/pretest.dat
@@ -3,7 +3,7 @@ carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
carol::echo 0 > /proc/sys/net/ipv4/ip_forward
dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
-moon::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db
+moon::cd /etc/pts; cat tables.sql data.sql data1.sql | sqlite3 config.db
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql b/testing/tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql
deleted file mode 100644
index dcc4e75d1..000000000
--- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql
+++ /dev/null
@@ -1,793 +0,0 @@
-/* Products */
-
-INSERT INTO products ( /* 1 */
- name
-) VALUES (
- 'Debian 7.0'
-);
-
-INSERT INTO products ( /* 2 */
- name
-) VALUES (
- 'Debian 7.0 i686'
-);
-
-INSERT INTO products ( /* 3 */
- name
-) VALUES (
- 'Debian 7.0 x86_64'
-);
-
-INSERT INTO products ( /* 4 */
- name
-) VALUES (
- 'Ubuntu 10.04'
-);
-
-INSERT INTO products ( /* 5 */
- name
-) VALUES (
- 'Ubuntu 10.04 i686'
-);
-
-INSERT INTO products ( /* 6 */
- name
-) VALUES (
- 'Ubuntu 10.04 x86_64'
-);
-
-INSERT INTO products ( /* 7 */
- name
-) VALUES (
- 'Ubuntu 10.10'
-);
-
-INSERT INTO products ( /* 8 */
- name
-) VALUES (
- 'Ubuntu 10.10 i686'
-);
-
-INSERT INTO products ( /* 9 */
- name
-) VALUES (
- 'Ubuntu 10.10 x86_64'
-);
-
-INSERT INTO products ( /* 10 */
- name
-) VALUES (
- 'Ubuntu 11.04'
-);
-
-INSERT INTO products ( /* 11 */
- name
-) VALUES (
- 'Ubuntu 11.04 i686'
-);
-
-INSERT INTO products ( /* 12 */
- name
-) VALUES (
- 'Ubuntu 11.04 x86_64'
-);
-
-INSERT INTO products ( /* 13 */
- name
-) VALUES (
- 'Ubuntu 11.10'
-);
-
-INSERT INTO products ( /* 14 */
- name
-) VALUES (
- 'Ubuntu 11.10 i686'
-);
-
-INSERT INTO products ( /* 15 */
- name
-) VALUES (
- 'Ubuntu 11.10 x86_64'
-);
-
-INSERT INTO products ( /* 16 */
- name
-) VALUES (
- 'Ubuntu 12.04'
-);
-
-INSERT INTO products ( /* 17 */
- name
-) VALUES (
- 'Ubuntu 12.04 i686'
-);
-
-INSERT INTO products ( /* 18 */
- name
-) VALUES (
- 'Ubuntu 12.04 x86_64'
-);
-
-INSERT INTO products ( /* 19 */
- name
-) VALUES (
- 'Ubuntu 12.10'
-);
-
-INSERT INTO products ( /* 20 */
- name
-) VALUES (
- 'Ubuntu 12.10 i686'
-);
-
-INSERT INTO products ( /* 21 */
- name
-) VALUES (
- 'Ubuntu 12.10 x86_64'
-);
-
-INSERT INTO products ( /* 22 */
- name
-) VALUES (
- 'Ubuntu 13.04'
-);
-
-INSERT INTO products ( /* 23 */
- name
-) VALUES (
- 'Ubuntu 13.04 i686'
-);
-
-INSERT INTO products ( /* 24 */
- name
-) VALUES (
- 'Ubuntu 13.04 x86_64'
-);
-
-INSERT INTO products ( /* 25 */
- name
-) VALUES (
- 'Android 4.1.1'
-);
-
-INSERT INTO products ( /* 26 */
- name
-) VALUES (
- 'Android 4.2.1'
-);
-
-/* Directories */
-
-INSERT INTO directories ( /* 1 */
- path
-) VALUES (
- '/bin'
-);
-
-INSERT INTO directories ( /* 2 */
- path
-) VALUES (
- '/etc'
-);
-
-INSERT INTO directories ( /* 3 */
- path
-) VALUES (
- '/lib'
-);
-
-INSERT INTO directories ( /* 4 */
- path
-) VALUES (
- '/lib/i386-linux-gnu'
-);
-
-INSERT INTO directories ( /* 5 */
- path
-) VALUES (
- '/lib/x86_64-linux-gnu'
-);
-
-INSERT INTO directories ( /* 6 */
- path
-) VALUES (
- '/lib/xtables'
-);
-
-INSERT INTO directories ( /* 7 */
- path
-) VALUES (
- '/sbin'
-);
-
-INSERT INTO directories ( /* 8 */
- path
-) VALUES (
- '/usr/bin'
-);
-
-INSERT INTO directories ( /* 9 */
- path
-) VALUES (
- '/usr/lib'
-);
-
-INSERT INTO directories ( /* 10 */
- path
-) VALUES (
- '/usr/lib/i386-linux-gnu'
-);
-
-INSERT INTO directories ( /* 11 */
- path
-) VALUES (
- '/usr/lib/x86_64-linux-gnu'
-);
-
-INSERT INTO directories ( /* 12 */
- path
-) VALUES (
- '/usr/sbin'
-);
-
-/* Files */
-
-INSERT INTO files ( /* 1 */
- name, dir
-) VALUES (
- 'libcrypto.so.1.0.0', 5
-);
-
-INSERT INTO files ( /* 2 */
- name, dir
-) VALUES (
- 'libcrypto.so.1.0.0', 11
-);
-
-INSERT INTO files ( /* 3 */
- name, dir
-) VALUES (
- 'libssl.so.1.0.0', 5
-);
-
-INSERT INTO files ( /* 4 */
- name, dir
-) VALUES (
- 'libssl.so.1.0.0', 11
-);
-
-INSERT INTO files ( /* 5 */
- name, dir
-) VALUES (
- 'openssl', 8
-);
-
-INSERT INTO files ( /* 6 */
- name, dir
-) VALUES (
- 'tnc_config', 2
-);
-
-/* Algorithms */
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 65536, 'SHA1-IMA'
-);
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 32768, 'SHA1'
-);
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 16384, 'SHA256'
-);
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
- 8192, 'SHA384'
-);
-
-/* File Hashes */
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 3, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 3, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 3, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 3, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 3, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 3, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 3, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 3, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 3, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 21, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 21, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 21, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 21, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 21, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 21, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 21, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 21, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500'
-);
-
-INSERT INTO file_hashes (
- product, file, algo, hash
-) VALUES (
- 21, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668'
-);
-
-/* Packages */
-
-INSERT INTO packages ( /* 1 */
- name
-) VALUES (
- 'libssl-dev'
-);
-
-INSERT INTO packages ( /* 2 */
- name
-) VALUES (
- 'libssl1.0.0'
-);
-
-INSERT INTO packages ( /* 3 */
- name
-) VALUES (
- 'libssl1.0.0-dbg'
-);
-
-INSERT INTO packages ( /* 4 */
- name
-) VALUES (
- 'openssl'
-);
-
-/* Versions */
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 1, 1, '1.0.1e-2', 1366531494
-);
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 2, 1, '1.0.1e-2', 1366531494
-);
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 3, 1, '1.0.1e-2', 1366531494
-);
-
-INSERT INTO versions (
- package, product, release, time
-) VALUES (
- 4, 1, '1.0.1e-2', 1366531494
-);
-
-/* Components */
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 1, 33 /* ITA TGRUB */
-);
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 2, 33 /* ITA TBOOT */
-);
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 3, 33 /* ITA IMA - Trusted Platform */
-);
-
-INSERT INTO components (
- vendor_id, name, qualifier
-) VALUES (
- 36906, 3, 34 /* ITA IMA - Operating System */
-);
-
-/* Groups */
-
-INSERT INTO groups ( /* 1 */
- name, parent
-) VALUES (
- 'Debian i686', 6
-);
-
-INSERT INTO groups ( /* 2 */
- name, parent
-) VALUES (
- 'Debian x86_64', 6
-);
-
-INSERT INTO groups ( /* 3 */
- name, parent
-) VALUES (
- 'Ubuntu i686', 6
-);
-
-INSERT INTO groups ( /* 4 */
- name, parent
-) VALUES (
- 'Ubuntu x86_64', 6
-);
-
-INSERT INTO groups ( /* 5 */
- name, parent
-) VALUES (
- 'Android', 7
-);
-
-INSERT INTO groups ( /* 6 */
- name, parent
-) VALUES (
- 'Linux', 7
-);
-
-INSERT INTO groups ( /* 7 */
- name
-) VALUES (
- 'Default'
-);
-
-/* Default Product Groups */
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 1, 2
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 2, 3
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 3, 5
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 3, 8
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 3, 11
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 3, 14
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 3, 17
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 3, 20
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 3, 23
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 6
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 9
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 12
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 15
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 18
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 21
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 4, 24
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 5, 25
-);
-
-INSERT INTO groups_product_defaults (
- group_id, product_id
-) VALUES (
- 5, 26
-);
-
-/* Policies */
-
-INSERT INTO policies ( /* 1 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 1, 'Installed Packages', 2, 2
-);
-
-INSERT INTO policies ( /* 2 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 2, 'Unknown Source', 2, 2
-);
-
-INSERT INTO policies ( /* 3 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 3, 'IP Forwarding Enabled', 1, 1
-);
-
-INSERT INTO policies ( /* 4 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 4, 'Default Factory Password Enabled', 1, 1
-);
-
-INSERT INTO policies ( /* 5 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
-);
-
-INSERT INTO policies ( /* 6 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
-);
-
-INSERT INTO policies ( /* 7 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /usr/bin/openssl', 5, 2, 2
-);
-
-INSERT INTO policies ( /* 8 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 11, 'No Open TCP Ports', 1, 1
-);
-
-INSERT INTO policies ( /* 9 */
- type, name, rec_fail, rec_noresult
-) VALUES (
- 13, 'No Open UDP Ports', 1, 1
-);
-
-INSERT INTO policies ( /* 10 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 7, 'Metadata of /etc/tnc_config', 6, 0, 0
-);
-
-INSERT INTO policies ( /* 11 */
- type, name, dir, rec_fail, rec_noresult
-) VALUES (
- 8, 'Measure as reference /bin', 1, 0, 0
-);
-
-INSERT INTO policies ( /* 12 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
-);
-
-INSERT INTO policies ( /* 13 */
- type, name, file, rec_fail, rec_noresult
-) VALUES (
- 6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
-);
-
-
-/* Enforcements */
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 1, 7, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 2, 5, 0
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 3, 6, 0
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 5, 4, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 6, 4, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 7, 6, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 8, 7, 60
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 9, 7, 60
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 10, 6, 60
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 11, 6, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 12, 2, 86400
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 13, 2, 86400
-);
-
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
index 032ae7e91..1a0cc202e 100644
--- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
@@ -20,10 +20,5 @@ libimcv {
imv-test {
rounds = 1
}
- imv-scanner {
- closed_port_policy = yes
- udp_ports = 500 4500
- tcp_ports = 22
- }
}
}