-rw-r--r--Android.common.mk2
-rw-r--r--ChangeLog6
-rw-r--r--Doxyfile.in12
-rw-r--r--Makefile.am5
-rw-r--r--Makefile.in6
-rw-r--r--NEWS58
-rw-r--r--README2
-rw-r--r--TODO2
-rw-r--r--conf/plugins/tpm.conf4
-rw-r--r--conf/plugins/tpm.opt4
-rw-r--r--conf/strongswan.conf.5.main5
-rwxr-xr-xconfigure23
-rw-r--r--configure.ac5
-rw-r--r--scripts/dh_speed.c1
-rw-r--r--src/_copyright/_copyright.c2
-rw-r--r--src/charon-cmd/charon-cmd.c9
-rw-r--r--src/charon-systemd/charon-systemd.c16
-rw-r--r--src/conftest/hooks/set_proposal_number.c2
-rw-r--r--src/ipsec/_ipsec.82
-rw-r--r--src/libcharon/bus/bus.c5
-rw-r--r--src/libcharon/bus/bus.h4
-rw-r--r--src/libcharon/bus/listeners/listener.h4
-rw-r--r--src/libcharon/plugins/bypass_lan/bypass_lan_listener.c26
-rw-r--r--src/libcharon/plugins/dhcp/dhcp_socket.c10
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius.c12
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_accounting.c59
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_accounting.h10
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_provider.c32
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_provider.h11
-rw-r--r--src/libcharon/plugins/ha/ha_attribute.c13
-rw-r--r--src/libcharon/plugins/ha/ha_dispatcher.c4
-rw-r--r--src/libcharon/plugins/ha/ha_ike.c6
-rw-r--r--src/libcharon/plugins/ha/ha_message.c2
-rw-r--r--src/libcharon/plugins/ha/ha_message.h2
-rw-r--r--src/libcharon/plugins/ha/ha_segments.c7
-rw-r--r--src/libcharon/plugins/ha/ha_segments.h7
-rw-r--r--src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c17
-rw-r--r--src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c27
-rw-r--r--src/libcharon/plugins/vici/libvici.h8
-rw-r--r--src/libcharon/plugins/vici/vici_config.c7
-rw-r--r--src/libcharon/processing/jobs/adopt_children_job.c52
-rw-r--r--src/libcharon/sa/child_sa.c4
-rw-r--r--src/libcharon/sa/ike_sa.c45
-rw-r--r--src/libcharon/sa/ike_sa.h17
-rw-r--r--src/libcharon/sa/ike_sa_manager.c2
-rw-r--r--src/libcharon/sa/ikev1/phase1.c3
-rw-r--r--src/libcharon/sa/ikev1/task_manager_v1.c134
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c1
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c1
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_mode.c9
-rw-r--r--src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c97
-rw-r--r--src/libcharon/sa/ikev2/task_manager_v2.c227
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_delete.c24
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_init.c16
-rw-r--r--src/libcharon/sa/task_manager.h19
-rw-r--r--src/libcharon/tests/suites/test_child_rekey.c46
-rw-r--r--src/libimcv/imv/data.sql44
-rw-r--r--src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-2.swidtag (renamed from src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-1.swidtag)4
-rw-r--r--src/libimcv/plugins/imv_attestation/imv_attestation_agent.c2
-rw-r--r--src/libpttls/pt_tls_client.c1
-rw-r--r--src/libstrongswan/credentials/auth_cfg.c1
-rw-r--r--src/libstrongswan/credentials/builder.c1
-rw-r--r--src/libstrongswan/credentials/builder.h2
-rw-r--r--src/libstrongswan/credentials/keys/private_key.h13
-rw-r--r--src/libstrongswan/credentials/keys/public_key.c2
-rw-r--r--src/libstrongswan/credentials/keys/signature_params.c50
-rw-r--r--src/libstrongswan/credentials/keys/signature_params.h19
-rw-r--r--src/libstrongswan/crypto/mac.h4
-rw-r--r--src/libstrongswan/crypto/proposal/proposal_keywords_static.c24
-rw-r--r--src/libstrongswan/crypto/proposal/proposal_keywords_static.h2
-rw-r--r--src/libstrongswan/plugins/agent/agent_private_key.c133
-rw-r--r--src/libstrongswan/plugins/botan/Makefile.am4
-rw-r--r--src/libstrongswan/plugins/botan/Makefile.in13
-rw-r--r--src/libstrongswan/plugins/botan/botan_aead.c (renamed from src/libstrongswan/plugins/botan/botan_gcm.c)219
-rw-r--r--src/libstrongswan/plugins/botan/botan_aead.h (renamed from src/libstrongswan/plugins/botan/botan_gcm.h)17
-rw-r--r--src/libstrongswan/plugins/botan/botan_crypter.c6
-rw-r--r--src/libstrongswan/plugins/botan/botan_ec_public_key.c19
-rw-r--r--src/libstrongswan/plugins/botan/botan_ed_private_key.c279
-rw-r--r--src/libstrongswan/plugins/botan/botan_ed_private_key.h63
-rw-r--r--src/libstrongswan/plugins/botan/botan_ed_public_key.c202
-rw-r--r--src/libstrongswan/plugins/botan/botan_ed_public_key.h51
-rw-r--r--src/libstrongswan/plugins/botan/botan_plugin.c77
-rw-r--r--src/libstrongswan/plugins/botan/botan_rsa_private_key.c24
-rw-r--r--src/libstrongswan/plugins/botan/botan_rsa_public_key.c66
-rw-r--r--src/libstrongswan/plugins/botan/botan_util.c35
-rw-r--r--src/libstrongswan/plugins/botan/botan_util.h12
-rw-r--r--src/libstrongswan/plugins/botan/botan_util_keys.c38
-rw-r--r--src/libstrongswan/plugins/curve25519/curve25519_public_key.c110
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c4
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c6
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c6
-rw-r--r--src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c6
-rw-r--r--src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c7
-rw-r--r--src/libstrongswan/plugins/mysql/mysql_database.c10
-rw-r--r--src/libstrongswan/plugins/openssl/Makefile.am5
-rw-r--r--src/libstrongswan/plugins/openssl/Makefile.in11
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_crl.c21
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_ed_private_key.c356
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_ed_private_key.h58
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_ed_public_key.c304
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_ed_public_key.h38
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_plugin.c53
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rng.c11
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c7
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c7
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_util.c8
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_util.h4
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_x509.c14
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.c256
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.h37
-rw-r--r--src/libstrongswan/plugins/sshkey/sshkey_builder.c35
-rw-r--r--src/libstrongswan/plugins/sshkey/sshkey_encoder.c38
-rw-r--r--src/libstrongswan/plugins/test_vectors/Makefile.am1
-rw-r--r--src/libstrongswan/plugins/test_vectors/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/test_vectors/test_vectors.h2
-rw-r--r--src/libstrongswan/plugins/test_vectors/test_vectors/chacha20poly1305.c40
-rw-r--r--src/libstrongswan/plugins/test_vectors/test_vectors/curve25519.c2
-rw-r--r--src/libstrongswan/plugins/test_vectors/test_vectors/curve448.c43
-rw-r--r--src/libstrongswan/settings/settings_lexer.c898
-rw-r--r--src/libstrongswan/settings/settings_lexer.l5
-rw-r--r--src/libstrongswan/tests/Makefile.am1
-rw-r--r--src/libstrongswan/tests/Makefile.in19
-rw-r--r--src/libstrongswan/tests/suites/test_ed25519.c84
-rw-r--r--src/libstrongswan/tests/suites/test_ed448.c654
-rw-r--r--src/libstrongswan/tests/suites/test_rsa.c2
-rw-r--r--src/libstrongswan/tests/suites/test_signature_params.c61
-rw-r--r--src/libstrongswan/tests/tests.h1
-rw-r--r--src/libstrongswan/utils/chunk.h2
-rw-r--r--src/libstrongswan/utils/leak_detective.c42
-rw-r--r--src/libtpmtss/plugins/tpm/tpm_private_key.c10
-rw-r--r--src/libtpmtss/tpm_tss.h12
-rw-r--r--src/libtpmtss/tpm_tss_trousers.c7
-rw-r--r--src/libtpmtss/tpm_tss_tss2_v1.c137
-rw-r--r--src/libtpmtss/tpm_tss_tss2_v2.c133
-rw-r--r--src/pki/commands/acert.c5
-rw-r--r--src/pki/commands/issue.c5
-rw-r--r--src/pki/commands/req.c5
-rw-r--r--src/pki/commands/self.c5
-rw-r--r--src/pki/commands/signcrl.c6
-rw-r--r--src/pki/pki.c28
-rw-r--r--src/pki/pki.h3
-rw-r--r--src/pool/pool.c2
-rw-r--r--src/pt-tls-client/pt-tls-client.1.in4
-rw-r--r--src/scepclient/scepclient.c9
-rwxr-xr-xsrc/sec-updater/sec-updater.sh58
-rw-r--r--src/starter/keywords.c24
-rw-r--r--src/starter/keywords.h2
-rw-r--r--src/starter/parser/lexer.c868
-rw-r--r--src/starter/parser/lexer.l5
-rw-r--r--src/stroke/stroke_keywords.c26
-rw-r--r--src/stroke/stroke_keywords.h2
-rw-r--r--src/sw-collector/sw-collector.c3
-rw-r--r--src/swanctl/commands/load_all.c5
-rw-r--r--src/swanctl/commands/load_authorities.c11
-rw-r--r--src/swanctl/commands/load_conns.c20
-rw-r--r--src/swanctl/commands/load_creds.c20
-rw-r--r--src/swanctl/commands/load_pools.c5
-rw-r--r--src/swanctl/commands/rekey.c2
-rw-r--r--src/swanctl/commands/terminate.c2
-rw-r--r--src/swanctl/swanctl.c44
-rw-r--r--src/swanctl/swanctl.h52
-rw-r--r--testing/config/kernel/config-4.192690
-rw-r--r--testing/config/kvm/alice.xml6
-rw-r--r--testing/config/kvm/bob.xml2
-rw-r--r--testing/config/kvm/carol.xml2
-rw-r--r--testing/config/kvm/dave.xml2
-rw-r--r--testing/config/kvm/moon.xml2
-rw-r--r--testing/config/kvm/sun.xml2
-rw-r--r--testing/config/kvm/venus.xml2
-rw-r--r--testing/config/kvm/winnetou.xml2
-rwxr-xr-xtesting/do-tests36
-rw-r--r--testing/hosts/alice/etc/freeradius/3.0/clients.conf5
-rw-r--r--testing/hosts/alice/etc/freeradius/3.0/radiusd.conf99
-rw-r--r--testing/hosts/alice/etc/freeradius/dictionary2
-rw-r--r--testing/hosts/alice/etc/freeradius/radiusd.conf2
-rw-r--r--testing/hosts/default/etc/ssh/sshd_config2
-rwxr-xr-xtesting/hosts/default/usr/local/bin/init_collector2
-rw-r--r--testing/hosts/venus/etc/default/isc-dhcp-server3
-rw-r--r--testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf1
-rw-r--r--testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text4
-rw-r--r--testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf24
-rw-r--r--testing/hosts/winnetou/etc/openssl/duck/openssl.cnf20
-rw-r--r--testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf22
-rw-r--r--testing/hosts/winnetou/etc/openssl/monster/openssl.cnf20
-rw-r--r--testing/hosts/winnetou/etc/openssl/openssl.cnf22
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/openssl.cnf20
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf24
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/openssl.cnf22
-rwxr-xr-xtesting/scripts/build-baseimage41
-rwxr-xr-xtesting/scripts/build-guestimages7
-rwxr-xr-xtesting/scripts/build-rootimage5
-rw-r--r--testing/scripts/recipes/001_libtnc.mk31
-rw-r--r--testing/scripts/recipes/002_tnc-fhh.mk35
-rw-r--r--testing/scripts/recipes/003_freeradius.mk43
-rw-r--r--testing/scripts/recipes/004_hostapd.mk39
-rw-r--r--testing/scripts/recipes/004_wpa_supplicant.mk39
-rw-r--r--testing/scripts/recipes/005_anet.mk9
-rw-r--r--testing/scripts/recipes/006_tkm-rpc.mk9
-rw-r--r--testing/scripts/recipes/007_x509-ada.mk9
-rw-r--r--testing/scripts/recipes/008_xfrm-ada.mk9
-rw-r--r--testing/scripts/recipes/009_xfrm-proxy.mk9
-rw-r--r--testing/scripts/recipes/010_tkm.mk9
-rw-r--r--testing/scripts/recipes/011_botan.mk12
-rw-r--r--testing/scripts/recipes/patches/freeradius-eap-sim-identity30
-rw-r--r--testing/scripts/recipes/patches/freeradius-tnc-fhh6687
-rw-r--r--testing/scripts/recipes/patches/hostapd-config38
-rw-r--r--testing/scripts/recipes/patches/tnc-fhh-tncsim12
-rw-r--r--testing/scripts/recipes/patches/wpa_supplicant-eap-tnc47
-rw-r--r--testing/testing.conf16
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/description.txt10
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/evaltest.dat7
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf9
-rw-r--r--testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem3
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf33
-rw-r--r--testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem13
-rw-r--r--testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem11
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf9
-rw-r--r--testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem3
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf33
-rw-r--r--testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem13
-rw-r--r--testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem11
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/posttest.dat7
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/pretest.dat9
-rwxr-xr-xtesting/tests/botan/net2net-ed25519/test.conf25
-rw-r--r--testing/tests/botan/net2net-pkcs12/description.txt8
-rw-r--r--testing/tests/botan/net2net-pkcs12/evaltest.dat5
-rw-r--r--testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf6
-rw-r--r--testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 (renamed from testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12)bin3661 -> 3661 bytes
-rwxr-xr-xtesting/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf36
-rw-r--r--testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf6
-rw-r--r--testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 (renamed from testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12)bin3661 -> 3661 bytes
-rwxr-xr-xtesting/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf36
-rw-r--r--testing/tests/botan/net2net-pkcs12/posttest.dat6
-rw-r--r--testing/tests/botan/net2net-pkcs12/pretest.dat9
-rw-r--r--testing/tests/botan/net2net-pkcs12/test.conf (renamed from testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf)4
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/description.txt8
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/evaltest.dat5
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf9
-rw-r--r--testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem39
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf33
-rw-r--r--testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem28
-rw-r--r--testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem26
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf9
-rw-r--r--testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem39
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf33
-rw-r--r--testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem28
-rw-r--r--testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem26
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/posttest.dat5
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/pretest.dat7
-rwxr-xr-xtesting/tests/botan/net2net-sha3-rsa-cert/test.conf25
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default56
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat2
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat2
-rw-r--r--testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap0
-rw-r--r--testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/proxy.conf (renamed from testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default53
-rw-r--r--testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/ikev1/xauth-rsa-radius/posttest.dat2
-rw-r--r--testing/tests/ikev1/xauth-rsa-radius/pretest.dat2
-rw-r--r--testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf9
-rw-r--r--testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf9
-rw-r--r--testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf9
-rw-r--r--testing/tests/ikev2/host2host-cert/description.txt6
-rw-r--r--testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat2
-rw-r--r--testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat2
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default58
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users2
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files3
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default14
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat6
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users2
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat2
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat6
-rw-r--r--testing/tests/ikev2/nat-rw-psk/description.txt3
-rw-r--r--testing/tests/ikev2/nat-rw/description.txt2
-rw-r--r--testing/tests/ikev2/net2net-psk/description.txt5
-rw-r--r--testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt14
-rw-r--r--testing/tests/ikev2/rw-eap-aka-rsa/description.txt13
-rw-r--r--testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default58
-rw-r--r--testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users4
-rw-r--r--testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default58
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default58
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf (renamed from testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/pretest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/description.txt12
-rw-r--r--testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt16
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap21
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf (renamed from testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel38
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users)0
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/pretest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/description.txt16
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default58
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files3
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default13
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users1
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat3
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/description.txt23
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files3
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default13
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat3
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/description.txt25
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files3
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default13
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-sim-rsa/description.txt13
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap16
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default55
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users0
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf4
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/pretest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf19
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets6
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf18
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat11
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap21
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel38
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users (renamed from testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users)0
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat2
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default64
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/posttest.dat2
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/pretest.dat2
-rw-r--r--testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat2
-rw-r--r--testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat2
-rw-r--r--testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat2
-rw-r--r--testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat2
-rw-r--r--testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat2
-rw-r--r--testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat2
-rw-r--r--testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat4
-rw-r--r--testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat4
-rw-r--r--testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat4
-rw-r--r--testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat4
-rw-r--r--testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat4
-rw-r--r--testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat4
-rw-r--r--testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat2
-rw-r--r--testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat2
-rw-r--r--testing/tests/ipv6/host2host-ikev1/evaltest.dat2
-rw-r--r--testing/tests/ipv6/host2host-ikev2/evaltest.dat2
-rw-r--r--testing/tests/ipv6/net2net-ikev1/evaltest.dat2
-rw-r--r--testing/tests/ipv6/net2net-ikev2/evaltest.dat2
-rw-r--r--testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat2
-rw-r--r--testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat2
-rw-r--r--testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat2
-rw-r--r--testing/tests/ipv6/rw-ikev1/evaltest.dat4
-rw-r--r--testing/tests/ipv6/rw-ikev2/evaltest.dat4
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat4
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat4
-rw-r--r--testing/tests/ipv6/rw-psk-ikev1/evaltest.dat4
-rw-r--r--testing/tests/ipv6/rw-psk-ikev2/evaltest.dat4
-rw-r--r--testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat4
-rw-r--r--testing/tests/ipv6/transport-ikev1/evaltest.dat2
-rw-r--r--testing/tests/ipv6/transport-ikev2/evaltest.dat2
-rw-r--r--testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat2
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/description.txt7
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/evaltest.dat8
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/posttest.dat5
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/pretest.dat8
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/test.conf4
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/description.txt8
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat14
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat10
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/test.conf4
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/description.txt10
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat15
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat10
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/test.conf4
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/description.txt7
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat12
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat11
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat13
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/description.txt16
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat26
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat11
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/description.txt11
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat17
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/pretest.dat11
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/description.txt7
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/evaltest.dat8
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/posttest.dat5
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/pretest.dat8
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt8
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat15
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat10
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt13
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat15
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat10
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/description.txt8
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat14
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat10
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/description.txt10
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat15
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat10
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/description.txt2
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/evaltest.dat2
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf4
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem (renamed from testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der (renamed from testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der)bin952 -> 952 bytes
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem (renamed from testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der (renamed from testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der)bin951 -> 951 bytes
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/posttest.dat9
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/pretest.dat14
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/test.conf6
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/description.txt7
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat16
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf3
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat11
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat13
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat8
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509/carolCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf36
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509/daveCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509/moonCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem (renamed from testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem)0
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat11
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat13
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat7
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc15
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc15
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc19
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf6
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf24
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc15
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc15
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc19
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf6
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat8
-rw-r--r--testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat9
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/description.txt4
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat6
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12bin0 -> 3661 bytes
-rwxr-xr-xtesting/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf36
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf23
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets8
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12bin0 -> 3661 bytes
-rwxr-xr-xtesting/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf36
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat8
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat16
-rw-r--r--testing/tests/openssl-ikev2/net2net-pkcs12/test.conf6
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/description.txt9
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/evaltest.dat13
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/posttest.dat8
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/pretest.dat13
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat10
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem15
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem18
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem8
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf11
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem15
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem20
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem7
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf15
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat4
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/description.txt12
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat11
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem15
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem18
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem7
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf19
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem15
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem18
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem5
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf19
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem15
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem18
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem5
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf18
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat11
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/description.txt12
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat11
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem15
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem19
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem8
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf19
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem15
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem19
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem6
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf19
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem15
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem19
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem6
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush21
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf18
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat11
-rw-r--r--testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat4
-rw-r--r--testing/tests/sql/rw-psk-ipv6/evaltest.dat4
-rwxr-xr-xtesting/tests/swanctl/config-payload/evaltest.dat8
-rw-r--r--testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf9
-rwxr-xr-xtesting/tests/swanctl/frags-ipv6/evaltest.dat4
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/description.txt6
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/evaltest.dat6
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf30
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf30
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/posttest.dat5
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/pretest.dat7
-rwxr-xr-xtesting/tests/swanctl/host2host-cert/test.conf25
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/description.txt6
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/evaltest.dat6
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf31
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf31
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/posttest.dat5
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/pretest.dat7
-rwxr-xr-xtesting/tests/swanctl/host2host-transport/test.conf25
-rwxr-xr-xtesting/tests/swanctl/ip-pool-db/evaltest.dat8
-rwxr-xr-xtesting/tests/swanctl/ip-pool/evaltest.dat8
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/description.txt14
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/evaltest.dat35
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf27
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf27
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules43
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf20
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf48
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf27
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/posttest.dat18
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools-db/pretest.dat30
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/ip-two-pools-db/test.conf (renamed from testing/tests/tnc/tnccs-11-radius-pts/test.conf)12
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/description.txt9
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/evaltest.dat18
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf26
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules43
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf55
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/posttest.dat8
-rwxr-xr-xtesting/tests/swanctl/ip-two-pools/pretest.dat11
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/ip-two-pools/test.conf (renamed from testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf)10
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default58
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users2
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files3
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default13
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat6
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users2
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat2
-rw-r--r--testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat6
-rw-r--r--testing/tests/swanctl/nat-rw-psk/description.txt8
-rw-r--r--testing/tests/swanctl/nat-rw-psk/evaltest.dat14
-rw-r--r--testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf7
-rwxr-xr-xtesting/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf33
-rw-r--r--testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules24
-rw-r--r--testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf36
-rw-r--r--testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf7
-rwxr-xr-xtesting/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf34
-rw-r--r--testing/tests/swanctl/nat-rw-psk/posttest.dat7
-rw-r--r--testing/tests/swanctl/nat-rw-psk/pretest.dat16
-rw-r--r--testing/tests/swanctl/nat-rw-psk/test.conf25
-rw-r--r--testing/tests/swanctl/nat-rw/description.txt8
-rw-r--r--testing/tests/swanctl/nat-rw/evaltest.dat14
-rw-r--r--testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf7
-rwxr-xr-xtesting/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules24
-rw-r--r--testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf7
-rwxr-xr-xtesting/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/nat-rw/posttest.dat7
-rw-r--r--testing/tests/swanctl/nat-rw/pretest.dat13
-rw-r--r--testing/tests/swanctl/nat-rw/test.conf25
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/net2net-psk/description.txt (renamed from testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt)5
-rwxr-xr-xtesting/tests/swanctl/net2net-psk/evaltest.dat5
-rwxr-xr-xtesting/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf55
-rwxr-xr-xtesting/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf40
-rwxr-xr-xtesting/tests/swanctl/net2net-psk/posttest.dat5
-rwxr-xr-xtesting/tests/swanctl/net2net-psk/pretest.dat9
-rwxr-xr-xtesting/tests/swanctl/net2net-psk/test.conf25
-rwxr-xr-xtesting/tests/swanctl/rw-cert-pss/evaltest.dat8
-rwxr-xr-xtesting/tests/swanctl/rw-cert/description.txt3
-rw-r--r--testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt11
-rw-r--r--testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat10
-rw-r--r--testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat8
-rw-r--r--testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf (renamed from testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf)8
-rw-r--r--testing/tests/swanctl/rw-eap-aka-rsa/description.txt8
-rw-r--r--testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat9
-rw-r--r--testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf9
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf)17
-rw-r--r--testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf34
-rw-r--r--testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat8
-rw-r--r--testing/tests/swanctl/rw-eap-aka-rsa/test.conf (renamed from testing/tests/openssl-ikev2/alg-aes-gcm/test.conf)10
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/description.txt10
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat10
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default)0
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users1
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules)0
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf28
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat9
-rw-r--r--testing/tests/swanctl/rw-eap-md5-id-radius/test.conf (renamed from testing/tests/tnc/tnccs-11-supplicant/test.conf)8
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/description.txt7
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat9
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default)0
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users1
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf9
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf)17
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules (renamed from testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules)0
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf16
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf)14
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/pretest.dat9
-rw-r--r--testing/tests/swanctl/rw-eap-md5-radius/test.conf29
-rw-r--r--testing/tests/swanctl/rw-eap-md5-rsa/description.txt7
-rw-r--r--testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat10
-rw-r--r--testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf34
-rw-r--r--testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf39
-rw-r--r--testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat8
-rw-r--r--testing/tests/swanctl/rw-eap-md5-rsa/test.conf25
-rw-r--r--testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt10
-rw-r--r--testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat11
-rw-r--r--testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf9
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf)13
-rw-r--r--testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf40
-rw-r--r--testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat8
-rw-r--r--testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf25
-rw-r--r--testing/tests/swanctl/rw-eap-peap-md5/description.txt (renamed from testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt)10
-rw-r--r--testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat17
-rw-r--r--testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf20
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf)18
-rw-r--r--testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf20
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf)18
-rw-r--r--testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf22
-rwxr-xr-xtesting/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf37
-rw-r--r--testing/tests/swanctl/rw-eap-peap-md5/posttest.dat (renamed from testing/tests/tnc/tnccs-11-fhh/posttest.dat)0
-rw-r--r--testing/tests/swanctl/rw-eap-peap-md5/pretest.dat (renamed from testing/tests/tnc/tnccs-20-fhh/pretest.dat)13
-rw-r--r--testing/tests/swanctl/rw-eap-peap-md5/test.conf (renamed from testing/tests/openssl-ikev2/rw-suite-b-192/test.conf)4
-rw-r--r--testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt8
-rw-r--r--testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat17
-rw-r--r--testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf20
-rwxr-xr-xtesting/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf20
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf)18
-rw-r--r--testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf21
-rwxr-xr-xtesting/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf37
-rw-r--r--testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat (renamed from testing/tests/tnc/tnccs-20-fhh/posttest.dat)0
-rw-r--r--testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat (renamed from testing/tests/tnc/tnccs-11-fhh/pretest.dat)13
-rw-r--r--testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf (renamed from testing/tests/openssl-ikev2/rw-suite-b-128/test.conf)4
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/description.txt9
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat17
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap21
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel38
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users (renamed from testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users)0
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf (renamed from testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf)11
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default)0
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel)0
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users (renamed from testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users)0
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf9
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf)18
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules (renamed from testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules)0
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/posttest.dat (renamed from testing/tests/tnc/tnccs-11-radius-block/posttest.dat)3
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/pretest.dat14
-rw-r--r--testing/tests/swanctl/rw-eap-peap-radius/test.conf (renamed from testing/tests/tnc/tnccs-11-radius-block/test.conf)4
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/description.txt13
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat10
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default58
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users1
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default53
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users1
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat (renamed from testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat)0
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules (renamed from testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules)10
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat10
-rw-r--r--testing/tests/swanctl/rw-eap-sim-id-radius/test.conf29
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/description.txt15
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat13
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users2
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default72
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users2
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat (renamed from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat)3
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat3
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules (renamed from testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules)10
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat (renamed from testing/tests/tnc/tnccs-11-radius/posttest.dat)3
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat16
-rw-r--r--testing/tests/swanctl/rw-eap-sim-only-radius/test.conf (renamed from testing/tests/tnc/tnccs-11-radius/test.conf)4
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/description.txt15
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat13
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users2
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default72
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users2
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat (renamed from testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat)3
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat3
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules (renamed from testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules)10
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/posttest.dat (renamed from testing/tests/tnc/tnccs-11-radius-pts/posttest.dat)4
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/pretest.dat16
-rw-r--r--testing/tests/swanctl/rw-eap-sim-radius/test.conf (renamed from testing/tests/tnc/tnccs-20-fhh/test.conf)6
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/description.txt8
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat9
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat3
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat3
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat8
-rw-r--r--testing/tests/swanctl/rw-eap-sim-rsa/test.conf25
-rw-r--r--testing/tests/swanctl/rw-eap-tls-only/description.txt (renamed from testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt)3
-rw-r--r--testing/tests/swanctl/rw-eap-tls-only/evaltest.dat10
-rw-r--r--testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf20
-rwxr-xr-xtesting/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf25
-rw-r--r--testing/tests/swanctl/rw-eap-tls-only/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-tls-only/pretest.dat (renamed from testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat)6
-rw-r--r--testing/tests/swanctl/rw-eap-tls-only/test.conf25
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/description.txt7
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat9
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap16
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf0
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default55
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel0
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users0
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf (renamed from testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf)18
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default41
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users1
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules (renamed from testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules)10
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/posttest.dat5
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/pretest.dat8
-rw-r--r--testing/tests/swanctl/rw-eap-tls-radius/test.conf29
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-only/description.txt11
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat (renamed from testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat)6
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf20
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf)16
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf20
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf)16
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf21
-rwxr-xr-xtesting/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf37
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-only/posttest.dat (renamed from testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat)6
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-only/pretest.dat13
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-only/test.conf (renamed from testing/tests/openssl-ikev2/alg-blowfish/test.conf)4
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/description.txt9
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat17
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap21
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default59
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel38
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users2
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf)7
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default)0
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel (renamed from testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel)0
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users2
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf9
-rwxr-xr-xtesting/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf35
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf9
-rwxr-xr-x[-rw-r--r--]testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf (renamed from testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf)18
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf27
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat7
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat14
-rw-r--r--testing/tests/swanctl/rw-eap-ttls-radius/test.conf (renamed from testing/tests/tnc/tnccs-11-fhh/test.conf)7
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/description.txt13
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/evaltest.dat18
-rwxr-xr-xtesting/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon158
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf22
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config4
-rwxr-xr-xtesting/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon158
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf22
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config4
-rwxr-xr-xtesting/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon158
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf28
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf64
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy1
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy40
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/description.txt14
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/evaltest.dat15
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second36
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf12
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf27
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf30
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf15
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/pretest.dat21
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/description.txt14
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat18
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second36
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql29
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf13
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf19
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf20
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf15
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf53
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/pretest.dat28
-rw-r--r--testing/tests/tnc/tnccs-11-radius/description.txt13
-rw-r--r--testing/tests/tnc/tnccs-11-radius/evaltest.dat18
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf25
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel32
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second36
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf12
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf30
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf30
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf15
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf53
-rw-r--r--testing/tests/tnc/tnccs-11-radius/pretest.dat22
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/description.txt12
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/evaltest.dat2
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel32
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second36
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf12
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf11
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf1
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf10
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf11
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf1
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf10
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf1127
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/posttest.dat5
-rw-r--r--testing/tests/tnc/tnccs-11-supplicant/pretest.dat11
-rw-r--r--testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql39
-rw-r--r--testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat1
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/description.txt13
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/evaltest.dat18
-rwxr-xr-xtesting/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon158
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf18
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config3
-rwxr-xr-xtesting/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon158
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf17
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config3
-rwxr-xr-xtesting/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon158
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf21
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf64
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy1
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy40
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf8
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default1
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf8
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default1
1204 files changed, 17040 insertions, 15378 deletions
diff --git a/Android.common.mk b/Android.common.mk
index 3c71998e6..8e435982c 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
)
# strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.7.1"
+strongswan_VERSION := "5.7.2"
diff --git a/ChangeLog b/ChangeLog
index 53a9ec244..3e5641cba 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,5 @@
A summary of changes is available in the NEWS file. For a more
-detailed Changelog, use the repository (see HACKING) or the
-online interface available at http://git.strongswan.org.
+detailed Changelog, refer to the completed versions on the project's roadmap
+(https://wiki.strongswan.org/projects/strongswan/roadmap) or use the Git
+repository (see HACKING) or its web interface available at
+https://git.strongswan.org.
diff --git a/Doxyfile.in b/Doxyfile.in
index 6c59d86c9..a1f3f8819 100644
--- a/Doxyfile.in
+++ b/Doxyfile.in
@@ -1789,18 +1789,6 @@ GENERATE_XML = NO
XML_OUTPUT = xml
-# The XML_SCHEMA tag can be used to specify a XML schema, which can be used by a
-# validating XML parser to check the syntax of the XML files.
-# This tag requires that the tag GENERATE_XML is set to YES.
-
-XML_SCHEMA =
-
-# The XML_DTD tag can be used to specify a XML DTD, which can be used by a
-# validating XML parser to check the syntax of the XML files.
-# This tag requires that the tag GENERATE_XML is set to YES.
-
-XML_DTD =
-
# If the XML_PROGRAMLISTING tag is set to YES doxygen will dump the program
# listings (including syntax highlighting and cross-referencing information) to
# the XML output. Note that enabling this will significantly increase the size
diff --git a/Makefile.am b/Makefile.am
index 54b822050..958edc6fe 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -24,6 +24,11 @@ config_includedir = $(ipseclibdir)/include
nodist_config_include_HEADERS = config.h
endif
+# we can't (and shouldn't) install/uninstall system files during make distcheck,
+# so override the autodetected path for systemd units
+AM_DISTCHECK_CONFIGURE_FLAGS = \
+ --with-systemdsystemunitdir='$$(prefix)/lib/systemd/system'
+
# we leave config files behind intentionally so prevent distcheck from complaining
distuninstallcheck_listfiles = find . -type f \! -name '*.conf' \! -name '*.secrets' -print
diff --git a/Makefile.in b/Makefile.in
index 7e06889c9..bbb0d4c1d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -492,6 +492,12 @@ MAINTAINERCLEANFILES = Android.common.mk
@USE_DEV_HEADERS_TRUE@config_includedir = $(ipseclibdir)/include
@USE_DEV_HEADERS_TRUE@nodist_config_include_HEADERS = config.h
+# we can't (and shouldn't) install/uninstall system files during make distcheck,
+# so override the autodetected path for systemd units
+AM_DISTCHECK_CONFIGURE_FLAGS = \
+ --with-systemdsystemunitdir='$$(prefix)/lib/systemd/system'
+
+
# we leave config files behind intentionally so prevent distcheck from complaining
distuninstallcheck_listfiles = find . -type f \! -name '*.conf' \! -name '*.secrets' -print
all: $(BUILT_SOURCES) config.h
diff --git a/NEWS b/NEWS
index 18bf7e3db..b95b0fcf4 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,53 @@
+strongswan-5.7.2
+----------------
+
+- Private key implementations may optionally provide a list of supported
+ signature schemes, which is used by the tpm plugin because for each key on a
+ TPM 2.0 the hash algorithm and for RSA also the padding scheme is predefined.
+
+- For RSA with PSS padding, the TPM 2.0 specification mandates the maximum salt
+ length (as defined by the length of the key and hash). However, if the TPM is
+ FIPS-168-4 compliant, the salt length equals the hash length. This is assumed
+ for FIPS-140-2 compliant TPMs, but if that's not the case, it might be
+ necessary to manually enable charon.plugins.tpm.fips_186_4 if the TPM doesn't
+ use the maximum salt length.
+
+- swanctl now accesses directories for credentials relative to swanctl.conf, in
+ particular, when it's loaded from a custom location via --file argument. The
+ base directory that's used if --file is not given is configurable at runtime
+ via SWANCTL_DIR environment variable.
+
+- With RADIUS Accounting enabled, the eap-radius plugin adds the session ID to
+ Access-Request messages, simplifying associating database entries for IP
+ leases and accounting with sessions.
+
+- IPs assigned by RADIUS servers are included in Accounting-Stop even if clients
+ don't claim them, allowing releasing them early on connection errors.
+
+- Selectors installed on transport mode SAs by the kernel-netlink plugin are
+ updated on IP address changes (e.g. via MOBIKE).
+
+- Added support for RSA signatures with SHA-256 and SHA-512 to the agent plugin.
+ For older versions of ssh/gpg-agent that only support SHA-1, IKEv2 signature
+ authentication has to be disabled via charon.signature_authentication.
+
+- The sshkey and agent plugins support Ed25519/Ed448 SSH keys and signatures.
+
+- The openssl plugin supports X25519/X448 Diffie-Hellman and Ed25519/Ed448 keys
+ and signatures when built against OpenSSL 1.1.1.
+
+- Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM were added to the botan plugin.
+
+- The mysql plugin now properly handles database connections with transactions
+ under heavy load.
+
+- IP addresses in HA pools are now distributed evenly among all segments.
+
+- On newer FreeBSD kernels, the kernel-pfkey plugin reads the reqid directly
+ from SADB_ACQUIRE messages, i.e. not requiring previous policy installation by
+ the plugin, e.g. for compatibility with if_ipsec(4) VTIs.
+
+
strongswan-5.7.1
----------------
@@ -1031,7 +1081,7 @@ strongswan-5.0.3
charon-tkm does not result in the compromise of cryptographic keys.
The extracted functionality has been implemented from scratch in a minimal TCB
(trusted computing base) in the Ada programming language. Further information
- can be found at http://www.codelabs.ch/tkm/.
+ can be found at https://www.codelabs.ch/tkm/.
strongswan-5.0.2
----------------
@@ -1169,7 +1219,7 @@ strongswan-5.0.0
pluto, but currently does not support AH or bundled AH+ESP SAs. Beside
RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication
mode. Information for interoperability and migration is available at
- http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1.
+ https://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1.
- Charon's bus_t has been refactored so that loggers and other listeners are
now handled separately. The single lock was previously cause for deadlocks
@@ -1600,7 +1650,7 @@ strongswan-4.4.0
- The IKEv2 High Availability plugin has been integrated. It provides
load sharing and failover capabilities in a cluster of currently two nodes,
based on an extend ClusterIP kernel module. More information is available at
- http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability.
+ https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability.
The development of the High Availability functionality was sponsored by
secunet Security Networks AG.
@@ -2308,7 +2358,7 @@ strongswan-4.1.7
- Preview of strongSwan Manager, a web based configuration and monitoring
application. It uses a new XML control interface to query the IKEv2 daemon
- (see http://wiki.strongswan.org/wiki/Manager).
+ (see https://wiki.strongswan.org/wiki/Manager).
- Experimental SQLite configuration backend which will provide the configuration
interface for strongSwan Manager in future releases.
diff --git a/README b/README
index 8d8febede..a19caf37a 100644
--- a/README
+++ b/README
@@ -9,7 +9,7 @@ which uses the modern [**vici**](src/libcharon/plugins/vici/README.md) *Versatil
IKE Configuration Interface*. The deprecated **ipsec** command using the legacy
**stroke** configuration interface is described [**here**](README_LEGACY.md).
For more detailed information consult the man pages and
-[**our wiki**](http://wiki.strongswan.org).
+[**our wiki**](https://wiki.strongswan.org).
## Quickstart ##
diff --git a/TODO b/TODO
index 186d4d02b..41ea04099 100644
--- a/TODO
+++ b/TODO
@@ -4,5 +4,5 @@
A roadmap of the strongSwan project is available online at:
- http://wiki.strongswan.org/projects/strongswan/roadmap
+ https://wiki.strongswan.org/projects/strongswan/roadmap
diff --git a/conf/plugins/tpm.conf b/conf/plugins/tpm.conf
index 1be961e89..91d533a1e 100644
--- a/conf/plugins/tpm.conf
+++ b/conf/plugins/tpm.conf
@@ -1,5 +1,9 @@
tpm {
+ # Is the TPM 2.0 FIPS-186-4 compliant, forcing e.g. the use of the default
+ # salt length instead of maximum salt length with RSAPSS padding.
+ # fips_186_4 = no
+
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
diff --git a/conf/plugins/tpm.opt b/conf/plugins/tpm.opt
index df7adb098..06c88861e 100644
--- a/conf/plugins/tpm.opt
+++ b/conf/plugins/tpm.opt
@@ -1,6 +1,10 @@
charon.plugins.tpm.use_rng = no
Whether the TPM should be used as RNG.
+charon.plugins.tpm.fips_186_4 = no
+ Is the TPM 2.0 FIPS-186-4 compliant, forcing e.g. the use of the default
+ salt length instead of maximum salt length with RSAPSS padding.
+
charon.plugins.tpm.tcti.name = device|tabrmd
Name of TPM 2.0 TCTI library. Valid values: _tabrmd_, _device_ or _mssim_.
Defaults are _device_ if the _/dev/tpmrm0_ in-kernel TPM 2.0 resource manager
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 486ee5af9..aea62fbae 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -1685,6 +1685,11 @@ Send an unsupported PB\-TNC message type with the NOSKIP flag set.
Send a PB\-TNC batch with a modified PB\-TNC version.
.TP
+.BR charon.plugins.tpm.fips_186_4 " [no]"
+Is the TPM 2.0 FIPS\-186\-4 compliant, forcing e.g. the use of the default salt
+length instead of maximum salt length with RSAPSS padding.
+
+.TP
.BR charon.plugins.tpm.tcti.name " [device|tabrmd]"
Name of TPM 2.0 TCTI library. Valid values:
.RI "" "tabrmd" ","
diff --git a/configure b/configure
index f66cae07f..be0c1d92a 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.7.1.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.7.2.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='strongSwan'
PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.7.1'
-PACKAGE_STRING='strongSwan 5.7.1'
+PACKAGE_VERSION='5.7.2'
+PACKAGE_STRING='strongSwan 5.7.2'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@@ -2108,7 +2108,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures strongSwan 5.7.1 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.7.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -2179,7 +2179,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of strongSwan 5.7.1:";;
+ short | recursive ) echo "Configuration of strongSwan 5.7.2:";;
esac
cat <<\_ACEOF
@@ -2666,7 +2666,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-strongSwan configure 5.7.1
+strongSwan configure 5.7.2
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3188,7 +3188,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by strongSwan $as_me 5.7.1, which was
+It was created by strongSwan $as_me 5.7.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -4051,7 +4051,7 @@ fi
# Define the identity of the package.
PACKAGE='strongswan'
- VERSION='5.7.1'
+ VERSION='5.7.2'
cat >>confdefs.h <<_ACEOF
@@ -23080,6 +23080,9 @@ $as_echo "$as_me: fuzz targets enabled without libFuzzer, using local driver" >&
else
# required for libFuzzer
FUZZING_LDFLAGS="-stdlib=libc++ -lstdc++"
+ if test "$SANITIZER" = "coverage"; then
+ FUZZING_LDFLAGS="$FUZZING_LDFLAGS -lm"
+ fi
fi
fi
@@ -27550,7 +27553,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by strongSwan $as_me 5.7.1, which was
+This file was extended by strongSwan $as_me 5.7.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -27616,7 +27619,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-strongSwan config.status 5.7.1
+strongSwan config.status 5.7.2
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index 673393f8d..8b2f0216d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -19,7 +19,7 @@
# initialize & set some vars
# ============================
-AC_INIT([strongSwan],[5.7.1])
+AC_INIT([strongSwan],[5.7.2])
AM_INIT_AUTOMAKE(m4_esyscmd([
echo tar-ustar
echo subdir-objects
@@ -1292,6 +1292,9 @@ if test x$fuzzing = xtrue; then
else
# required for libFuzzer
FUZZING_LDFLAGS="-stdlib=libc++ -lstdc++"
+ if test "$SANITIZER" = "coverage"; then
+ FUZZING_LDFLAGS="$FUZZING_LDFLAGS -lm"
+ fi
AC_SUBST(FUZZING_LDFLAGS)
fi
fi
diff --git a/scripts/dh_speed.c b/scripts/dh_speed.c
index f2f98d7af..235772faf 100644
--- a/scripts/dh_speed.c
+++ b/scripts/dh_speed.c
@@ -47,6 +47,7 @@ struct {
{"ecp192", ECP_192_BIT},
{"ecp224", ECP_224_BIT},
{"curve25519", CURVE_25519},
+ {"curve448", CURVE_448},
};
static void start_timing(struct timespec *start)
diff --git a/src/_copyright/_copyright.c b/src/_copyright/_copyright.c
index 806f78062..038e60e87 100644
--- a/src/_copyright/_copyright.c
+++ b/src/_copyright/_copyright.c
@@ -84,11 +84,9 @@ main(int argc, char *argv[])
case 'h': /* help */
printf("%s\n", usage);
exit(0);
- break;
case 'v': /* version */
printf("%s strongSwan "VERSION"\n", me);
exit(0);
- break;
case '?':
default:
errflg = 1;
diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c
index 1293ec4c0..e85e21d5c 100644
--- a/src/charon-cmd/charon-cmd.c
+++ b/src/charon-cmd/charon-cmd.c
@@ -348,6 +348,9 @@ int main(int argc, char *argv[])
{
exit(SS_RC_INITIALIZATION_FAILED);
}
+ /* register this again after loading plugins to avoid issues with libraries
+ * that register atexit() handlers */
+ atexit(libcharon_deinit);
if (!lib->caps->drop(lib->caps))
{
exit(SS_RC_INITIALIZATION_FAILED);
@@ -358,9 +361,6 @@ int main(int argc, char *argv[])
creds = cmd_creds_create();
atexit(cleanup_creds);
- /* handle all arguments */
- handle_arguments(argc, argv, FALSE);
-
if (uname(&utsname) != 0)
{
memset(&utsname, 0, sizeof(utsname));
@@ -369,6 +369,9 @@ int main(int argc, char *argv[])
VERSION, utsname.sysname, utsname.release, utsname.machine);
lib->plugins->status(lib->plugins, LEVEL_CTRL);
+ /* handle all arguments */
+ handle_arguments(argc, argv, FALSE);
+
/* add handler for SEGV and ILL,
* INT, TERM and HUP are handled by sigwaitinfo() in run() */
action.sa_handler = segv_handler;
diff --git a/src/charon-systemd/charon-systemd.c b/src/charon-systemd/charon-systemd.c
index d06c26974..7d4465ebf 100644
--- a/src/charon-systemd/charon-systemd.c
+++ b/src/charon-systemd/charon-systemd.c
@@ -322,6 +322,7 @@ int main(int argc, char *argv[])
{
struct sigaction action;
struct utsname utsname;
+ int status = SS_RC_INITIALIZATION_FAILED;
dbg = dbg_stderr;
@@ -345,16 +346,15 @@ int main(int argc, char *argv[])
sd_notifyf(0, "STATUS=integrity check of charon-systemd failed");
return SS_RC_INITIALIZATION_FAILED;
}
- atexit(libcharon_deinit);
if (!libcharon_init())
{
sd_notifyf(0, "STATUS=libcharon initialization failed");
- return SS_RC_INITIALIZATION_FAILED;
+ goto error;
}
if (!lookup_uid_gid())
{
sd_notifyf(0, "STATUS=unknown uid/gid");
- return SS_RC_INITIALIZATION_FAILED;
+ goto error;
}
/* we registered the journal logger as custom logger, which gets its
* settings from <ns>.customlog.journal, let it fallback to <ns>.journal */
@@ -370,14 +370,14 @@ int main(int argc, char *argv[])
lib->settings->get_str(lib->settings, "%s.load", PLUGINS, lib->ns)))
{
sd_notifyf(0, "STATUS=charon initialization failed");
- return SS_RC_INITIALIZATION_FAILED;
+ goto error;
}
lib->plugins->status(lib->plugins, LEVEL_CTRL);
if (!lib->caps->drop(lib->caps))
{
sd_notifyf(0, "STATUS=dropping capabilities failed");
- return SS_RC_INITIALIZATION_FAILED;
+ goto error;
}
/* add handler for SEGV and ILL,
@@ -401,5 +401,9 @@ int main(int argc, char *argv[])
sd_notifyf(0, "STATUS=charon-systemd running, strongSwan %s, %s %s, %s",
VERSION, utsname.sysname, utsname.release, utsname.machine);
- return run();
+ status = run();
+
+error:
+ libcharon_deinit();
+ return status;
}
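Review bot: The new `error:` label is also reached on the normal path after `run()` returns, so the name is misleading; `out:` or `cleanup:` would describe it better. With `atexit(libcharon_deinit)` removed in the earlier hunk, teardown now happens only when `main()` returns through this label, so any path that ends the process via `exit()` (none is visible in these hunks) would skip `libcharon_deinit()`. A short comment above the call, such as `/* explicit deinit, no atexit() handler is registered anymore */`, would record that. The label is also reached right after a failed `libcharon_init()`, which assumes `libcharon_deinit()` tolerates a partially initialized library.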
diff --git a/src/conftest/hooks/set_proposal_number.c b/src/conftest/hooks/set_proposal_number.c
index dd814ad15..3fa53680c 100644
--- a/src/conftest/hooks/set_proposal_number.c
+++ b/src/conftest/hooks/set_proposal_number.c
@@ -122,7 +122,7 @@ METHOD(listener_t, message, bool,
enumerator->destroy(enumerator);
}
sa = sa_payload_create_from_proposals_v2(updated);
- list->destroy_offset(list, offsetof(proposal_t, destroy));
+ DESTROY_OFFSET_IF(list, offsetof(proposal_t, destroy));
updated->destroy_offset(updated, offsetof(proposal_t, destroy));
message->add_payload(message, (payload_t*)sa);
}
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index 143342ecb..d49d6cdf6 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2013-10-29" "5.7.0rc2" "strongSwan"
+.TH IPSEC 8 "2013-10-29" "5.7.2dr1" "strongSwan"
.
.SH NAME
.
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index f4c01c22e..b7348f0f9 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -575,7 +575,7 @@ METHOD(bus_t, message, void,
METHOD(bus_t, ike_keys, void,
private_bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
- ike_sa_t *rekey, shared_key_t *shared)
+ ike_sa_t *rekey, shared_key_t *shared, auth_method_t method)
{
enumerator_t *enumerator;
entry_t *entry;
@@ -591,7 +591,8 @@ METHOD(bus_t, ike_keys, void,
}
entry->calling++;
keep = entry->listener->ike_keys(entry->listener, ike_sa, dh, dh_other,
- nonce_i, nonce_r, rekey, shared);
+ nonce_i, nonce_r, rekey, shared,
+ method);
entry->calling--;
if (!keep)
{
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index df75683be..8a97e8dfc 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@@ -353,10 +353,12 @@ struct bus_t {
* @param nonce_r responder's nonce
* @param rekey IKE_SA we are rekeying, if any (IKEv2 only)
* @param shared shared key used for key derivation (IKEv1-PSK only)
+ * @param method auth method for key derivation (IKEv1-non-PSK only)
*/
void (*ike_keys)(bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
- ike_sa_t *rekey, shared_key_t *shared);
+ ike_sa_t *rekey, shared_key_t *shared,
+ auth_method_t method);
/**
* IKE_SA derived keys hook.
diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h
index 06057eb73..0f3b8578a 100644
--- a/src/libcharon/bus/listeners/listener.h
+++ b/src/libcharon/bus/listeners/listener.h
@@ -88,11 +88,13 @@ struct listener_t {
* @param nonce_r responder's nonce
* @param rekey IKE_SA we are rekeying, if any (IKEv2 only)
* @param shared shared key used for key derivation (IKEv1-PSK only)
+ * @param method auth method for key derivation (IKEv1-non-PSK only)
* @return TRUE to stay registered, FALSE to unregister
*/
bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
- ike_sa_t *rekey, shared_key_t *shared);
+ ike_sa_t *rekey, shared_key_t *shared,
+ auth_method_t method);
/**
* Hook called with derived IKE_SA keys.
diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
index 644cff029..1abbf7731 100644
--- a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
+++ b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
@@ -64,6 +64,7 @@ typedef struct {
private_bypass_lan_listener_t *listener;
host_t *net;
uint8_t mask;
+ char *iface;
child_cfg_t *cfg;
} bypass_policy_t;
@@ -85,6 +86,7 @@ static void bypass_policy_destroy(bypass_policy_t *this)
ts->destroy(ts);
}
this->net->destroy(this->net);
+ free(this->iface);
free(this);
}
@@ -126,6 +128,7 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this)
enumerator_t *enumerator;
hashtable_t *seen;
bypass_policy_t *found, *lookup;
+ traffic_selector_t *ts;
host_t *net;
uint8_t mask;
char *iface;
@@ -146,6 +149,7 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this)
INIT(lookup,
.net = net->clone(net),
.mask = mask,
+ .iface = strdupnull(iface),
);
found = seen->put(seen, lookup, lookup);
if (found)
@@ -160,7 +164,6 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this)
.mode = MODE_PASS,
};
child_cfg_t *cfg;
- traffic_selector_t *ts;
char name[128];
ts = traffic_selector_create_from_subnet(net->clone(net), mask,
@@ -176,6 +179,7 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this)
INIT(found,
.net = net->clone(net),
.mask = mask,
+ .iface = strdupnull(iface),
.cfg = cfg,
);
this->policies->put(this->policies, found, found);
@@ -186,11 +190,29 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this)
enumerator = this->policies->create_enumerator(this->policies);
while (enumerator->enumerate(enumerator, NULL, &lookup))
{
- if (!seen->get(seen, lookup))
+ found = seen->get(seen, lookup);
+ if (!found)
{
this->policies->remove_at(this->policies, enumerator);
bypass_policy_destroy(lookup);
}
+ else if (!streq(lookup->iface, found->iface))
+ { /* if the subnet is on multiple interfaces, we only get the last
+ * one (hopefully, they are enumerated in a consistent order) */
+ ts = traffic_selector_create_from_subnet(
+ lookup->net->clone(lookup->net),
+ lookup->mask, 0, 0, 65535);
+ DBG1(DBG_IKE, "interface change for bypass policy for %R (from %s "
+ "to %s)", ts, lookup->iface, found->iface);
+ ts->destroy(ts);
+ free(lookup->iface);
+ lookup->iface = strdupnull(found->iface);
+ /* there is currently no API to update shunts, so we remove and
+ * reinstall it to update the route */
+ charon->shunts->uninstall(charon->shunts, "bypass-lan",
+ lookup->cfg->get_name(lookup->cfg));
+ charon->shunts->install(charon->shunts, "bypass-lan", lookup->cfg);
+ }
}
enumerator->destroy(enumerator);
this->mutex->unlock(this->mutex);
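Review bot: In the new `else if` branch the results of `charon->shunts->uninstall()` and `charon->shunts->install()` are ignored, so if the reinstall fails the entry stays in `this->policies` with the updated `iface` but no installed shunt, and nothing is logged. Assuming `install()` reports failure through its return value, a check such as `if (!charon->shunts->install(charon->shunts, "bypass-lan", lookup->cfg)) { DBG1(DBG_IKE, "reinstalling bypass policy failed"); }` would make that state visible. Between the two calls the bypass policy is absent, so LAN traffic may briefly match other policies; the existing comment could mention this. `lookup->iface` and `found->iface` come from `strdupnull()` and may be NULL when handed to `%s` in the `DBG1` call. `update_bypass()` begins and ends outside this hunk.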
diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c
index 1e208d094..ecd92f2ef 100644
--- a/src/libcharon/plugins/dhcp/dhcp_socket.c
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -489,6 +489,16 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
offer = host_create_from_chunk(AF_INET,
chunk_from_thing(dhcp->your_address), 0);
+ if (offer->is_anyaddr(offer))
+ {
+ server = host_create_from_chunk(AF_INET,
+ chunk_from_thing(dhcp->server_address), 0);
+ DBG1(DBG_CFG, "ignoring DHCP OFFER %+H from %H", offer, server);
+ server->destroy(server);
+ offer->destroy(offer);
+ return;
+ }
+
this->mutex->lock(this->mutex);
enumerator = this->discover->create_enumerator(this->discover);
while (enumerator->enumerate(enumerator, &transaction))
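Review bot: The all-zero address check rejects the OFFER and logs at `DBG1` before the message is matched against a pending transaction in the loop below, so an OFFER that belongs to none of our transactions still produces a level-1 log line. If unsolicited OFFERs can reach `handle_offer()` (the receive path is outside the hunk), consider logging at `DBG2`, or doing the check only once a transaction has matched. The logged `server` is built from `dhcp->server_address` in the packet itself, so the message should not be read as identifying the actual sender. `handle_offer()` continues past the end of this hunk.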
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index fbbf6da83..ae1371b45 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012-2017 Tobias Brunner
+ * Copyright (C) 2012-2018 Tobias Brunner
* Copyright (C) 2009 Martin Willi
* HSR Hochschule fuer Technik Rapperswil
*
@@ -156,7 +156,7 @@ void eap_radius_build_attributes(radius_message_t *request)
{
ike_sa_t *ike_sa;
host_t *host;
- char buf[40], *station_id_fmt;;
+ char buf[40], *station_id_fmt, *session_id;
uint32_t value;
chunk_t chunk;
@@ -202,6 +202,14 @@ void eap_radius_build_attributes(radius_message_t *request)
host = ike_sa->get_other_host(ike_sa);
snprintf(buf, sizeof(buf), station_id_fmt, host);
request->add(request, RAT_CALLING_STATION_ID, chunk_from_str(buf));
+
+ session_id = eap_radius_accounting_session_id(ike_sa);
+ if (session_id)
+ {
+ request->add(request, RAT_ACCT_SESSION_ID,
+ chunk_from_str(session_id));
+ free(session_id);
+ }
}
}
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
index 92611492b..ecb2083c9 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015-2017 Tobias Brunner
+ * Copyright (C) 2015-2018 Tobias Brunner
* HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2012 Martin Willi
@@ -17,6 +17,7 @@
*/
#include "eap_radius_accounting.h"
+#include "eap_radius_provider.h"
#include "eap_radius_plugin.h"
#include <time.h>
@@ -461,6 +462,37 @@ static void add_ike_sa_parameters(private_eap_radius_accounting_t *this,
}
/**
+ * Add any unclaimed IP addresses to the message
+ */
+static void add_unclaimed_ips(radius_message_t *message, ike_sa_t *ike_sa)
+{
+ eap_radius_provider_t *provider;
+ enumerator_t *enumerator;
+ host_t *vip;
+
+ provider = eap_radius_provider_get();
+ enumerator = provider->clear_unclaimed(provider,
+ ike_sa->get_unique_id(ike_sa));
+ while (enumerator->enumerate(enumerator, &vip))
+ {
+ switch (vip->get_family(vip))
+ {
+ case AF_INET:
+ message->add(message, RAT_FRAMED_IP_ADDRESS,
+ vip->get_address(vip));
+ break;
+ case AF_INET6:
+ message->add(message, RAT_FRAMED_IPV6_ADDRESS,
+ vip->get_address(vip));
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
* Add the Class attributes received in the Access-Accept message to the
* RADIUS accounting message
*/
@@ -790,6 +822,7 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa)
chunk_create(entry->sid, strlen(entry->sid)));
add_class_attributes(message, entry);
add_ike_sa_parameters(this, message, ike_sa);
+ add_unclaimed_ips(message, ike_sa);
value = htonl(entry->usage.bytes.sent);
message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value));
@@ -816,7 +849,6 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa)
value = htonl(time_monotonic(NULL) - entry->created);
message->add(message, RAT_ACCT_SESSION_TIME, chunk_from_thing(value));
-
value = htonl(entry->cause);
message->add(message, RAT_ACCT_TERMINATE_CAUSE, chunk_from_thing(value));
@@ -1070,8 +1102,27 @@ eap_radius_accounting_t *eap_radius_accounting_create()
return &this->public;
}
-/**
- * See header
+/*
+ * Described in header
+ */
+char *eap_radius_accounting_session_id(ike_sa_t *ike_sa)
+{
+ entry_t *entry;
+ char *sid = NULL;
+
+ if (singleton)
+ {
+ singleton->mutex->lock(singleton->mutex);
+ entry = get_or_create_entry(singleton, ike_sa->get_id(ike_sa),
+ ike_sa->get_unique_id(ike_sa));
+ sid = strdup(entry->sid);
+ singleton->mutex->unlock(singleton->mutex);
+ }
+ return sid;
+}
+
+/*
+ * Described in header
*/
void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, uint32_t interval)
{
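Review bot: `eap_radius_accounting_session_id()` returns NULL when `singleton` is unset, but the header comment added in eap_radius_accounting.h promises only an "allocated session ID". A caller that passes the result straight to a string function would crash in that case, so the contract should say so: `@return allocated session ID (caller frees), NULL if accounting is not available`. The lookup also goes through `get_or_create_entry()`, so asking for the ID may create an accounting entry for an IKE_SA that has none yet; this is inferred from the helper's name, as its body is not shown.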
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h
index dc1edcf54..1fe1107ea 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2017 Tobias Brunner
+ * Copyright (C) 2017-2018 Tobias Brunner
* HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2012 Martin Willi
@@ -50,6 +50,14 @@ struct eap_radius_accounting_t {
eap_radius_accounting_t *eap_radius_accounting_create();
/**
+ * Get the Accounting session ID for the given IKE_SA.
+ *
+ * @param ike_sa IKE_SA for which to determine the session ID
+ * @return allocated session ID
+ */
+char *eap_radius_accounting_session_id(ike_sa_t *ike_sa);
+
+/**
* Schedule Accounting interim updates for the given IKE_SA.
*
* @param ike_sa IKE_SA to send updates for
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
index 8188bb764..defabb782 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_provider.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2013 Martin Willi
* Copyright (C) 2013 revosec AG
*
@@ -131,7 +134,7 @@ static entry_t* get_or_create_entry(hashtable_t *hashtable, uintptr_t id)
}
/**
- * Put an entry to hashtable, or destroy it ife empty
+ * Put an entry to hashtable, or destroy it if empty
*/
static void put_or_destroy_entry(hashtable_t *hashtable, entry_t *entry)
{
@@ -494,6 +497,24 @@ METHOD(eap_radius_provider_t, add_attribute, void,
this->listener.mutex->unlock(this->listener.mutex);
}
+METHOD(eap_radius_provider_t, clear_unclaimed, enumerator_t*,
+ private_eap_radius_provider_t *this, uint32_t id)
+{
+ entry_t *entry;
+
+ this->listener.mutex->lock(this->listener.mutex);
+ entry = this->listener.unclaimed->remove(this->listener.unclaimed,
+ (void*)(uintptr_t)id);
+ this->listener.mutex->unlock(this->listener.mutex);
+ if (!entry)
+ {
+ return enumerator_create_empty();
+ }
+ return enumerator_create_cleaner(
+ entry->addrs->create_enumerator(entry->addrs),
+ (void*)destroy_entry, entry);
+}
+
METHOD(eap_radius_provider_t, destroy, void,
private_eap_radius_provider_t *this)
{
@@ -523,6 +544,7 @@ eap_radius_provider_t *eap_radius_provider_create()
},
.add_framed_ip = _add_framed_ip,
.add_attribute = _add_attribute,
+ .clear_unclaimed = _clear_unclaimed,
.destroy = _destroy,
},
.listener = {
@@ -539,6 +561,14 @@ eap_radius_provider_t *eap_radius_provider_create()
},
);
+ if (lib->settings->get_bool(lib->settings,
+ "%s.plugins.eap-radius.accounting", FALSE, lib->ns))
+ {
+ /* if RADIUS accounting is enabled, keep unclaimed IPs around until
+ * the Accounting-Stop message is sent */
+ this->listener.public.message = NULL;
+ }
+
charon->bus->add_listener(charon->bus, &this->listener.public);
singleton = &this->public;
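Review bot: The comment at `this->listener.public.message = NULL` says unclaimed IPs are kept until the Accounting-Stop message is sent, but not what releases them when no Stop is ever sent for an IKE_SA. In the code visible here an entry leaves `listener.unclaimed` only through `clear_unclaimed()`, which is called from send_stop(); whether another listener hook still cleans up is not shown. Suggest extending the comment, e.g. `/* ... entries of IKE_SAs that never send a Stop are released by <hook> */`, with the actual hook filled in, so an address assigned by the RADIUS server is not retained by accident. eap_radius_provider_create() starts outside the hunk.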
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.h b/src/libcharon/plugins/eap_radius/eap_radius_provider.h
index 80971bddb..9f1121ca3 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_provider.h
+++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.h
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2013 Martin Willi
* Copyright (C) 2013 revosec AG
*
@@ -56,6 +59,14 @@ struct eap_radius_provider_t {
configuration_attribute_type_t type, chunk_t data);
/**
+ * Clears any unclaimed IP addresses and attributes for the given IKE_SA.
+ *
+ * @param id IKE_SA unique identifier
+ * @return enumerator over unclaimed IP addresses, if any
+ */
+ enumerator_t *(*clear_unclaimed)(eap_radius_provider_t *this, uint32_t id);
+
+ /**
* Destroy a eap_radius_provider_t.
*/
void (*destroy)(eap_radius_provider_t *this);
diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
index 34d6efc48..2553fd014 100644
--- a/src/libcharon/plugins/ha/ha_attribute.c
+++ b/src/libcharon/plugins/ha/ha_attribute.c
@@ -159,13 +159,13 @@ static pool_t* get_pool(private_ha_attribute_t *this, char *name)
}
/**
- * Check if we are responsible for a bit in our bitmask
+ * Check if we are responsible for an offset
*/
-static bool responsible_for(private_ha_attribute_t *this, int bit)
+static bool responsible_for(private_ha_attribute_t *this, int offset)
{
u_int segment;
- segment = this->kernel->get_segment_int(this->kernel, bit);
+ segment = offset % this->segments->count(this->segments) + 1;
return this->segments->is_active(this->segments, segment);
}
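Review bot: `offset % this->segments->count(this->segments) + 1` in responsible_for() divides by the segment count with no guard, so a count of 0 would be a division by zero in the address-acquire path. Whether the count is validated to be at least 1 when the segments object is created is not visible in this diff. If it is not, check it once, e.g. `u_int count = this->segments->count(this->segments); if (!count) { return FALSE; }`. Note also that `offset` is an int and is converted to unsigned for the modulo, which is correct only as long as callers never pass a negative offset.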
@@ -175,7 +175,7 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
{
enumerator_t *enumerator;
pool_t *pool = NULL;
- int offset = -1, byte, bit;
+ int offset = -1, tmp_offset, byte, bit;
host_t *address;
char *name;
@@ -199,10 +199,11 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
{
for (bit = 0; bit < 8; bit++)
{
+ tmp_offset = byte * 8 + bit;
if (!(pool->mask[byte] & 1 << bit) &&
- responsible_for(this, bit))
+ responsible_for(this, tmp_offset))
{
- offset = byte * 8 + bit;
+ offset = tmp_offset;
pool->mask[byte] |= 1 << bit;
break;
}
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index 4e3803892..ab845317f 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -138,6 +138,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
chunk_t dh_local = chunk_empty, dh_remote = chunk_empty, psk = chunk_empty;
host_t *other = NULL;
bool ok = FALSE;
+ auth_method_t method = AUTH_RSA;
enumerator = message->create_attribute_enumerator(message);
while (enumerator->enumerate(enumerator, &attribute, &value))
@@ -197,6 +198,8 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
case HA_ALG_DH:
dh_grp = value.u16;
break;
+ case HA_AUTH_METHOD:
+ method = value.u16;
default:
break;
}
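Review bot: The new `case HA_AUTH_METHOD:` has no `break;` and falls through into `default:`. It is harmless today because `default` only breaks, but the next attribute added after it would inherit the fall-through; add `break;` after `method = value.u16;`. The value is also taken from the HA sync message and assigned to an `auth_method_t` without a range check, so it may be worth rejecting values that are not a known IKEv1 authentication method before it is used for key derivation. process_ike_add() starts and ends outside the hunk.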
@@ -238,7 +241,6 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
{
keymat_v1_t *keymat_v1 = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
shared_key_t *shared = NULL;
- auth_method_t method = AUTH_RSA;
if (psk.len)
{
diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c
index 2854ab76d..aae402d50 100644
--- a/src/libcharon/plugins/ha/ha_ike.c
+++ b/src/libcharon/plugins/ha/ha_ike.c
@@ -73,7 +73,7 @@ static ike_extension_t copy_extension(ike_sa_t *ike_sa, ike_extension_t ext)
METHOD(listener_t, ike_keys, bool,
private_ha_ike_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey,
- shared_key_t *shared)
+ shared_key_t *shared, auth_method_t method)
{
ha_message_t *m;
chunk_t secret;
@@ -141,6 +141,10 @@ METHOD(listener_t, ike_keys, bool,
{
m->add_attribute(m, HA_PSK, shared->get_key(shared));
}
+ else
+ {
+ m->add_attribute(m, HA_AUTH_METHOD, method);
+ }
}
m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa));
diff --git a/src/libcharon/plugins/ha/ha_message.c b/src/libcharon/plugins/ha/ha_message.c
index 7891b1654..28b7b0d5b 100644
--- a/src/libcharon/plugins/ha/ha_message.c
+++ b/src/libcharon/plugins/ha/ha_message.c
@@ -240,6 +240,7 @@ METHOD(ha_message_t, add_attribute, void,
case HA_OUTBOUND_CPI:
case HA_SEGMENT:
case HA_ESN:
+ case HA_AUTH_METHOD:
{
uint16_t val;
@@ -463,6 +464,7 @@ METHOD(enumerator_t, attribute_enumerate, bool,
case HA_OUTBOUND_CPI:
case HA_SEGMENT:
case HA_ESN:
+ case HA_AUTH_METHOD:
{
if (this->buf.len < sizeof(uint16_t))
{
diff --git a/src/libcharon/plugins/ha/ha_message.h b/src/libcharon/plugins/ha/ha_message.h
index 3e43dc8dc..3c0058d99 100644
--- a/src/libcharon/plugins/ha/ha_message.h
+++ b/src/libcharon/plugins/ha/ha_message.h
@@ -156,6 +156,8 @@ enum ha_message_attribute_t {
HA_PSK,
/** chunk_t, IV for next IKEv1 message */
HA_IV,
+ /** uint16_t, auth_method_t for IKEv1 key derivation */
+ HA_AUTH_METHOD,
};
/**
diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
index 0a407f9ef..153534915 100644
--- a/src/libcharon/plugins/ha/ha_segments.c
+++ b/src/libcharon/plugins/ha/ha_segments.c
@@ -433,6 +433,12 @@ METHOD(ha_segments_t, is_active, bool,
return (this->active & SEGMENTS_BIT(segment)) != 0;
}
+METHOD(ha_segments_t, count, u_int,
+ private_ha_segments_t *this)
+{
+ return this->count;
+}
+
METHOD(ha_segments_t, destroy, void,
private_ha_segments_t *this)
{
@@ -459,6 +465,7 @@ ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel,
.deactivate = _deactivate,
.handle_status = _handle_status,
.is_active = _is_active,
+ .count = _count,
.destroy = _destroy,
},
.socket = socket,
diff --git a/src/libcharon/plugins/ha/ha_segments.h b/src/libcharon/plugins/ha/ha_segments.h
index 10d5812c6..bc96a8d3e 100644
--- a/src/libcharon/plugins/ha/ha_segments.h
+++ b/src/libcharon/plugins/ha/ha_segments.h
@@ -83,6 +83,13 @@ struct ha_segments_t {
bool (*is_active)(ha_segments_t *this, u_int segment);
/**
+ * Return the number of segments
+ *
+ * @return number of segments
+ */
+ u_int (*count)(ha_segments_t *this);
+
+ /**
* Destroy a ha_segments_t.
*/
void (*destroy)(ha_segments_t *this);
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 1292e0895..40fff7e05 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -2257,6 +2257,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
uint32_t replay_esn_len = 0;
kernel_ipsec_del_sa_t del = { 0 };
status_t status = FAILED;
+ traffic_selector_t *ts;
char markstr[32] = "";
/* if IPComp is used, we first update the IPComp SA */
@@ -2360,10 +2361,26 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
if (!id->src->ip_equals(id->src, data->new_src))
{
host2xfrm(data->new_src, &sa->saddr);
+
+ ts = selector2ts(&sa->sel, TRUE);
+ if (ts && ts->is_host(ts, id->src))
+ {
+ ts->set_address(ts, data->new_src);
+ ts2subnet(ts, &sa->sel.saddr, &sa->sel.prefixlen_s);
+ }
+ DESTROY_IF(ts);
}
if (!id->dst->ip_equals(id->dst, data->new_dst))
{
host2xfrm(data->new_dst, &sa->id.daddr);
+
+ ts = selector2ts(&sa->sel, FALSE);
+ if (ts && ts->is_host(ts, id->dst))
+ {
+ ts->set_address(ts, data->new_dst);
+ ts2subnet(ts, &sa->sel.daddr, &sa->sel.prefixlen_d);
+ }
+ DESTROY_IF(ts);
}
rta = XFRM_RTA(out_hdr, struct xfrm_usersa_info);
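Review bot: The two added blocks in update_sa() are identical except for the direction flag and the selector fields, and neither says why the selector is touched. A short comment above each `selector2ts()` call, such as `/* the selector referred to the old address only, move it to the new one */`, would explain the `is_host()` test (assuming it checks for a single-address selector equal to the given host). A small static helper taking the selector, the old and new host and the direction flag would remove the duplication. update_sa() starts and ends outside the hunk.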
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index dbe409a62..37170a310 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2017 Tobias Brunner
+ * Copyright (C) 2008-2018 Tobias Brunner
* Copyright (C) 2008 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
@@ -1287,20 +1287,27 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this,
return;
}
- index = response.x_policy->sadb_x_policy_id;
- this->mutex->lock(this->mutex);
- if (this->policies->find_first(this->policies, policy_entry_match_byindex,
- (void**)&policy, index) &&
- policy->used_by->get_first(policy->used_by, (void**)&sa) == SUCCESS)
+ if (response.x_sa2)
{
- reqid = sa->sa->cfg.reqid;
+ reqid = response.x_sa2->sadb_x_sa2_reqid;
}
else
{
- DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no "
- "matching policy found", index);
+ index = response.x_policy->sadb_x_policy_id;
+ this->mutex->lock(this->mutex);
+ if (this->policies->find_first(this->policies, policy_entry_match_byindex,
+ (void**)&policy, index) &&
+ policy->used_by->get_first(policy->used_by, (void**)&sa) == SUCCESS)
+ {
+ reqid = sa->sa->cfg.reqid;
+ }
+ else
+ {
+ DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no "
+ "matching policy found", index);
+ }
+ this->mutex->unlock(this->mutex);
}
- this->mutex->unlock(this->mutex);
src_ts = sadb_address2ts(response.src);
dst_ts = sadb_address2ts(response.dst);
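Review bot: The `else` branch reads `response.x_policy->sadb_x_policy_id` whenever `response.x_sa2` is absent, without checking that the policy extension was present in the message. A check may exist before the hunk (process_acquire() starts outside it), but if not, an SADB_ACQUIRE carrying neither extension dereferences NULL; `else if (response.x_policy)` with a DBG1 for the remaining case would cover it. When `x_sa2` is present its reqid is used as is, so a reqid of 0 there skips the policy lookup that could still have found one.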
diff --git a/src/libcharon/plugins/vici/libvici.h b/src/libcharon/plugins/vici/libvici.h
index d69597881..964752f53 100644
--- a/src/libcharon/plugins/vici/libvici.h
+++ b/src/libcharon/plugins/vici/libvici.h
@@ -86,6 +86,10 @@
#include <stdio.h>
+#ifdef __cplusplus
+extern "C" {
+#endif
+
/**
* Opaque vici connection contex.
*/
@@ -465,4 +469,8 @@ void vici_init();
*/
void vici_deinit();
+#ifdef __cplusplus
+}
+#endif
+
#endif /** LIBVICI_H_ @}*/
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 10c62dc89..ace7a4528 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -733,7 +733,7 @@ CALLBACK(parse_ts, bool,
if (host_create_from_range(buf, &lower, &upper))
{
type = (lower->get_family(lower) == AF_INET) ?
- TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
+ TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
ts = traffic_selector_create_from_bytes(proto, type,
lower->get_address(lower), from,
upper->get_address(upper), to);
@@ -2494,7 +2494,10 @@ CALLBACK(config_sn, bool,
if (peer.mediated_by)
{
cfg.mediated_by = peer.mediated_by;
- cfg.peer_id = peer.peer_id->clone(peer.peer_id);
+ if (peer.peer_id)
+ {
+ cfg.peer_id = peer.peer_id->clone(peer.peer_id);
+ }
}
#endif /* ME */
peer_cfg = peer_cfg_create(name, ike_cfg, &cfg);
diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c
index 998af0d3f..e2a7f6b20 100644
--- a/src/libcharon/processing/jobs/adopt_children_job.c
+++ b/src/libcharon/processing/jobs/adopt_children_job.c
@@ -53,6 +53,36 @@ METHOD(job_t, destroy, void,
free(this);
}
+METHOD(adopt_children_job_t, queue_task, void,
+ private_adopt_children_job_t *this, task_t *task)
+{
+ array_insert_create(&this->tasks, ARRAY_TAIL, task);
+}
+
+/**
+ * Adopt child-creating tasks from the given IKE_SA
+ */
+static u_int adopt_child_tasks(private_adopt_children_job_t *this,
+ ike_sa_t *ike_sa, task_queue_t queue)
+{
+ enumerator_t *tasks;
+ task_t *task;
+ u_int count = 0;
+
+ tasks = ike_sa->create_task_enumerator(ike_sa, queue);
+ while (tasks->enumerate(tasks, &task))
+ {
+ if (task->get_type(task) == TASK_QUICK_MODE)
+ {
+ ike_sa->remove_task(ike_sa, tasks);
+ queue_task(this, task);
+ count++;
+ }
+ }
+ tasks->destroy(tasks);
+ return count;
+}
+
METHOD(job_t, execute, job_requeue_t,
private_adopt_children_job_t *this)
{
@@ -65,6 +95,7 @@ METHOD(job_t, execute, job_requeue_t,
ike_sa_t *ike_sa;
child_sa_t *child_sa;
uint32_t unique;
+ u_int tasks = 0;
ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, this->id);
if (ike_sa)
@@ -127,11 +158,17 @@ METHOD(job_t, execute, job_requeue_t,
* it does trigger an assign_vips(FALSE) event, so we also
* trigger one below */
ike_sa->clear_virtual_ips(ike_sa, FALSE);
- if (children->get_count(children) || vips->get_count(vips))
+
+ tasks += adopt_child_tasks(this, ike_sa, TASK_QUEUE_ACTIVE);
+ tasks += adopt_child_tasks(this, ike_sa, TASK_QUEUE_QUEUED);
+
+ if (children->get_count(children) || tasks ||
+ vips->get_count(vips))
{
DBG1(DBG_IKE, "detected reauth of existing IKE_SA, "
- "adopting %d children and %d virtual IPs",
- children->get_count(children), vips->get_count(vips));
+ "adopting %d children, %d child tasks, and %d "
+ "virtual IPs", children->get_count(children),
+ tasks, vips->get_count(vips));
}
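Review bot: `tasks` is declared `u_int` but is printed with `%d` in the extended DBG1 format string; use `%u` for that argument, `"adopting %d children, %u child tasks, and %d "`. The condition `children->get_count(children) || tasks || vips->get_count(vips)` now appears twice, here and in the later hunk before `break;`, so a local bool computed once would keep the two in sync. execute() starts and ends outside the hunk.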
if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
{
@@ -152,7 +189,8 @@ METHOD(job_t, execute, job_requeue_t,
charon->ike_sa_manager->checkin(
charon->ike_sa_manager, ike_sa);
}
- if (children->get_count(children) || vips->get_count(vips))
+ if (children->get_count(children) || tasks ||
+ vips->get_count(vips))
{
break;
}
@@ -237,12 +275,6 @@ METHOD(job_t, get_priority, job_priority_t,
return JOB_PRIO_HIGH;
}
-METHOD(adopt_children_job_t, queue_task, void,
- private_adopt_children_job_t *this, task_t *task)
-{
- array_insert_create(&this->tasks, ARRAY_TAIL, task);
-}
-
/**
* See header
*/
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index c33398bee..bdc96a4bc 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -978,7 +978,7 @@ static void prepare_sa_cfg(private_child_sa_t *this, ipsec_sa_cfg_t *my_sa,
}
/**
- * Install inbound policie(s): in, fwd
+ * Install inbound policies: in, fwd
*/
static status_t install_policies_inbound(private_child_sa_t *this,
host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
@@ -1012,7 +1012,7 @@ static status_t install_policies_inbound(private_child_sa_t *this,
}
/**
- * Install outbound policie(s): out, [fwd]
+ * Install outbound policies: out, [fwd]
*/
static status_t install_policies_outbound(private_child_sa_t *this,
host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index a4ad866d3..3d576a0e8 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1996,8 +1996,7 @@ static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new,
/* adopt any active or queued CHILD-creating tasks */
if (status != DESTROY_ME)
{
- task_manager_t *other_tasks = ((private_ike_sa_t*)new)->task_manager;
- other_tasks->adopt_child_tasks(other_tasks, this->task_manager);
+ new->adopt_child_tasks(new, &this->public);
if (new->get_state(new) == IKE_CREATED)
{
status = new->initiate(new, NULL, 0, NULL, NULL);
@@ -2404,7 +2403,9 @@ METHOD(ike_sa_t, retransmit, status_t,
}
case IKE_DELETING:
DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
- if (has_condition(this, COND_REAUTHENTICATING))
+ if (has_condition(this, COND_REAUTHENTICATING) &&
+ !lib->settings->get_bool(lib->settings,
+ "%s.make_before_break", FALSE, lib->ns))
{
DBG1(DBG_IKE, "delete during reauthentication failed, "
"trying to reestablish IKE_SA anyway");
@@ -2719,6 +2720,12 @@ METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
return this->task_manager->create_task_enumerator(this->task_manager, queue);
}
+METHOD(ike_sa_t, remove_task, void,
+ private_ike_sa_t *this, enumerator_t *enumerator)
+{
+ return this->task_manager->remove_task(this->task_manager, enumerator);
+}
+
METHOD(ike_sa_t, flush_queue, void,
private_ike_sa_t *this, task_queue_t queue)
{
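Review bot: `remove_task` is declared `void` but its body is `return this->task_manager->remove_task(this->task_manager, enumerator);`. Returning an expression from a void function is not valid ISO C and is only accepted as a compiler extension. Drop the `return` so it reads like `queue_task_delayed` in the next hunk: `this->task_manager->remove_task(this->task_manager, enumerator);`.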
@@ -2737,6 +2744,36 @@ METHOD(ike_sa_t, queue_task_delayed, void,
this->task_manager->queue_task_delayed(this->task_manager, task, delay);
}
+/**
+ * Migrate and queue child-creating tasks from another IKE_SA
+ */
+static void migrate_child_tasks(private_ike_sa_t *this, ike_sa_t *other,
+ task_queue_t queue)
+{
+ enumerator_t *enumerator;
+ task_t *task;
+
+ enumerator = other->create_task_enumerator(other, queue);
+ while (enumerator->enumerate(enumerator, &task))
+ {
+ if (task->get_type(task) == TASK_CHILD_CREATE ||
+ task->get_type(task) == TASK_QUICK_MODE)
+ {
+ other->remove_task(other, enumerator);
+ task->migrate(task, &this->public);
+ queue_task(this, task);
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+METHOD(ike_sa_t, adopt_child_tasks, void,
+ private_ike_sa_t *this, ike_sa_t *other)
+{
+ migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE);
+ migrate_child_tasks(this, other, TASK_QUEUE_QUEUED);
+}
+
METHOD(ike_sa_t, inherit_pre, void,
private_ike_sa_t *this, ike_sa_t *other_public)
{
@@ -3052,9 +3089,11 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
.create_attribute_enumerator = _create_attribute_enumerator,
.set_kmaddress = _set_kmaddress,
.create_task_enumerator = _create_task_enumerator,
+ .remove_task = _remove_task,
.flush_queue = _flush_queue,
.queue_task = _queue_task,
.queue_task_delayed = _queue_task_delayed,
+ .adopt_child_tasks = _adopt_child_tasks,
#ifdef ME
.act_as_mediation_server = _act_as_mediation_server,
.get_server_reflexive_host = _get_server_reflexive_host,
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index c1d3e1d7a..be480eac8 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -1125,6 +1125,16 @@ struct ike_sa_t {
enumerator_t* (*create_task_enumerator)(ike_sa_t *this, task_queue_t queue);
/**
+ * Remove the task the given enumerator points to.
+ *
+ * @note This should be used with caution, in partciular, for tasks in the
+ * active and passive queues.
+ *
+ * @param enumerator enumerator created with the method above
+ */
+ void (*remove_task)(ike_sa_t *this, enumerator_t *enumerator);
+
+ /**
* Flush a task queue, cancelling all tasks in it.
*
* @param queue queue type to flush
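Review bot: The documentation of `remove_task` should state that the enumerator must come from `create_task_enumerator()` on the same IKE_SA. The IKEv1 implementation in task_manager_v1.c casts the argument to its private `task_enumerator_t` and reads `queue` and `inner` from it, so any other enumerator is a type confusion and not a no-op. Suggested wording: `@param enumerator enumerator returned by create_task_enumerator() of this IKE_SA, positioned on the task to remove`. The @note also has a typo, "partciular" for "particular".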
@@ -1148,6 +1158,13 @@ struct ike_sa_t {
void (*queue_task_delayed)(ike_sa_t *this, task_t *task, uint32_t delay);
/**
+ * Adopt child creating tasks from the given IKE_SA.
+ *
+ * @param other other IKE_SA to adopt tasks from
+ */
+ void (*adopt_child_tasks)(ike_sa_t *this, ike_sa_t *other);
+
+ /**
* Inherit required attributes to new SA before rekeying.
*
* Some properties of the SA must be applied before starting IKE_SA
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index c50c70860..3bac4b109 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1967,6 +1967,8 @@ static void adopt_children_and_vips(ike_sa_t *old, ike_sa_t *new)
}
enumerator->destroy(enumerator);
+ new->adopt_child_tasks(new, old);
+
enumerator = old->create_virtual_ip_enumerator(old, FALSE);
while (enumerator->enumerate(enumerator, &vip))
{
diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c
index b99d75142..ac2899f11 100644
--- a/src/libcharon/sa/ikev1/phase1.c
+++ b/src/libcharon/sa/ikev1/phase1.c
@@ -251,7 +251,8 @@ METHOD(phase1_t, derive_keys, bool,
return FALSE;
}
charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, this->dh_value,
- this->nonce_i, this->nonce_r, NULL, shared_key);
+ this->nonce_i, this->nonce_r, NULL, shared_key,
+ method);
DESTROY_IF(shared_key);
return TRUE;
}
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 5f6c3bbe8..f76471e78 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007-2016 Tobias Brunner
+ * Copyright (C) 2007-2018 Tobias Brunner
* Copyright (C) 2007-2011 Martin Willi
* HSR Hochschule fuer Technik Rapperswil
*
@@ -544,20 +544,20 @@ METHOD(task_manager_t, initiate, status_t,
new_mid = TRUE;
break;
}
- if (!mode_config_expected(this) &&
- activate_task(this, TASK_QUICK_MODE))
+ if (activate_task(this, TASK_ISAKMP_DPD))
{
- exchange = QUICK_MODE;
+ exchange = INFORMATIONAL_V1;
new_mid = TRUE;
break;
}
- if (activate_task(this, TASK_INFORMATIONAL))
+ if (!mode_config_expected(this) &&
+ activate_task(this, TASK_QUICK_MODE))
{
- exchange = INFORMATIONAL_V1;
+ exchange = QUICK_MODE;
new_mid = TRUE;
break;
}
- if (activate_task(this, TASK_ISAKMP_DPD))
+ if (activate_task(this, TASK_INFORMATIONAL))
{
exchange = INFORMATIONAL_V1;
new_mid = TRUE;
@@ -1121,7 +1121,15 @@ static status_t process_request(private_task_manager_t *this,
}
}
else
- { /* We don't send a response, so don't retransmit one if we get
+ {
+ if (this->responding.retransmitted > 1)
+ {
+ packet_t *packet = NULL;
+ array_get(this->responding.packets, 0, &packet);
+ charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_CLEARED,
+ packet);
+ }
+ /* We don't send a response, so don't retransmit one if we get
* the same message again. */
clear_packets(this->responding.packets);
}
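Review bot: The `array_get()` result is ignored in the added block, so `packet` stays NULL if `this->responding.packets` is empty and the alert is still raised with a NULL packet. Whether listeners of `ALERT_RETRANSMIT_SEND_CLEARED` tolerate that is not visible here. Guarding the call, `if (array_get(this->responding.packets, 0, &packet))` around the `alert()` line, avoids handing them a NULL pointer. process_request() starts and ends outside the hunk.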
@@ -1883,39 +1891,6 @@ METHOD(task_manager_t, adopt_tasks, void,
}
}
-/**
- * Migrates child-creating tasks from src to dst
- */
-static void migrate_child_tasks(private_task_manager_t *this,
- linked_list_t *src, linked_list_t *dst)
-{
- enumerator_t *enumerator;
- task_t *task;
-
- enumerator = src->create_enumerator(src);
- while (enumerator->enumerate(enumerator, &task))
- {
- if (task->get_type(task) == TASK_QUICK_MODE)
- {
- src->remove_at(src, enumerator);
- task->migrate(task, this->ike_sa);
- dst->insert_last(dst, task);
- }
- }
- enumerator->destroy(enumerator);
-}
-
-METHOD(task_manager_t, adopt_child_tasks, void,
- private_task_manager_t *this, task_manager_t *other_public)
-{
- private_task_manager_t *other = (private_task_manager_t*)other_public;
-
- /* move active child tasks from other to this */
- migrate_child_tasks(this, other->active_tasks, this->queued_tasks);
- /* do the same for queued tasks */
- migrate_child_tasks(this, other->queued_tasks, this->queued_tasks);
-}
-
METHOD(task_manager_t, busy, bool,
private_task_manager_t *this)
{
@@ -1976,19 +1951,86 @@ METHOD(task_manager_t, reset, void,
}
}
+/**
+ * Data for a task queue enumerator
+ */
+typedef struct {
+ enumerator_t public;
+ task_queue_t queue;
+ enumerator_t *inner;
+} task_enumerator_t;
+
+METHOD(enumerator_t, task_enumerator_destroy, void,
+ task_enumerator_t *this)
+{
+ this->inner->destroy(this->inner);
+ free(this);
+}
+
+METHOD(enumerator_t, task_enumerator_enumerate, bool,
+ task_enumerator_t *this, va_list args)
+{
+ task_t **task;
+
+ VA_ARGS_VGET(args, task);
+ return this->inner->enumerate(this->inner, task);
+}
+
METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
private_task_manager_t *this, task_queue_t queue)
{
+ task_enumerator_t *enumerator;
+
+ INIT(enumerator,
+ .public = {
+ .enumerate = enumerator_enumerate_default,
+ .venumerate = _task_enumerator_enumerate,
+ .destroy = _task_enumerator_destroy,
+ },
+ .queue = queue,
+ );
switch (queue)
{
case TASK_QUEUE_ACTIVE:
- return this->active_tasks->create_enumerator(this->active_tasks);
+ enumerator->inner = this->active_tasks->create_enumerator(
+ this->active_tasks);
+ break;
+ case TASK_QUEUE_PASSIVE:
+ enumerator->inner = this->passive_tasks->create_enumerator(
+ this->passive_tasks);
+ break;
+ case TASK_QUEUE_QUEUED:
+ enumerator->inner = this->queued_tasks->create_enumerator(
+ this->queued_tasks);
+ break;
+ default:
+ enumerator->inner = enumerator_create_empty();
+ break;
+ }
+ return &enumerator->public;
+}
+
+METHOD(task_manager_t, remove_task, void,
+ private_task_manager_t *this, enumerator_t *enumerator_public)
+{
+ task_enumerator_t *enumerator = (task_enumerator_t*)enumerator_public;
+
+ switch (enumerator->queue)
+ {
+ case TASK_QUEUE_ACTIVE:
+ this->active_tasks->remove_at(this->active_tasks,
+ enumerator->inner);
+ break;
case TASK_QUEUE_PASSIVE:
- return this->passive_tasks->create_enumerator(this->passive_tasks);
+ this->passive_tasks->remove_at(this->passive_tasks,
+ enumerator->inner);
+ break;
case TASK_QUEUE_QUEUED:
- return this->queued_tasks->create_enumerator(this->queued_tasks);
+ this->queued_tasks->remove_at(this->queued_tasks,
+ enumerator->inner);
+ break;
default:
- return enumerator_create_empty();
+ break;
}
}
@@ -2039,9 +2081,9 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
.get_mid = _get_mid,
.reset = _reset,
.adopt_tasks = _adopt_tasks,
- .adopt_child_tasks = _adopt_child_tasks,
.busy = _busy,
.create_task_enumerator = _create_task_enumerator,
+ .remove_task = _remove_task,
.flush = _flush,
.flush_queue = _flush_queue,
.destroy = _destroy,
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c b/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c
index 7dbbdc92f..b652d926f 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c
@@ -287,7 +287,6 @@ METHOD(task_t, process_i, status_t,
default:
return FAILED;
}
- break;
}
case AGGRESSIVE:
{
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
index 58f856e3f..566bfe83a 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
@@ -605,7 +605,6 @@ METHOD(task_t, process_i, status_t,
default:
return FAILED;
}
- break;
}
case AGGRESSIVE:
{
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 007e94d96..b0a42b8bd 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -1110,14 +1110,17 @@ METHOD(task_t, process_r, status_t,
this->tsi = select_ts(this, FALSE, tsi);
this->tsr = select_ts(this, TRUE, tsr);
}
- tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
- tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
if (!this->config || !this->tsi || !this->tsr ||
this->mode != this->config->get_mode(this->config))
{
- DBG1(DBG_IKE, "no matching CHILD_SA config found");
+ DBG1(DBG_IKE, "no matching CHILD_SA config found for "
+ "%#R === %#R", tsi, tsr);
+ tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
+ tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
return send_notify(this, INVALID_ID_INFORMATION);
}
+ tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
+ tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
if (this->config->has_option(this->config, OPT_IPCOMP))
{
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 1fcef03cc..97d33a89e 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -111,6 +111,40 @@ static bool build_signature_auth_data(chunk_t *auth_data,
}
/**
+ * Check if the given scheme is supported by the key and, if so, add it to the
+ * first array (we add the scheme supported by the key in case the parameters
+ * are different)
+ */
+static void add_scheme_if_supported(array_t *selected, array_t *supported,
+ signature_params_t *config)
+{
+ signature_params_t *sup;
+ int i;
+
+ if (!supported)
+ {
+ array_insert(selected, ARRAY_TAIL, signature_params_clone(config));
+ return;
+ }
+
+ for (i = 0; i < array_count(supported); i++)
+ {
+ array_get(supported, i, &sup);
+ if (signature_params_comply(sup, config))
+ {
+ array_insert(selected, ARRAY_TAIL, signature_params_clone(sup));
+ return;
+ }
+ }
+}
+
+CALLBACK(destroy_scheme, void,
+ signature_params_t *params, int idx, void *user)
+{
+ signature_params_destroy(params);
+}
+
+/**
* Selects possible signature schemes based on our configuration, the other
* peer's capabilities and the private key
*/
@@ -123,10 +157,32 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
auth_rule_t rule;
key_type_t key_type;
bool have_config = FALSE;
- array_t *selected;
+ array_t *supported = NULL, *selected;
selected = array_create(0, 0);
key_type = private->get_type(private);
+
+ if (private->supported_signature_schemes)
+ {
+ enumerator = private->supported_signature_schemes(private);
+ while (enumerator->enumerate(enumerator, &config))
+ {
+ if (keymat->hash_algorithm_supported(keymat,
+ hasher_from_signature_scheme(config->scheme,
+ config->params)))
+ {
+ array_insert_create(&supported, ARRAY_TAIL,
+ signature_params_clone(config));
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (!supported)
+ {
+ return selected;
+ }
+ }
+
enumerator = auth->create_enumerator(auth);
while (enumerator->enumerate(enumerator, &rule, &config))
{
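Review bot: When the private key advertises its own schemes but none passes `keymat->hash_algorithm_supported()`, the function returns the empty `selected` array at `if (!supported) { return selected; }` without logging anything. What the caller prints for an empty result is not visible in this hunk, so an operator may only see a generic authentication failure. A line such as `DBG1(DBG_IKE, "no signature scheme supported by the private key is usable with this peer");` before the return would make the cause clear. select_signature_schemes() starts and ends outside the hunk.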
@@ -134,21 +190,32 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
{
continue;
}
- have_config = TRUE;
if (key_type == key_type_from_signature_scheme(config->scheme) &&
keymat->hash_algorithm_supported(keymat,
hasher_from_signature_scheme(config->scheme,
config->params)))
{
- array_insert(selected, ARRAY_TAIL, signature_params_clone(config));
+ add_scheme_if_supported(selected, supported, config);
}
+ have_config = TRUE;
}
enumerator->destroy(enumerator);
- if (!have_config)
+ if (have_config)
{
- /* if no specific configuration, find schemes appropriate for the key
- * and supported by the other peer */
+ array_destroy_function(supported, destroy_scheme, NULL);
+ }
+ else
+ {
+ /* if we have no config, return either whatever schemes the key (and
+ * peer) support or.. */
+ if (supported)
+ {
+ array_destroy(selected);
+ return supported;
+ }
+
+ /* ...find schemes appropriate for the key and supported by the peer */
enumerator = signature_schemes_for_key(key_type,
private->get_keysize(private));
while (enumerator->enumerate(enumerator, &config))
@@ -207,12 +274,6 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
return selected;
}
-CALLBACK(destroy_scheme, void,
- signature_params_t *params, int idx, void *user)
-{
- signature_params_destroy(params);
-}
-
/**
* Adds the given auth data to the message, either in an AUTH payload or
* a NO_PPK_AUTH notify.
@@ -310,9 +371,9 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
if (params->scheme == SIGN_RSA_EMSA_PSS)
{
rsa_pss_params_t *pss = params->params;
- DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N_%N %s", id,
- signature_scheme_names, params->scheme,
- hash_algorithm_short_names_upper, pss->hash,
+ DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N_%N_SALT_%zd "
+ "%s", id, signature_scheme_names, params->scheme,
+ hash_algorithm_short_names_upper, pss->hash, pss->salt_len,
status == SUCCESS ? "successful" : "failed");
}
else
@@ -586,9 +647,9 @@ METHOD(authenticator_t, process, status_t,
else if (params->scheme == SIGN_RSA_EMSA_PSS)
{
rsa_pss_params_t *pss = params->params;
- DBG1(DBG_IKE, "authentication of '%Y' with %N_%N successful",
- id, signature_scheme_names, params->scheme,
- hash_algorithm_short_names_upper, pss->hash);
+ DBG1(DBG_IKE, "authentication of '%Y' with %N_%N_SALT_%zd "
+ "successful", id, signature_scheme_names, params->scheme,
+ hash_algorithm_short_names_upper, pss->hash, pss->salt_len);
}
else
{
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 910c77a2d..e9142d79b 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1459,6 +1459,59 @@ static bool looks_like_mid_sync(private_task_manager_t *this, message_t *msg,
}
/**
+ * Check whether we should reject the given request message
+ */
+static inline bool reject_request(private_task_manager_t *this,
+ message_t *msg)
+{
+ ike_sa_state_t state;
+ exchange_type_t type;
+ ike_sa_id_t *ike_sa_id;
+ bool reject = FALSE;
+
+ state = this->ike_sa->get_state(this->ike_sa);
+ type = msg->get_exchange_type(msg);
+
+ /* reject initial messages if not received in specific states */
+ switch (type)
+ {
+ case IKE_SA_INIT:
+ reject = state != IKE_CREATED;
+ break;
+ case IKE_AUTH:
+ reject = state != IKE_CONNECTING;
+ break;
+ default:
+ break;
+ }
+
+ if (!reject)
+ {
+ switch (state)
+ {
+ /* after rekeying we only expect a DELETE in an INFORMATIONAL */
+ case IKE_REKEYED:
+ reject = type != INFORMATIONAL;
+ break;
+ /* also reject requests for half-open IKE_SAs as initiator */
+ case IKE_CREATED:
+ case IKE_CONNECTING:
+ ike_sa_id = this->ike_sa->get_id(this->ike_sa);
+ reject = ike_sa_id->is_initiator(ike_sa_id);
+ break;
+ default:
+ break;
+ }
+ }
+
+ if (reject)
+ {
+ DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N", exchange_type_names,
+ type, ike_sa_state_names, state);
+ }
+ return reject;
+}
+/**
* Check if a message with message ID 0 looks like it is used to synchronize
* the message IDs and we are prepared to process it.
*
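Review bot: The header comment on `reject_request` does not say what a TRUE result means for the caller, or that the function has already logged the rejection. A line such as `@return TRUE if the request must be ignored (already logged)` would make the contract explicit. It would also help to state why the second switch drops every request on a half-open IKE_SA that we initiated, presumably because no request from the peer is expected before the SA is established. That rule is new in this commit and easy to overlook next to the older state checks.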
@@ -1483,8 +1536,6 @@ METHOD(task_manager_t, process_message, status_t,
status_t status;
uint32_t mid;
bool schedule_delete_job = FALSE;
- ike_sa_state_t state;
- exchange_type_t type;
charon->bus->message(charon->bus, msg, TRUE, FALSE);
status = parse_message(this, msg);
@@ -1517,24 +1568,14 @@ METHOD(task_manager_t, process_message, status_t,
/* add a timeout if peer does not establish it completely */
schedule_delete_job = TRUE;
}
- this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
- time_monotonic(NULL));
mid = msg->get_message_id(msg);
if (msg->get_request(msg))
{
if (mid == this->responding.mid || (mid == 0 && is_mid_sync(this, msg)))
{
- /* reject initial messages if not received in specific states,
- * after rekeying we only expect a DELETE in an INFORMATIONAL */
- type = msg->get_exchange_type(msg);
- state = this->ike_sa->get_state(this->ike_sa);
- if ((type == IKE_SA_INIT && state != IKE_CREATED) ||
- (type == IKE_AUTH && state != IKE_CONNECTING) ||
- (state == IKE_REKEYED && type != INFORMATIONAL))
+ if (reject_request(this, msg))
{
- DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
- exchange_type_names, type, ike_sa_state_names, state);
return FAILED;
}
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
@@ -1544,6 +1585,11 @@ METHOD(task_manager_t, process_message, status_t,
status = handle_fragment(this, &this->responding.defrag, msg);
if (status != SUCCESS)
{
+ if (status == NEED_MORE)
+ {
+ this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
+ time_monotonic(NULL));
+ }
return status;
}
charon->bus->message(charon->bus, msg, TRUE, TRUE);
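Review bot: The two-line call `this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, time_monotonic(NULL))` is now pasted at six places in `process_message`, across this hunk and the four that follow. A later branch could easily miss it, or update the timestamp for a message that was not actually accepted. A small static helper, e.g. `static void update_inbound_stat(private_task_manager_t *this)`, called from each site would keep the rule for what counts as inbound activity in one place. If this statistic feeds liveness decisions, a one-line comment on the helper saying that only accepted requests, responses, retransmits and fragments may refresh it would record the intent of moving the call. The body of `process_message` starts and ends outside these hunks.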
@@ -1554,6 +1600,8 @@ METHOD(task_manager_t, process_message, status_t,
switch (process_request(this, msg))
{
case SUCCESS:
+ this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
+ time_monotonic(NULL));
this->responding.mid++;
break;
case NEED_MORE:
@@ -1570,10 +1618,17 @@ METHOD(task_manager_t, process_message, status_t,
status = handle_fragment(this, &this->responding.defrag, msg);
if (status != SUCCESS)
{
+ if (status == NEED_MORE)
+ {
+ this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
+ time_monotonic(NULL));
+ }
return status;
}
DBG1(DBG_IKE, "received retransmit of request with ID %d, "
"retransmitting response", mid);
+ this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
+ time_monotonic(NULL));
charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
send_packets(this, this->responding.packets,
msg->get_destination(msg), msg->get_source(msg));
@@ -1603,6 +1658,11 @@ METHOD(task_manager_t, process_message, status_t,
status = handle_fragment(this, &this->initiating.defrag, msg);
if (status != SUCCESS)
{
+ if (status == NEED_MORE)
+ {
+ this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
+ time_monotonic(NULL));
+ }
return status;
}
charon->bus->message(charon->bus, msg, TRUE, TRUE);
@@ -1615,6 +1675,8 @@ METHOD(task_manager_t, process_message, status_t,
flush(this);
return DESTROY_ME;
}
+ this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
+ time_monotonic(NULL));
}
else
{
@@ -2014,61 +2076,6 @@ METHOD(task_manager_t, adopt_tasks, void,
}
}
-/**
- * Migrates child-creating tasks from other to this
- */
-static void migrate_child_tasks(private_task_manager_t *this,
- private_task_manager_t *other,
- task_queue_t queue)
-{
- enumerator_t *enumerator;
- array_t *array;
- task_t *task;
-
- switch (queue)
- {
- case TASK_QUEUE_ACTIVE:
- array = other->active_tasks;
- break;
- case TASK_QUEUE_QUEUED:
- array = other->queued_tasks;
- break;
- default:
- return;
- }
-
- enumerator = array_create_enumerator(array);
- while (enumerator->enumerate(enumerator, &task))
- {
- queued_task_t *queued = NULL;
-
- if (queue == TASK_QUEUE_QUEUED)
- {
- queued = (queued_task_t*)task;
- task = queued->task;
- }
- if (task->get_type(task) == TASK_CHILD_CREATE)
- {
- array_remove_at(array, enumerator);
- task->migrate(task, this->ike_sa);
- queue_task(this, task);
- free(queued);
- }
- }
- enumerator->destroy(enumerator);
-}
-
-METHOD(task_manager_t, adopt_child_tasks, void,
- private_task_manager_t *this, task_manager_t *other_public)
-{
- private_task_manager_t *other = (private_task_manager_t*)other_public;
-
- /* move active child tasks from other to this */
- migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE);
- /* do the same for queued tasks */
- migrate_child_tasks(this, other, TASK_QUEUE_QUEUED);
-}
-
METHOD(task_manager_t, busy, bool,
private_task_manager_t *this)
{
@@ -2124,17 +2131,39 @@ METHOD(task_manager_t, reset, void,
this->reset = TRUE;
}
-CALLBACK(filter_queued, bool,
- void *unused, enumerator_t *orig, va_list args)
-{
+/**
+ * Data for a task queue enumerator
+ */
+typedef struct {
+ enumerator_t public;
+ task_queue_t queue;
+ enumerator_t *inner;
queued_task_t *queued;
+} task_enumerator_t;
+
+METHOD(enumerator_t, task_enumerator_destroy, void,
+ task_enumerator_t *this)
+{
+ this->inner->destroy(this->inner);
+ free(this);
+}
+
+METHOD(enumerator_t, task_enumerator_enumerate, bool,
+ task_enumerator_t *this, va_list args)
+{
task_t **task;
VA_ARGS_VGET(args, task);
-
- if (orig->enumerate(orig, &queued))
+ if (this->queue == TASK_QUEUE_QUEUED)
+ {
+ if (this->inner->enumerate(this->inner, &this->queued))
+ {
+ *task = this->queued->task;
+ return TRUE;
+ }
+ }
+ else if (this->inner->enumerate(this->inner, task))
{
- *task = queued->task;
return TRUE;
}
return FALSE;
@@ -2143,18 +2172,54 @@ CALLBACK(filter_queued, bool,
METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
private_task_manager_t *this, task_queue_t queue)
{
+ task_enumerator_t *enumerator;
+
+ INIT(enumerator,
+ .public = {
+ .enumerate = enumerator_enumerate_default,
+ .venumerate = _task_enumerator_enumerate,
+ .destroy = _task_enumerator_destroy,
+ },
+ .queue = queue,
+ );
switch (queue)
{
case TASK_QUEUE_ACTIVE:
- return array_create_enumerator(this->active_tasks);
+ enumerator->inner = array_create_enumerator(this->active_tasks);
+ break;
case TASK_QUEUE_PASSIVE:
- return array_create_enumerator(this->passive_tasks);
+ enumerator->inner = array_create_enumerator(this->passive_tasks);
+ break;
case TASK_QUEUE_QUEUED:
- return enumerator_create_filter(
- array_create_enumerator(this->queued_tasks),
- filter_queued, NULL, NULL);
+ enumerator->inner = array_create_enumerator(this->queued_tasks);
+ break;
default:
- return enumerator_create_empty();
+ enumerator->inner = enumerator_create_empty();
+ break;
+ }
+ return &enumerator->public;
+}
+
+METHOD(task_manager_t, remove_task, void,
+ private_task_manager_t *this, enumerator_t *enumerator_public)
+{
+ task_enumerator_t *enumerator = (task_enumerator_t*)enumerator_public;
+
+ switch (enumerator->queue)
+ {
+ case TASK_QUEUE_ACTIVE:
+ array_remove_at(this->active_tasks, enumerator->inner);
+ break;
+ case TASK_QUEUE_PASSIVE:
+ array_remove_at(this->passive_tasks, enumerator->inner);
+ break;
+ case TASK_QUEUE_QUEUED:
+ array_remove_at(this->queued_tasks, enumerator->inner);
+ free(enumerator->queued);
+ enumerator->queued = NULL;
+ break;
+ default:
+ break;
}
}
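Review bot: In `remove_task` the `TASK_QUEUE_QUEUED` case removes the array entry even when `enumerator->queued` is NULL, i.e. before the first successful `enumerate()` or on a second call for the same position. Depending on how `array_remove_at` treats the enumerator position (not visible here), that can unlink a `queued_task_t` that is then never freed. Wrapping the `array_remove_at`/`free` pair in `if (enumerator->queued)` keeps removal and release in step. The cast from `enumerator_t*` to `task_enumerator_t*` also assumes the enumerator was created by this manager's `create_task_enumerator`; a comment stating that precondition would help.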
@@ -2204,9 +2269,9 @@ task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
.get_mid = _get_mid,
.reset = _reset,
.adopt_tasks = _adopt_tasks,
- .adopt_child_tasks = _adopt_child_tasks,
.busy = _busy,
.create_task_enumerator = _create_task_enumerator,
+ .remove_task = _remove_task,
.flush = _flush,
.flush_queue = _flush_queue,
.destroy = _destroy,
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
index 6c8b29018..0e3711898 100644
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -174,6 +174,11 @@ static void install_outbound(private_child_delete_t *this,
linked_list_t *my_ts, *other_ts;
status_t status;
+ if (!spi)
+ {
+ return;
+ }
+
child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
spi, FALSE);
if (!child_sa)
@@ -312,7 +317,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
child_sa_t *child_sa;
child_cfg_t *child_cfg;
protocol_id_t protocol;
- uint32_t spi, reqid, rekey_spi;
+ uint32_t spi, reqid;
action_t action;
status_t status = SUCCESS;
time_t now, expire;
@@ -335,11 +340,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
}
else
{
- rekey_spi = child_sa->get_rekey_spi(child_sa);
- if (rekey_spi)
- {
- install_outbound(this, protocol, rekey_spi);
- }
+ install_outbound(this, protocol, child_sa->get_rekey_spi(child_sa));
/* for rekeyed CHILD_SAs we uninstall the outbound SA but don't
* immediately destroy it, by default, so we can process delayed
* packets */
@@ -459,6 +460,17 @@ METHOD(task_t, build_i, status_t,
this->spi = child_sa->get_spi(child_sa, TRUE);
}
+ if (this->expired && child_sa->get_state(child_sa) == CHILD_REKEYED)
+ { /* the peer was expected to delete this SA, but if we send a DELETE
+ * we might cause a collision there if the CREATE_CHILD_SA response
+ * is delayed (the peer wouldn't know if we deleted this SA due to an
+ * expire or because of a forced delete by the user and might then
+ * ignore the CREATE_CHILD_SA response once it arrives) */
+ child_sa->set_state(child_sa, CHILD_DELETED);
+ install_outbound(this, this->protocol,
+ child_sa->get_rekey_spi(child_sa));
+ }
+
if (child_sa->get_state(child_sa) == CHILD_DELETED)
{ /* DELETEs for this CHILD_SA were already exchanged, but it was not yet
* destroyed to allow delayed packets to get processed */
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 307d99264..b570904e2 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -773,7 +773,7 @@ static bool derive_keys(private_ike_init_t *this,
return FALSE;
}
charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, chunk_empty,
- nonce_i, nonce_r, this->old_sa, NULL);
+ nonce_i, nonce_r, this->old_sa, NULL, AUTH_NONE);
return TRUE;
}
@@ -890,6 +890,20 @@ METHOD(task_t, pre_process_i, status_t,
switch (type)
{
+ case COOKIE:
+ {
+ chunk_t cookie;
+
+ cookie = notify->get_notification_data(notify);
+ if (chunk_equals(cookie, this->cookie))
+ {
+ DBG1(DBG_IKE, "ignore response with duplicate COOKIE "
+ "notify");
+ enumerator->destroy(enumerator);
+ return FAILED;
+ }
+ break;
+ }
case REDIRECT:
{
identification_t *gateway;
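Review bot: The new `COOKIE` case has no comment explaining why a repeated cookie makes the whole response fail, and the reason is not obvious from `chunk_equals(cookie, this->cookie)` alone. A line such as `/* same cookie as in our last request: a duplicate or delayed response, ignore it instead of restarting again */` would record the intent. I am inferring that intent from the log message, so please confirm it. `pre_process_i` starts and ends outside this hunk, so where `this->cookie` is set and whether the number of distinct COOKIE responses is bounded cannot be checked from here.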
diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h
index 9545da4f3..c357d5035 100644
--- a/src/libcharon/sa/task_manager.h
+++ b/src/libcharon/sa/task_manager.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013-2016 Tobias Brunner
+ * Copyright (C) 2013-2018 Tobias Brunner
* Copyright (C) 2006 Martin Willi
* HSR Hochschule fuer Technik Rapperswil
*
@@ -228,13 +228,6 @@ struct task_manager_t {
void (*adopt_tasks) (task_manager_t *this, task_manager_t *other);
/**
- * Migrate all active or queued CHILD_SA-creating tasks from other to this.
- *
- * @param other manager which gives away its tasks
- */
- void (*adopt_child_tasks) (task_manager_t *this, task_manager_t *other);
-
- /**
* Increment a message ID counter, in- or outbound.
*
* If a message is processed outside of the manager, this call increments
@@ -285,6 +278,16 @@ struct task_manager_t {
task_queue_t queue);
/**
+ * Remove the task the given enumerator points to.
+ *
+ * @note This should be used with caution, in partciular, for tasks in the
+ * active and passive queues.
+ *
+ * @param enumerator enumerator created with the method above
+ */
+ void (*remove_task)(task_manager_t *this, enumerator_t *enumerator);
+
+ /**
* Flush all tasks, regardless of the queue.
*/
void (*flush)(task_manager_t *this);
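Review bot: The doc comment for `remove_task` does not say who owns the task after removal, and `partciular` in the `@note` is a typo for `particular`. The implementation in task_manager_v2.c only unlinks the entry (and frees the queue wrapper for queued tasks), so the caller appears to take over the `task_t`. Say so, e.g. `The task is not destroyed, the caller takes ownership of it.` It is also worth stating that the enumerator must currently point at an element, meaning `enumerate()` returned TRUE and `remove_task` has not yet been called for that element.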
diff --git a/src/libcharon/tests/suites/test_child_rekey.c b/src/libcharon/tests/suites/test_child_rekey.c
index 51d577cd8..b9f6ea0bc 100644
--- a/src/libcharon/tests/suites/test_child_rekey.c
+++ b/src/libcharon/tests/suites/test_child_rekey.c
@@ -370,8 +370,8 @@ END_TEST
/**
* Check that the responder handles hard expires properly while waiting for the
- * delete after a rekeying (e.g. if the initiator of the rekeying fails to
- * delete the CHILD_SA for some reason).
+ * delete after a rekeying (e.g. if the rekey settings are tight or the
+ * CREATE_CHILD_SA response is delayed).
*/
START_TEST(test_regular_responder_handle_hard_expire)
{
@@ -405,28 +405,22 @@ START_TEST(test_regular_responder_handle_hard_expire)
/* we don't expect this to get called anymore */
assert_hook_not_called(child_rekey);
- /* this is similar to a regular delete collision */
- assert_single_payload(OUT, PLV2_DELETE);
+ /* this is similar to a regular delete collision, but we don't actually
+ * want to send a delete back as that might conflict with a delayed
+ * CREATE_CHILD_SA response */
call_ikesa(b, delete_child_sa, PROTO_ESP, 2, TRUE);
- assert_child_sa_state(b, 2, CHILD_DELETING, CHILD_OUTBOUND_INSTALLED);
- assert_child_sa_state(b, 4, CHILD_INSTALLED, CHILD_OUTBOUND_REGISTERED);
- /* since the SAs expired they would not actually be installed in the kernel
- * anymore and since we have not yet installed a new outbound SA this
- * will result in dropped packets and possibly acquires */
- assert_ipsec_sas_installed(b, 1, 2, 4);
+ assert_child_sa_count(b, 1);
+ assert_child_sa_state(b, 4, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED);
+ /* the expire causes the outbound SA to get installed */
+ assert_ipsec_sas_installed(b, 3, 4);
/* INFORMATIONAL { D } --> */
+ assert_no_jobs_scheduled();
assert_single_payload(IN, PLV2_DELETE);
exchange_test_helper->process_message(exchange_test_helper, b, NULL);
- assert_child_sa_state(b, 2, CHILD_DELETING, CHILD_OUTBOUND_INSTALLED);
- assert_child_sa_state(b, 4, CHILD_INSTALLED, CHILD_OUTBOUND_REGISTERED);
- assert_ipsec_sas_installed(b, 1, 2, 4);
- /* <-- INFORMATIONAL { D } */
- assert_single_payload(IN, PLV2_DELETE);
- exchange_test_helper->process_message(exchange_test_helper, a, NULL);
- assert_child_sa_state(a, 1, CHILD_DELETING, CHILD_OUTBOUND_INSTALLED);
- assert_child_sa_state(a, 3, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED);
- assert_ipsec_sas_installed(a, 1, 2, 3, 4);
+ assert_child_sa_state(b, 4, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED);
+ assert_ipsec_sas_installed(b, 3, 4);
+ assert_scheduler();
/* <-- INFORMATIONAL { } */
assert_jobs_scheduled(1);
assert_message_empty(IN);
@@ -436,23 +430,11 @@ START_TEST(test_regular_responder_handle_hard_expire)
assert_child_sa_count(a, 2);
assert_ipsec_sas_installed(a, 1, 3, 4);
assert_scheduler();
- /* INFORMATIONAL { } --> */
- assert_jobs_scheduled(1);
- assert_message_empty(IN);
- exchange_test_helper->process_message(exchange_test_helper, b, NULL);
- assert_child_sa_state(b, 2, CHILD_DELETED, CHILD_OUTBOUND_NONE);
- assert_child_sa_state(b, 4, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED);
- assert_child_sa_count(b, 2);
- assert_ipsec_sas_installed(b, 2, 3, 4);
- assert_scheduler();
- /* simulate the execution of the scheduled jobs */
+ /* simulate the execution of the scheduled job */
destroy_rekeyed(a, 1);
assert_child_sa_count(a, 1);
assert_ipsec_sas_installed(a, 3, 4);
- destroy_rekeyed(b, 2);
- assert_child_sa_count(b, 1);
- assert_ipsec_sas_installed(b, 3, 4);
/* child_rekey/child_updown */
assert_hook();
diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql
index 5d5283620..3f8b4c957 100644
--- a/src/libimcv/imv/data.sql
+++ b/src/libimcv/imv/data.sql
@@ -574,6 +574,24 @@ INSERT INTO products ( /* 96 */
'Ubuntu 18.04 x86_64'
);
+INSERT INTO products ( /* 97 */
+ name
+) VALUES (
+ 'Debian 9.5 i686'
+);
+
+INSERT INTO products ( /* 98 */
+ name
+) VALUES (
+ 'Debian 9.5 x86_64'
+);
+
+INSERT INTO products ( /* 99 */
+ name
+) VALUES (
+ 'Debian 9.6 x86_64'
+);
+
/* Directories */
INSERT INTO directories ( /* 1 */
@@ -671,7 +689,7 @@ INSERT INTO files ( /* 1 */
INSERT INTO files ( /* 2 */
name, dir
) VALUES (
- 'libcrypto.so.1.0.0', 11
+ 'libcrypto.so.1.1', 11
);
INSERT INTO files ( /* 3 */
@@ -683,7 +701,7 @@ INSERT INTO files ( /* 3 */
INSERT INTO files ( /* 4 */
name, dir
) VALUES (
- 'libssl.so.1.0.0', 11
+ 'libssl.so.1.1', 11
);
INSERT INTO files ( /* 5 */
@@ -1147,6 +1165,12 @@ INSERT INTO groups_product_defaults (
INSERT INTO groups_product_defaults (
group_id, product_id
) VALUES (
+ 4, 97
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
5, 2
);
@@ -1267,6 +1291,18 @@ INSERT INTO groups_product_defaults (
INSERT INTO groups_product_defaults (
group_id, product_id
) VALUES (
+ 5, 98
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 5, 99
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
6, 9
);
@@ -1665,13 +1701,13 @@ INSERT INTO policies ( /* 11 */
INSERT INTO policies ( /* 12 */
type, name, file, rec_fail, rec_noresult
) VALUES (
- 6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+ 6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1', 2, 2, 2
);
INSERT INTO policies ( /* 13 */
type, name, file, rec_fail, rec_noresult
) VALUES (
- 6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+ 6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.1', 4, 2, 2
);
INSERT INTO policies ( /* 14 */
diff --git a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-1.swidtag b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-2.swidtag
index 6ca455dac..77f00e036 100644
--- a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-1.swidtag
+++ b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-2.swidtag
@@ -1,8 +1,8 @@
<?xml version="1.0" encoding="utf-8"?>
<SoftwareIdentity
name="strongSwan"
- tagId="strongSwan-5-7-1"
- version="5.7.1" versionScheme="alphanumeric"
+ tagId="strongSwan-5-7-2"
+ version="5.7.2" versionScheme="alphanumeric"
xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd">
<Entity
name="strongSwan Project"
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c b/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c
index 89ba86930..51bcdc410 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c
@@ -249,8 +249,6 @@ static TNC_Result receive_msg(private_imv_attestation_agent_t *this,
os_name.len, os_name.ptr);
}
break;
-
- break;
}
case IETF_ATTR_STRING_VERSION:
{
diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c
index 265a4a09a..f86f13dcc 100644
--- a/src/libpttls/pt_tls_client.c
+++ b/src/libpttls/pt_tls_client.c
@@ -231,7 +231,6 @@ static status_t do_sasl(private_pt_tls_client_t *this, sasl_mechanism_t *sasl)
reader->destroy(reader);
return FAILED;
}
- break;
case PT_TLS_SASL_RESULT_MECH_FAILURE:
case PT_TLS_SASL_RESULT_FAILURE:
/* non-fatal failure, try again */
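Review bot: With the `break` removed, the case above is kept apart from `PT_TLS_SASL_RESULT_MECH_FAILURE` only by every branch of the preceding block returning. That block starts outside the hunk, so this cannot be confirmed here. If any branch does not return, control now falls into the non-fatal "try again" path. A marker such as `/* not reached, all branches above return */` in place of the removed line would make the intent explicit and guard against a later edit adding a non-returning branch.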
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 278c67405..b04627e63 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -551,6 +551,7 @@ static signature_params_t *create_rsa_pss_constraint(char *token)
.scheme = SIGN_RSA_EMSA_PSS,
.params = &pss,
};
+ rsa_pss_params_set_salt_len(&pss, 0);
params = signature_params_clone(&pss_params);
}
return params;
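Review bot: The result of `rsa_pss_params_set_salt_len(&pss, 0)` is discarded, so a failure leaves `pss.salt_len` at its negative placeholder and that value is cloned into the constraint. The same commit makes `compare_params` compare `salt_len` directly in strict mode and makes `rsa_pss_params_build` reject negative lengths. An unresolved constraint would therefore silently never match, or fail to encode, with no log entry pointing at the cause. Check the return value instead: `if (rsa_pss_params_set_salt_len(&pss, 0)) { params = signature_params_clone(&pss_params); }`. The function begins outside this hunk, so the initial value of `salt_len` is assumed to be one of the special constants.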
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index 0239ee17e..61dfbbcad 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -73,6 +73,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
"BUILD_SAFE_PRIMES",
"BUILD_SHARES",
"BUILD_THRESHOLD",
+ "BUILD_EDDSA_PUB",
"BUILD_EDDSA_PRIV_ASN1_DER",
"BUILD_END",
);
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 7928ef487..b283bd166 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -156,6 +156,8 @@ enum builder_part_t {
BUILD_SHARES,
/** minimum number of participating private key shares */
BUILD_THRESHOLD,
+ /** EdDSA public key blob */
+ BUILD_EDDSA_PUB,
/** DER encoded ASN.1 EdDSA private key */
BUILD_EDDSA_PRIV_ASN1_DER,
/** end of variable argument builder list */
diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h
index d7cfdd74d..5cf8641ad 100644
--- a/src/libstrongswan/credentials/keys/private_key.h
+++ b/src/libstrongswan/credentials/keys/private_key.h
@@ -40,6 +40,19 @@ struct private_key_t {
key_type_t (*get_type)(private_key_t *this);
/**
+ * Get signature schemes supported by this key.
+ *
+ * This is useful for keys that only support certain hash algorithms or
+ * require specific parameters for RSA/PSS signatures.
+ *
+ * @note Implementing this method is optional. If multiple schemes are
+ * returned, they should be ordered by decreasing preference.
+ *
+ * @return enumerator over signature_params_t*
+ */
+ enumerator_t *(*supported_signature_schemes)(private_key_t *this);
+
+ /**
* Create a signature over a chunk of data.
*
* @param scheme signature scheme to use
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index 89fa9b348..3ef6981f6 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -250,7 +250,7 @@ int signature_scheme_to_oid(signature_scheme_t scheme)
#define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \
.hash = HASH_SHA##bits, \
.mgf1_hash = HASH_SHA##bits, \
- .salt_len = RSA_PSS_SALT_LEN_DEFAULT, \
+ .salt_len = HASH_SIZE_SHA##bits, \
}
PSS_PARAMS(256);
diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c
index 8f42fb940..d89bd2c96 100644
--- a/src/libstrongswan/credentials/keys/signature_params.c
+++ b/src/libstrongswan/credentials/keys/signature_params.c
@@ -18,22 +18,43 @@
#include <asn1/oid.h>
#include <asn1/asn1_parser.h>
-/**
- * Determine the salt length in case it is not configured
+/*
+ * Described in header
*/
-static ssize_t rsa_pss_salt_length(rsa_pss_params_t *pss)
+bool rsa_pss_params_set_salt_len(rsa_pss_params_t *params, size_t modbits)
{
- ssize_t salt_len = pss->salt_len;
+ size_t hash_len;
- if (salt_len <= RSA_PSS_SALT_LEN_DEFAULT)
+ if (params->salt_len < 0)
{
- salt_len = hasher_hash_size(pss->hash);
- if (!salt_len)
+ hash_len = hasher_hash_size(params->hash);
+ if (!hash_len)
+ {
+ return FALSE;
+ }
+
+ switch (params->salt_len)
{
- return -1;
+ case RSA_PSS_SALT_LEN_DEFAULT:
+ params->salt_len = hash_len;
+ break;
+ case RSA_PSS_SALT_LEN_MAX:
+ if (modbits)
+ {
+ /* emBits = modBits - 1 */
+ modbits -= 1;
+ /* emLen = ceil(emBits/8) */
+ modbits = (modbits+7) / BITS_PER_BYTE;
+ /* account for 0x01 separator in DB, 0xbc trailing byte */
+ params->salt_len = max(0, (ssize_t)(modbits - hash_len - 2));
+ break;
+ }
+ return FALSE;
+ default:
+ return FALSE;
}
}
- return salt_len;
+ return TRUE;
}
/**
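Review bot: In the `RSA_PSS_SALT_LEN_MAX` branch, `modbits - hash_len - 2` is computed in `size_t`, so for a modulus shorter than the hash plus two bytes it wraps. The clamp to zero then only works through the implementation-defined conversion to `ssize_t`. Comparing first avoids relying on that: `params->salt_len = modbits > hash_len + 2 ? modbits - hash_len - 2 : 0;`. Separately, a key that is too small for the chosen hash yields a zero-length salt and TRUE here. Returning FALSE may be the clearer signal, since the PSS encoding cannot succeed for such a key anyway.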
@@ -68,8 +89,7 @@ static bool compare_params(signature_params_t *a, signature_params_t *b,
return pss_a->hash == pss_b->hash &&
pss_a->mgf1_hash == pss_b->mgf1_hash &&
- (!strict ||
- rsa_pss_salt_length(pss_a) == rsa_pss_salt_length(pss_b));
+ (!strict || pss_a->salt_len == pss_b->salt_len);
}
default:
break;
@@ -328,7 +348,6 @@ end:
bool rsa_pss_params_build(rsa_pss_params_t *params, chunk_t *asn1)
{
chunk_t hash = chunk_empty, mgf = chunk_empty, slen = chunk_empty;
- ssize_t salt_len;
int alg;
if (params->hash != HASH_SHA1)
@@ -351,16 +370,15 @@ bool rsa_pss_params_build(rsa_pss_params_t *params, chunk_t *asn1)
mgf = asn1_algorithmIdentifier_params(OID_MGF1,
asn1_algorithmIdentifier(alg));
}
- salt_len = rsa_pss_salt_length(params);
- if (salt_len < 0)
+ if (params->salt_len < 0)
{
chunk_free(&hash);
chunk_free(&mgf);
return FALSE;
}
- else if (salt_len != HASH_SIZE_SHA1)
+ else if (params->salt_len != HASH_SIZE_SHA1)
{
- slen = asn1_integer("m", asn1_integer_from_uint64(salt_len));
+ slen = asn1_integer("m", asn1_integer_from_uint64(params->salt_len));
}
*asn1 = asn1_wrap(ASN1_SEQUENCE, "mmm",
hash.len ? asn1_wrap(ASN1_CONTEXT_C_0, "m", hash) : chunk_empty,
diff --git a/src/libstrongswan/credentials/keys/signature_params.h b/src/libstrongswan/credentials/keys/signature_params.h
index 6934c5e88..b4169a829 100644
--- a/src/libstrongswan/credentials/keys/signature_params.h
+++ b/src/libstrongswan/credentials/keys/signature_params.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2017 Tobias Brunner
+ * Copyright (C) 2017-2018 Tobias Brunner
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -100,11 +100,15 @@ struct rsa_pss_params_t {
hash_algorithm_t hash;
/** Hash for the MGF1 function */
hash_algorithm_t mgf1_hash;
- /** Salt length, use RSA_PSS_SALT_LEN_DEFAULT for length equal to hash */
+ /** Salt length, use the constants below for special lengths resolved
+ * via rsa_pss_params_set_salt_len() */
ssize_t salt_len;
/** Salt value, for unit tests (not all implementations support this) */
chunk_t salt;
+/** Use a salt length equal to the length of the hash */
#define RSA_PSS_SALT_LEN_DEFAULT -1
+/** Use the maximum salt length depending on the hash and key length */
+#define RSA_PSS_SALT_LEN_MAX -2
};
/**
@@ -126,4 +130,15 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params);
*/
bool rsa_pss_params_build(rsa_pss_params_t *params, chunk_t *asn1);
+/**
+ * Determine and set the salt length for the given params in case constants
+ * are used
+ *
+ * @param params parameters to update
+ * @param modbits RSA modulus length in bits (required if RSA_PSS_SALT_LEN_MAX
+ * is used)
+ * @return salt length to use, negative on error
+ */
+bool rsa_pss_params_set_salt_len(rsa_pss_params_t *params, size_t modbits);
+
#endif /** SIGNATURE_PARAMS_H_ @}*/
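Review bot: The `@return` line for `rsa_pss_params_set_salt_len` says "salt length to use, negative on error", but the declaration returns `bool` and the implementation returns TRUE/FALSE while writing the length into `params->salt_len`. A caller following the comment would test for `< 0` and never notice a failure. Suggested wording: `@return TRUE if salt_len is set to a concrete length, FALSE if it could not be determined`.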
diff --git a/src/libstrongswan/crypto/mac.h b/src/libstrongswan/crypto/mac.h
index 50dc4c73a..97cb7e352 100644
--- a/src/libstrongswan/crypto/mac.h
+++ b/src/libstrongswan/crypto/mac.h
@@ -39,12 +39,12 @@ struct mac_t {
*
* If out is NULL, no result is given back. A next call will
* append the data to already supplied data. If out is not NULL,
- * the mac of all apended data is calculated, written to out and the
+ * the MAC of all appended data is calculated, written to out and the
* internal state is reset.
*
* @param data chunk of data to authenticate
* @param out pointer where the generated bytes will be written
- * @return TRUE if mac generated successfully
+ * @return TRUE if MAC generated successfully
*/
bool (*get_mac)(mac_t *this, chunk_t data,
uint8_t *out) __attribute__((warn_unused_result));
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
index cad94aa82..a078d3b30 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
@@ -1,4 +1,4 @@
-/* C code produced by gperf version 3.0.4 */
+/* ANSI-C code produced by gperf version 3.1 */
/* Command-line: /usr/bin/gperf -N proposal_get_token_static -m 10 -C -G -c -t -D */
/* Computed positions: -k'1,5-7,10,15,$' */
@@ -26,7 +26,7 @@
&& ('w' == 119) && ('x' == 120) && ('y' == 121) && ('z' == 122) \
&& ('{' == 123) && ('|' == 124) && ('}' == 125) && ('~' == 126))
/* The character set is not based on ISO-646. */
-error "gperf generated tables don't work with this execution character set. Please report a bug to <bug-gnu-gperf@gnu.org>."
+#error "gperf generated tables don't work with this execution character set. Please report a bug to <bug-gperf@gnu.org>."
#endif
@@ -74,9 +74,7 @@ inline
#endif
#endif
static unsigned int
-hash (str, len)
- register const char *str;
- register unsigned int len;
+hash (register const char *str, register size_t len)
{
static const unsigned char asso_values[] =
{
@@ -107,7 +105,7 @@ hash (str, len)
251, 251, 251, 251, 251, 251, 251, 251, 251, 251,
251, 251, 251, 251, 251, 251, 251
};
- register int hval = len;
+ register unsigned int hval = len;
switch (hval)
{
@@ -320,22 +318,14 @@ static const short lookup[] =
143
};
-#ifdef __GNUC__
-__inline
-#if defined __GNUC_STDC_INLINE__ || defined __GNUC_GNU_INLINE__
-__attribute__ ((__gnu_inline__))
-#endif
-#endif
const struct proposal_token *
-proposal_get_token_static (str, len)
- register const char *str;
- register unsigned int len;
+proposal_get_token_static (register const char *str, register size_t len)
{
if (len <= MAX_WORD_LENGTH && len >= MIN_WORD_LENGTH)
{
- register int key = hash (str, len);
+ register unsigned int key = hash (str, len);
- if (key <= MAX_HASH_VALUE && key >= 0)
+ if (key <= MAX_HASH_VALUE)
{
register int index = lookup[key];
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.h b/src/libstrongswan/crypto/proposal/proposal_keywords_static.h
index 1345f36bb..a0beec0bb 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.h
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.h
@@ -19,7 +19,7 @@
#include "proposal_keywords.h"
const proposal_token_t* proposal_get_token_static(register const char *str,
- register unsigned len);
+ register size_t len);
#endif /* PROPOSAL_KEYWORDS_STATIC_H_ */
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index 77c29916c..db87affc9 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -82,6 +82,14 @@ enum agent_msg_type_t {
};
/**
+ * Flags for signatures
+ */
+enum agent_signature_flags_t {
+ SSH_AGENT_FLAG_SHA2_256 = 2,
+ SSH_AGENT_FLAG_SHA2_512 = 4,
+};
+
+/**
* read a byte from a blob
*/
static u_char read_byte(chunk_t *blob)
@@ -217,12 +225,35 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
}
static bool scheme_supported(private_agent_private_key_t *this,
- signature_scheme_t scheme)
+ signature_scheme_t scheme, uint32_t *flags,
+ char **prefix)
{
switch (this->pubkey->get_type(this->pubkey))
{
case KEY_RSA:
- return scheme == SIGN_RSA_EMSA_PKCS1_SHA1;
+ switch (scheme)
+ {
+ case SIGN_RSA_EMSA_PKCS1_SHA1:
+ *prefix = "ssh-rsa";
+ return TRUE;
+ case SIGN_RSA_EMSA_PKCS1_SHA2_256:
+ *flags |= SSH_AGENT_FLAG_SHA2_256;
+ *prefix = "rsa-sha2-256";
+ return TRUE;
+ case SIGN_RSA_EMSA_PKCS1_SHA2_512:
+ *flags |= SSH_AGENT_FLAG_SHA2_512;
+ *prefix = "rsa-sha2-512";
+ return TRUE;
+ default:
+ break;
+ }
+ return FALSE;
+ case KEY_ED25519:
+ *prefix = "ssh-ed25519";
+ return scheme == SIGN_ED25519;
+ case KEY_ED448:
+ *prefix = "ssh-ed448";
+ return scheme == SIGN_ED448;
case KEY_ECDSA:
return scheme == SIGN_ECDSA_256 ||
scheme == SIGN_ECDSA_384 ||
@@ -236,11 +267,12 @@ METHOD(private_key_t, sign, bool,
private_agent_private_key_t *this, signature_scheme_t scheme, void *params,
chunk_t data, chunk_t *signature)
{
- uint32_t len, flags;
- char buf[2048];
+ key_type_t type;
+ uint32_t len, flags = 0;
+ char buf[2048], *prefix = NULL;
chunk_t blob;
- if (!scheme_supported(this, scheme))
+ if (!scheme_supported(this, scheme, &flags, &prefix))
{
DBG1(DBG_LIB, "signature scheme %N not supported by ssh-agent",
signature_scheme_names, scheme);
@@ -272,7 +304,7 @@ METHOD(private_key_t, sign, bool,
return FALSE;
}
- flags = htonl(0);
+ flags = htonl(flags);
if (write(this->socket, &flags, sizeof(flags)) != sizeof(flags))
{
DBG1(DBG_LIB, "writing to ssh-agent failed");
@@ -290,9 +322,15 @@ METHOD(private_key_t, sign, bool,
}
/* parse length */
blob = read_string(&blob);
- /* check sig type */
- if (chunk_equals(read_string(&blob), chunk_from_str("ssh-rsa")))
- { /* for RSA the signature has no special encoding */
+ /* verify type */
+ if (prefix && !chunk_equals(read_string(&blob), chunk_from_str(prefix)))
+ {
+ DBG1(DBG_LIB, "ssh-agent didn't return requested %s signature", prefix);
+ return FALSE;
+ }
+ type = this->pubkey->get_type(this->pubkey);
+ if (type == KEY_RSA || type == KEY_ED25519 || type == KEY_ED448)
+ { /* for RSA/EdDSA, the signature has no special encoding */
blob = read_string(&blob);
if (blob.len)
{
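Review bot: The new type check `if (prefix && !chunk_equals(read_string(&blob), chunk_from_str(prefix)))` only calls `read_string()` when `prefix` is set, and the `KEY_ECDSA` case of `scheme_supported()` leaves `prefix` as NULL. The removed code always consumed the signature type string before reading the signature, so for ECDSA keys the `else` branch now appears to start parsing at the type string rather than at the r/s blob, and the type returned by the agent is never compared. Reading the type unconditionally keeps the parser aligned: `sig_type = read_string(&blob);` followed by `if (prefix && !chunk_equals(sig_type, chunk_from_str(prefix)))`, with a `chunk_t sig_type` local. Setting an expected prefix for ECDSA as well would let the response be checked for every key type. The body of `sign` starts and ends outside this hunk.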
@@ -301,7 +339,7 @@ METHOD(private_key_t, sign, bool,
}
}
else
- { /* anything else is treated as ECSDA for now */
+ { /* parse ECDSA signatures */
blob = read_string(&blob);
if (blob.len)
{
@@ -340,6 +378,80 @@ METHOD(private_key_t, get_keysize, int,
return this->pubkey->get_keysize(this->pubkey);
}
+/**
+ * Private data for RSA scheme enumerator
+ */
+typedef struct {
+ enumerator_t public;
+ int index;
+ bool reverse;
+} scheme_enumerator_t;
+
+static signature_params_t rsa_schemes[] = {
+ { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 },
+ { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 },
+};
+
+METHOD(enumerator_t, enumerate_rsa_scheme, bool,
+ scheme_enumerator_t *this, va_list args)
+{
+ signature_params_t **params;
+
+ VA_ARGS_VGET(args, params);
+
+ if ((this->reverse && --this->index >= 0) ||
+ (!this->reverse && ++this->index < countof(rsa_schemes)))
+ {
+ *params = &rsa_schemes[this->index];
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * Create an enumerator for the supported RSA signature schemes
+ */
+static enumerator_t *create_rsa_enumerator(private_agent_private_key_t *this)
+{
+ scheme_enumerator_t *enumerator;
+
+ INIT(enumerator,
+ .public = {
+ .enumerate = enumerator_enumerate_default,
+ .venumerate = _enumerate_rsa_scheme,
+ .destroy = (void*)free,
+ },
+ .index = -1,
+ .reverse = FALSE,
+ );
+ /* propose SHA-512 first for larger keys */
+ if (get_keysize(this) > 3072)
+ {
+ enumerator->index = countof(rsa_schemes);
+ enumerator->reverse = TRUE;
+ }
+ return &enumerator->public;
+}
+
+METHOD(private_key_t, supported_signature_schemes, enumerator_t*,
+ private_agent_private_key_t *this)
+{
+ key_type_t type = get_type(this);
+
+ switch (type)
+ {
+ case KEY_RSA:
+ return create_rsa_enumerator(this);
+ case KEY_ED25519:
+ case KEY_ED448:
+ case KEY_ECDSA:
+ return signature_schemes_for_key(type, get_keysize(this));
+ default:
+ break;
+ }
+ return enumerator_create_empty();
+}
+
METHOD(private_key_t, get_public_key, public_key_t*,
private_agent_private_key_t *this)
{
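Review bot: `rsa_schemes` advertises only the SHA-256 and SHA-512 schemes, while `scheme_supported()` in the same file still accepts `SIGN_RSA_EMSA_PKCS1_SHA1`, and nothing in the hunk says that this asymmetry is intended. If SHA-1 is deliberately kept for explicit requests but not offered, a comment on the array should state that, for example `/* schemes offered for RSA keys; SHA-1 is still accepted by scheme_supported() but not advertised */`. `enumerate_rsa_scheme` also has no doc comment; one line saying it walks `rsa_schemes` forward, or backward when `reverse` is set, would make the `index = -1` / `index = countof(rsa_schemes)` start values easier to follow.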
@@ -413,6 +525,7 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
.public = {
.key = {
.get_type = _get_type,
+ .supported_signature_schemes = _supported_signature_schemes,
.sign = _sign,
.decrypt = _decrypt,
.get_keysize = _get_keysize,
diff --git a/src/libstrongswan/plugins/botan/Makefile.am b/src/libstrongswan/plugins/botan/Makefile.am
index c1160145a..30d3e601c 100644
--- a/src/libstrongswan/plugins/botan/Makefile.am
+++ b/src/libstrongswan/plugins/botan/Makefile.am
@@ -23,9 +23,11 @@ libstrongswan_botan_la_SOURCES = \
botan_ec_diffie_hellman.h botan_ec_diffie_hellman.c \
botan_ec_public_key.h botan_ec_public_key.c \
botan_ec_private_key.h botan_ec_private_key.c \
+ botan_ed_public_key.h botan_ed_public_key.c \
+ botan_ed_private_key.h botan_ed_private_key.c \
botan_util.h botan_util.c \
botan_util_keys.h botan_util_keys.c \
- botan_gcm.h botan_gcm.c \
+ botan_aead.h botan_aead.c \
botan_x25519.h botan_x25519.c
libstrongswan_botan_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/botan/Makefile.in b/src/libstrongswan/plugins/botan/Makefile.in
index ef9f88610..3bb3e22f4 100644
--- a/src/libstrongswan/plugins/botan/Makefile.in
+++ b/src/libstrongswan/plugins/botan/Makefile.in
@@ -142,8 +142,9 @@ am_libstrongswan_botan_la_OBJECTS = botan_plugin.lo botan_rng.lo \
botan_hasher.lo botan_hmac.lo botan_crypter.lo \
botan_rsa_public_key.lo botan_rsa_private_key.lo \
botan_diffie_hellman.lo botan_ec_diffie_hellman.lo \
- botan_ec_public_key.lo botan_ec_private_key.lo botan_util.lo \
- botan_util_keys.lo botan_gcm.lo botan_x25519.lo
+ botan_ec_public_key.lo botan_ec_private_key.lo \
+ botan_ed_public_key.lo botan_ed_private_key.lo botan_util.lo \
+ botan_util_keys.lo botan_aead.lo botan_x25519.lo
libstrongswan_botan_la_OBJECTS = $(am_libstrongswan_botan_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -478,9 +479,11 @@ libstrongswan_botan_la_SOURCES = \
botan_ec_diffie_hellman.h botan_ec_diffie_hellman.c \
botan_ec_public_key.h botan_ec_public_key.c \
botan_ec_private_key.h botan_ec_private_key.c \
+ botan_ed_public_key.h botan_ed_public_key.c \
+ botan_ed_private_key.h botan_ed_private_key.c \
botan_util.h botan_util.c \
botan_util_keys.h botan_util_keys.c \
- botan_gcm.h botan_gcm.c \
+ botan_aead.h botan_aead.c \
botan_x25519.h botan_x25519.c
libstrongswan_botan_la_LDFLAGS = -module -avoid-version
@@ -574,12 +577,14 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_aead.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_crypter.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_diffie_hellman.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_ec_diffie_hellman.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_ec_private_key.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_ec_public_key.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_gcm.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_ed_private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_ed_public_key.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_hasher.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_hmac.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_plugin.Plo@am__quote@
diff --git a/src/libstrongswan/plugins/botan/botan_gcm.c b/src/libstrongswan/plugins/botan/botan_aead.c
index 7e0fc1468..40006ae77 100644
--- a/src/libstrongswan/plugins/botan/botan_gcm.c
+++ b/src/libstrongswan/plugins/botan/botan_aead.c
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2018 Atanas Filyanov
* Rohde & Schwarz Cybersecurity GmbH
*
@@ -21,23 +24,28 @@
* THE SOFTWARE.
*/
-#include "botan_gcm.h"
+#include "botan_aead.h"
#include <botan/build.h>
-#ifdef BOTAN_HAS_AES
-#ifdef BOTAN_HAS_AEAD_GCM
+#if (defined(BOTAN_HAS_AES) && \
+ (defined(BOTAN_HAS_AEAD_GCM) || defined(BOTAN_HAS_AEAD_CCM))) || \
+ defined(BOTAN_HAS_AEAD_CHACHA20_POLY1305)
#include <crypto/iv/iv_gen_seq.h>
#include <botan/ffi.h>
/**
- * as defined in RFC 4106
+ * As defined in RFC 4106 (GCM) and RFC 7634 (ChaPoly)
*/
-#define IV_LEN 8
-#define SALT_LEN 4
-#define NONCE_LEN (IV_LEN + SALT_LEN)
+#define IV_LEN 8
+#define SALT_LEN 4
+#define CHAPOLY_KEY_LEN 32
+/**
+ * As defined in RFC 4309
+ */
+#define CCM_SALT_LEN 3
typedef struct private_aead_t private_aead_t;
@@ -56,7 +64,7 @@ struct private_aead_t {
/**
* Salt value
*/
- char salt[SALT_LEN];
+ chunk_t salt;
/**
* Size of the integrity check value
@@ -77,15 +85,12 @@ struct private_aead_t {
/**
* Do the actual en/decryption
*/
-static bool crypt(private_aead_t *this, chunk_t data, chunk_t assoc, chunk_t iv,
- u_char *out, uint32_t init_flag)
+static bool do_crypt(private_aead_t *this, chunk_t data, chunk_t assoc,
+ chunk_t iv, u_char *out, uint32_t init_flag)
{
botan_cipher_t cipher;
- uint8_t nonce[NONCE_LEN];
size_t output_written = 0, input_consumed = 0;
-
- memcpy(nonce, this->salt, SALT_LEN);
- memcpy(nonce + SALT_LEN, iv.ptr, IV_LEN);
+ chunk_t nonce;
if (botan_cipher_init(&cipher, this->cipher_name, init_flag))
{
@@ -105,7 +110,9 @@ static bool crypt(private_aead_t *this, chunk_t data, chunk_t assoc, chunk_t iv,
return FALSE;
}
- if (botan_cipher_start(cipher, nonce, NONCE_LEN))
+ nonce = chunk_cata("cc", this->salt, iv);
+
+ if (botan_cipher_start(cipher, nonce.ptr, nonce.len))
{
botan_cipher_destroy(cipher);
return FALSE;
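Review bot: The nonce built by `chunk_cata("cc", this->salt, iv)` takes its length from `iv.len`, where the removed code always used exactly `IV_LEN` bytes, and nothing visible in `do_crypt` checks the IV length. A caller passing a shorter or longer IV would then get a nonce of a non-standard size, which some AEAD modes may accept silently. Unless `encrypt`/`decrypt` already validate this outside the hunk, a guard at the top of `do_crypt`, before `botan_cipher_init`, would keep the RFC layout fixed: `if (iv.len != IV_LEN) { return FALSE; }`. The body of `do_crypt` begins and continues outside this hunk.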
@@ -149,7 +156,8 @@ METHOD(aead_t, encrypt, bool,
*encrypted = chunk_alloc(plain.len + this->icv_size);
out = encrypted->ptr;
}
- return crypt(this, plain, assoc, iv, out, BOTAN_CIPHER_INIT_FLAG_ENCRYPT);
+ return do_crypt(this, plain, assoc, iv, out,
+ BOTAN_CIPHER_INIT_FLAG_ENCRYPT);
}
METHOD(aead_t, decrypt, bool,
@@ -170,8 +178,8 @@ METHOD(aead_t, decrypt, bool,
*plain = chunk_alloc(encrypted.len);
out = plain->ptr;
}
- return crypt(this, encrypted, assoc, iv, out,
- BOTAN_CIPHER_INIT_FLAG_DECRYPT);
+ return do_crypt(this, encrypted, assoc, iv, out,
+ BOTAN_CIPHER_INIT_FLAG_DECRYPT);
}
METHOD(aead_t, get_block_size, size_t,
@@ -201,7 +209,7 @@ METHOD(aead_t, get_iv_gen, iv_gen_t*,
METHOD(aead_t, get_key_size, size_t,
private_aead_t *this)
{
- return this->key.len + SALT_LEN;
+ return this->key.len + this->salt.len;
}
METHOD(aead_t, set_key, bool,
@@ -211,7 +219,7 @@ METHOD(aead_t, set_key, bool,
{
return FALSE;
}
- memcpy(this->salt, key.ptr + key.len - SALT_LEN, SALT_LEN);
+ memcpy(this->salt.ptr, key.ptr + key.len - this->salt.len, this->salt.len);
memcpy(this->key.ptr, key.ptr, this->key.len);
return TRUE;
}
@@ -220,15 +228,82 @@ METHOD(aead_t, destroy, void,
private_aead_t *this)
{
chunk_clear(&this->key);
+ chunk_clear(&this->salt);
this->iv_gen->destroy(this->iv_gen);
free(this);
}
+#ifdef BOTAN_HAS_AES
+#if defined(BOTAN_HAS_AEAD_GCM) || defined(BOTAN_HAS_AEAD_GCM)
+
+static struct {
+ encryption_algorithm_t algo;
+ size_t key_size;
+ char *name;
+ size_t icv_size;
+} aes_modes[] = {
+ { ENCR_AES_GCM_ICV8, 16, "AES-128/GCM(8)", 8 },
+ { ENCR_AES_GCM_ICV8, 24, "AES-192/GCM(8)", 8 },
+ { ENCR_AES_GCM_ICV8, 32, "AES-256/GCM(8)", 8 },
+ { ENCR_AES_GCM_ICV12, 16, "AES-128/GCM(12)", 12 },
+ { ENCR_AES_GCM_ICV12, 24, "AES-192/GCM(12)", 12 },
+ { ENCR_AES_GCM_ICV12, 32, "AES-256/GCM(12)", 12 },
+ { ENCR_AES_GCM_ICV16, 16, "AES-128/GCM(16)", 16 },
+ { ENCR_AES_GCM_ICV16, 24, "AES-192/GCM(16)", 16 },
+ { ENCR_AES_GCM_ICV16, 32, "AES-256/GCM(16)", 16 },
+ { ENCR_AES_CCM_ICV8, 16, "AES-128/CCM(8,4)", 8 },
+ { ENCR_AES_CCM_ICV8, 24, "AES-192/CCM(8,4)", 8 },
+ { ENCR_AES_CCM_ICV8, 32, "AES-256/CCM(8,4)", 8 },
+ { ENCR_AES_CCM_ICV12, 16, "AES-128/CCM(12,4)", 12 },
+ { ENCR_AES_CCM_ICV12, 24, "AES-192/CCM(12,4)", 12 },
+ { ENCR_AES_CCM_ICV12, 32, "AES-256/CCM(12,4)", 12 },
+ { ENCR_AES_CCM_ICV16, 16, "AES-128/CCM(16,4)", 16 },
+ { ENCR_AES_CCM_ICV16, 24, "AES-192/CCM(16,4)", 16 },
+ { ENCR_AES_CCM_ICV16, 32, "AES-256/CCM(16,4)", 16 },
+};
+
+/**
+ * Determine the cipher name and ICV size for the given algorithm and key size
+ */
+static bool determine_aes_params(private_aead_t *this,
+ encryption_algorithm_t algo, size_t key_size)
+{
+ int i;
+
+ for (i = 0; i < countof(aes_modes); i++)
+ {
+ if (aes_modes[i].algo == algo &&
+ aes_modes[i].key_size == key_size)
+ {
+ this->cipher_name = aes_modes[i].name;
+ this->icv_size = aes_modes[i].icv_size;
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+#endif
+#endif
+
+/**
+ * Check the given salt size, set it if not set
+ */
+static bool check_salt_size(size_t expected, size_t *salt_size)
+{
+ if (*salt_size)
+ {
+ return *salt_size == expected;
+ }
+ *salt_size = expected;
+ return TRUE;
+}
+
/*
* Described in header
*/
-aead_t *botan_gcm_create(encryption_algorithm_t algo, size_t key_size,
- size_t salt_size)
+aead_t *botan_aead_create(encryption_algorithm_t algo, size_t key_size,
+ size_t salt_size)
{
private_aead_t *this;
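Review bot: The guard `#if defined(BOTAN_HAS_AEAD_GCM) || defined(BOTAN_HAS_AEAD_GCM)` tests the same macro twice; the second operand was presumably meant to be `BOTAN_HAS_AEAD_CCM`. As written, a Botan build with CCM but without GCM does not compile `aes_modes` and `determine_aes_params()`, yet the `#ifdef BOTAN_HAS_AEAD_CCM` case in `botan_aead_create()` in the next hunk still calls `determine_aes_params()`, so that configuration should fail to build. The line should read `#if defined(BOTAN_HAS_AEAD_GCM) || defined(BOTAN_HAS_AEAD_CCM)`.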
@@ -246,88 +321,68 @@ aead_t *botan_gcm_create(encryption_algorithm_t algo, size_t key_size,
},
);
- if (salt_size && salt_size != SALT_LEN)
- {
- /* currently not supported */
- free(this);
- return NULL;
- }
-
switch (algo)
{
+#ifdef BOTAN_HAS_AES
+#ifdef BOTAN_HAS_AEAD_GCM
case ENCR_AES_GCM_ICV8:
- switch (key_size)
+ case ENCR_AES_GCM_ICV12:
+ case ENCR_AES_GCM_ICV16:
+ if (!key_size)
{
- case 0:
- key_size = 16;
- /* FALL */
- case 16:
- this->cipher_name = "AES-128/GCM(8)";
- break;
- case 24:
- this->cipher_name = "AES-192/GCM(8)";
- break;
- case 32:
- this->cipher_name = "AES-256/GCM(8)";
- break;
- default:
- free(this);
- return NULL;
+ key_size = 16;
+ }
+ if (!check_salt_size(SALT_LEN, &salt_size) ||
+ !determine_aes_params(this, algo, key_size))
+ {
+ free(this);
+ return NULL;
}
- this->icv_size = 8;
break;
- case ENCR_AES_GCM_ICV12:
- switch (key_size)
+#endif
+#ifdef BOTAN_HAS_AEAD_CCM
+ case ENCR_AES_CCM_ICV8:
+ case ENCR_AES_CCM_ICV12:
+ case ENCR_AES_CCM_ICV16:
+ if (!key_size)
{
- case 0:
- key_size = 16;
- /* FALL */
- case 16:
- this->cipher_name = "AES-128/GCM(12)";
- break;
- case 24:
- this->cipher_name = "AES-192/GCM(12)";
- break;
- case 32:
- this->cipher_name = "AES-256/GCM(12)";
- break;
- default:
- free(this);
- return NULL;
+ key_size = 16;
+ }
+ if (!check_salt_size(CCM_SALT_LEN, &salt_size) ||
+ !determine_aes_params(this, algo, key_size))
+ {
+ free(this);
+ return NULL;
}
- this->icv_size = 12;
break;
- case ENCR_AES_GCM_ICV16:
- switch (key_size)
+#endif
+#endif
+#ifdef BOTAN_HAS_AEAD_CHACHA20_POLY1305
+ case ENCR_CHACHA20_POLY1305:
+ if (!key_size)
+ {
+ key_size = CHAPOLY_KEY_LEN;
+ }
+ if (key_size != CHAPOLY_KEY_LEN ||
+ !check_salt_size(SALT_LEN, &salt_size))
{
- case 0:
- key_size = 16;
- /* FALL */
- case 16:
- this->cipher_name = "AES-128/GCM";
- break;
- case 24:
- this->cipher_name = "AES-192/GCM";
- break;
- case 32:
- this->cipher_name = "AES-256/GCM";
- break;
- default:
- free(this);
- return NULL;
+ free(this);
+ return NULL;
}
+ this->cipher_name = "ChaCha20Poly1305";
this->icv_size = 16;
break;
+#endif
default:
free(this);
return NULL;
}
this->key = chunk_alloc(key_size);
+ this->salt = chunk_alloc(salt_size);
this->iv_gen = iv_gen_seq_create();
return &this->public;
}
#endif
-#endif
diff --git a/src/libstrongswan/plugins/botan/botan_gcm.h b/src/libstrongswan/plugins/botan/botan_aead.h
index b2053cb4d..00a2ba4bc 100644
--- a/src/libstrongswan/plugins/botan/botan_gcm.h
+++ b/src/libstrongswan/plugins/botan/botan_aead.h
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2018 Atanas Filyanov
* Rohde & Schwarz Cybersecurity GmbH
*
@@ -22,14 +25,14 @@
*/
/**
- * Implements the aead_t interface using Botan in GCM mode.
+ * Implements the aead_t interface using Botan.
*
- * @defgroup botan_gcm botan_gcm
+ * @defgroup botan_aead botan_aead
* @{ @ingroup botan_p
*/
-#ifndef BOTAN_GCM_H_
-#define BOTAN_GCM_H_
+#ifndef BOTAN_AEAD_H_
+#define BOTAN_AEAD_H_
#include <crypto/aead.h>
@@ -41,7 +44,7 @@
* @param salt_size size of implicit salt length
* @return aead_t object, NULL if not supported
*/
-aead_t *botan_gcm_create(encryption_algorithm_t algo, size_t key_size,
- size_t salt_size);
+aead_t *botan_aead_create(encryption_algorithm_t algo, size_t key_size,
+ size_t salt_size);
-#endif /** BOTAN_GCM_H_ @}*/
+#endif /** BOTAN_AEAD_H_ @}*/
diff --git a/src/libstrongswan/plugins/botan/botan_crypter.c b/src/libstrongswan/plugins/botan/botan_crypter.c
index 002be6ea8..3ec5c4d5e 100644
--- a/src/libstrongswan/plugins/botan/botan_crypter.c
+++ b/src/libstrongswan/plugins/botan/botan_crypter.c
@@ -25,6 +25,10 @@
#include "botan_crypter.h"
+#include <botan/build.h>
+
+#if defined(BOTAN_HAS_AES) && defined(BOTAN_HAS_MODE_CBC)
+
#include <botan/ffi.h>
typedef struct private_botan_crypter_t private_botan_crypter_t;
@@ -189,3 +193,5 @@ botan_crypter_t *botan_crypter_create(encryption_algorithm_t algo,
this->key = chunk_alloc(key_size);
return &this->public;
}
+
+#endif
diff --git a/src/libstrongswan/plugins/botan/botan_ec_public_key.c b/src/libstrongswan/plugins/botan/botan_ec_public_key.c
index 4c85dbcec..095ae3f20 100644
--- a/src/libstrongswan/plugins/botan/botan_ec_public_key.c
+++ b/src/libstrongswan/plugins/botan/botan_ec_public_key.c
@@ -69,9 +69,7 @@ static bool verify_signature(private_botan_ec_public_key_t *this,
const char* hash_and_padding, int signature_format, size_t keylen,
chunk_t data, chunk_t signature)
{
- botan_pk_op_verify_t verify_op;
chunk_t sig = signature;
- bool valid = FALSE;
if (signature_format == SIG_FORMAT_DER_SEQUENCE)
{
@@ -104,22 +102,7 @@ static bool verify_signature(private_botan_ec_public_key_t *this,
memcpy(sig.ptr + (keylen - r.len), r.ptr, r.len);
memcpy(sig.ptr + keylen + (keylen - s.len), s.ptr, s.len);
}
-
- if (botan_pk_op_verify_create(&verify_op, this->key, hash_and_padding, 0))
- {
- return FALSE;
- }
-
- if (botan_pk_op_verify_update(verify_op, data.ptr, data.len))
- {
- botan_pk_op_verify_destroy(verify_op);
- return FALSE;
- }
-
- valid = !(botan_pk_op_verify_finish(verify_op, sig.ptr, sig.len));
-
- botan_pk_op_verify_destroy(verify_op);
- return valid;
+ return botan_verify_signature(this->key, hash_and_padding, data, sig);
}
METHOD(public_key_t, get_type, key_type_t,
diff --git a/src/libstrongswan/plugins/botan/botan_ed_private_key.c b/src/libstrongswan/plugins/botan/botan_ed_private_key.c
new file mode 100644
index 000000000..3f0f54222
--- /dev/null
+++ b/src/libstrongswan/plugins/botan/botan_ed_private_key.c
@@ -0,0 +1,279 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "botan_ed_private_key.h"
+#include "botan_ed_public_key.h"
+#include "botan_util.h"
+
+#include <botan/build.h>
+
+#ifdef BOTAN_HAS_ED25519
+
+#include <asn1/asn1.h>
+#include <utils/debug.h>
+
+typedef struct private_private_key_t private_private_key_t;
+
+#define ED25519_KEY_LEN 32
+
+/**
+ * Private data
+ */
+struct private_private_key_t {
+
+ /**
+ * Public interface
+ */
+ private_key_t public;
+
+ /**
+ * Botan private key object
+ */
+ botan_privkey_t key;
+
+ /**
+ * Reference count
+ */
+ refcount_t ref;
+};
+
+METHOD(private_key_t, sign, bool,
+ private_private_key_t *this, signature_scheme_t scheme,
+ void *params, chunk_t data, chunk_t *signature)
+{
+ switch (scheme)
+ {
+ case SIGN_ED25519:
+ return botan_get_signature(this->key, "Pure", data, signature);
+ default:
+ DBG1(DBG_LIB, "signature scheme %N not supported via botan",
+ signature_scheme_names, scheme);
+ return FALSE;
+ }
+}
+
+METHOD(private_key_t, decrypt, bool,
+ private_private_key_t *this, encryption_scheme_t scheme,
+ chunk_t crypto, chunk_t *plain)
+{
+ DBG1(DBG_LIB, "EdDSA private key decryption not implemented");
+ return FALSE;
+}
+
+METHOD(private_key_t, get_keysize, int,
+ private_private_key_t *this)
+{
+ return ED25519_KEY_LEN * 8;
+}
+
+METHOD(private_key_t, get_type, key_type_t,
+ private_private_key_t *this)
+{
+ return KEY_ED25519;
+}
+
+METHOD(private_key_t, get_public_key, public_key_t*,
+ private_private_key_t *this)
+{
+ botan_pubkey_t pubkey;
+
+ if (botan_privkey_export_pubkey(&pubkey, this->key))
+ {
+ return NULL;
+ }
+ return botan_ed_public_key_adopt(pubkey);
+}
+
+METHOD(private_key_t, get_fingerprint, bool,
+ private_private_key_t *this, cred_encoding_type_t type,
+ chunk_t *fingerprint)
+{
+ botan_pubkey_t pubkey;
+ bool success = FALSE;
+
+ /* check the cache before doing the export */
+ if (lib->encoding->get_cache(lib->encoding, type, this, fingerprint))
+ {
+ return TRUE;
+ }
+
+ if (botan_privkey_export_pubkey(&pubkey, this->key))
+ {
+ return FALSE;
+ }
+ success = botan_get_fingerprint(pubkey, this, type, fingerprint);
+ botan_pubkey_destroy(pubkey);
+ return success;
+}
+
+METHOD(private_key_t, get_encoding, bool,
+ private_private_key_t *this, cred_encoding_type_t type,
+ chunk_t *encoding)
+{
+ return botan_get_privkey_encoding(this->key, type, encoding);
+}
+
+METHOD(private_key_t, get_ref, private_key_t*,
+ private_private_key_t *this)
+{
+ ref_get(&this->ref);
+ return &this->public;
+}
+
+METHOD(private_key_t, destroy, void,
+ private_private_key_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ lib->encoding->clear_cache(lib->encoding, this);
+ botan_privkey_destroy(this->key);
+ free(this);
+ }
+}
+
+/**
+ * Internal generic constructor
+ */
+static private_private_key_t *create_empty()
+{
+ private_private_key_t *this;
+
+ INIT(this,
+ .public = {
+ .get_type = _get_type,
+ .sign = _sign,
+ .decrypt = _decrypt,
+ .get_keysize = _get_keysize,
+ .get_public_key = _get_public_key,
+ .equals = private_key_equals,
+ .belongs_to = private_key_belongs_to,
+ .get_fingerprint = _get_fingerprint,
+ .has_fingerprint = private_key_has_fingerprint,
+ .get_encoding = _get_encoding,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .ref = 1,
+ );
+
+ return this;
+}
+
+/*
+ * Described in header
+ */
+private_key_t *botan_ed_private_key_adopt(botan_privkey_t key)
+{
+ private_private_key_t *this;
+
+ this = create_empty();
+ this->key = key;
+
+ return &this->public;
+}
+
+/*
+ * Described in header
+ */
+private_key_t *botan_ed_private_key_gen(key_type_t type, va_list args)
+{
+ private_private_key_t *this;
+ botan_rng_t rng;
+
+ while (TRUE)
+ {
+ switch (va_arg(args, builder_part_t))
+ {
+ case BUILD_KEY_SIZE:
+ /* just ignore the key size */
+ va_arg(args, u_int);
+ continue;
+ case BUILD_END:
+ break;
+ default:
+ return NULL;
+ }
+ break;
+ }
+
+ if (botan_rng_init(&rng, "system"))
+ {
+ return NULL;
+ }
+
+ this = create_empty();
+
+ if (botan_privkey_create(&this->key, "Ed25519", NULL, rng))
+ {
+ DBG1(DBG_LIB, "EdDSA private key generation failed");
+ botan_rng_destroy(rng);
+ free(this);
+ return NULL;
+ }
+
+ botan_rng_destroy(rng);
+ return &this->public;
+}
+
+/*
+ * Described in header
+ */
+private_key_t *botan_ed_private_key_load(key_type_t type, va_list args)
+{
+ private_private_key_t *this;
+ chunk_t key = chunk_empty;
+
+ while (TRUE)
+ {
+ switch (va_arg(args, builder_part_t))
+ {
+ case BUILD_EDDSA_PRIV_ASN1_DER:
+ key = va_arg(args, chunk_t);
+ continue;
+ case BUILD_END:
+ break;
+ default:
+ return NULL;
+ }
+ break;
+ }
+
+ /* PKCS#8-encoded keys are handled generically, so we only handle the
+ * explicit case */
+ if (asn1_unwrap(&key, &key) != ASN1_OCTET_STRING ||
+ key.len != ED25519_KEY_LEN)
+ {
+ return NULL;
+ }
+
+ this = create_empty();
+
+ if (botan_privkey_load_ed25519(&this->key, key.ptr))
+ {
+ free(this);
+ return NULL;
+ }
+ return &this->public;
+}
+
+#endif
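Review bot: `ED25519_KEY_LEN` is defined locally with `#define ED25519_KEY_LEN 32`, and again in `botan_ed_public_key.h`, which this file already includes. The two definitions are identical today, but the private-key length check in `botan_ed_private_key_load()` depends on them staying in step, so the local `#define` should be dropped in favour of the header's. As a smaller style point, `static private_private_key_t *create_empty()` would be better declared as `create_empty(void)`, so that the compiler rejects calls with arguments.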
diff --git a/src/libstrongswan/plugins/botan/botan_ed_private_key.h b/src/libstrongswan/plugins/botan/botan_ed_private_key.h
new file mode 100644
index 000000000..f7f32e8f3
--- /dev/null
+++ b/src/libstrongswan/plugins/botan/botan_ed_private_key.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/**
+ * @defgroup botan_ed_private_key botan_ed_private_key
+ * @{ @ingroup botan_p
+ */
+
+#ifndef BOTAN_ED_PRIVATE_KEY_H_
+#define BOTAN_ED_PRIVATE_KEY_H_
+
+#include <botan/ffi.h>
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+/**
+ * Generate an EdDSA private key using Botan.
+ *
+ * @param type type of the key, must be KEY_ED25519
+ * @param args builder_part_t argument list
+ * @return generated key, NULL on failure
+ */
+private_key_t *botan_ed_private_key_gen(key_type_t type, va_list args);
+
+/**
+ * Load an EdDSA private key using Botan.
+ *
+ * @param type type of the key, must be KEY_ED25519
+ * @param args builder_part_t argument list
+ * @return loaded key, NULL on failure
+ */
+private_key_t *botan_ed_private_key_load(key_type_t type, va_list args);
+
+/**
+ * Load an EdDSA private key by adopting a botan_privkey_t object.
+ *
+ * @param key private key object (adopted)
+ * @return loaded key, NULL on failure
+ */
+private_key_t *botan_ed_private_key_adopt(botan_privkey_t key);
+
+#endif /** BOTAN_ED_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/botan/botan_ed_public_key.c b/src/libstrongswan/plugins/botan/botan_ed_public_key.c
new file mode 100644
index 000000000..41d2baae8
--- /dev/null
+++ b/src/libstrongswan/plugins/botan/botan_ed_public_key.c
@@ -0,0 +1,202 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "botan_ed_public_key.h"
+#include "botan_util.h"
+
+#include <botan/build.h>
+
+#ifdef BOTAN_HAS_ED25519
+
+#include <utils/debug.h>
+
+typedef struct private_public_key_t private_public_key_t;
+
+/**
+ * Private data
+ */
+struct private_public_key_t {
+
+ /**
+ * Public interface
+ */
+ public_key_t public;
+
+ /**
+ * Botan public key object
+ */
+ botan_pubkey_t key;
+
+ /**
+ * Reference counter
+ */
+ refcount_t ref;
+};
+
+METHOD(public_key_t, get_type, key_type_t,
+ private_public_key_t *this)
+{
+ return KEY_ED25519;
+}
+
+METHOD(public_key_t, get_keysize, int,
+ private_public_key_t *this)
+{
+ return ED25519_KEY_LEN * 8;
+}
+
+METHOD(public_key_t, verify, bool,
+ private_public_key_t *this, signature_scheme_t scheme,
+ void *params, chunk_t data, chunk_t signature)
+{
+ switch (scheme)
+ {
+ case SIGN_ED25519:
+ return botan_verify_signature(this->key, "Pure", data, signature);
+ default:
+ DBG1(DBG_LIB, "signature scheme %N not supported via botan",
+ signature_scheme_names, scheme);
+ return FALSE;
+ }
+}
+
+METHOD(public_key_t, encrypt, bool,
+ private_public_key_t *this, encryption_scheme_t scheme,
+ chunk_t crypto, chunk_t *plain)
+{
+ DBG1(DBG_LIB, "EdDSA public key encryption not implemented");
+ return FALSE;
+}
+
+METHOD(public_key_t, get_fingerprint, bool,
+ private_public_key_t *this, cred_encoding_type_t type,
+ chunk_t *fingerprint)
+{
+ return botan_get_fingerprint(this->key, this, type, fingerprint);
+}
+
+METHOD(public_key_t, get_encoding, bool,
+ private_public_key_t *this, cred_encoding_type_t type,
+ chunk_t *encoding)
+{
+ return botan_get_encoding(this->key, type, encoding);
+}
+
+METHOD(public_key_t, get_ref, public_key_t*,
+ private_public_key_t *this)
+{
+ ref_get(&this->ref);
+ return &this->public;
+}
+
+METHOD(public_key_t, destroy, void,
+ private_public_key_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ lib->encoding->clear_cache(lib->encoding, this);
+ botan_pubkey_destroy(this->key);
+ free(this);
+ }
+}
+
+/**
+ * Internal generic constructor
+ */
+static private_public_key_t *create_empty()
+{
+ private_public_key_t *this;
+
+ INIT(this,
+ .public = {
+ .get_type = _get_type,
+ .verify = _verify,
+ .encrypt = _encrypt,
+ .get_keysize = _get_keysize,
+ .equals = public_key_equals,
+ .get_fingerprint = _get_fingerprint,
+ .has_fingerprint = public_key_has_fingerprint,
+ .get_encoding = _get_encoding,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .ref = 1,
+ );
+
+ return this;
+}
+
+/*
+ * Described in header
+ */
+public_key_t *botan_ed_public_key_adopt(botan_pubkey_t key)
+{
+ private_public_key_t *this;
+
+ this = create_empty();
+ this->key = key;
+
+ return &this->public;
+}
+
+/*
+ * Described in header
+ */
+public_key_t *botan_ed_public_key_load(key_type_t type, va_list args)
+{
+ private_public_key_t *this;
+ chunk_t key = chunk_empty;
+
+ while (TRUE)
+ {
+ switch (va_arg(args, builder_part_t))
+ {
+ case BUILD_EDDSA_PUB:
+ key = va_arg(args, chunk_t);
+ continue;
+ case BUILD_END:
+ break;
+ default:
+ return NULL;
+ }
+ break;
+ }
+
+ /* ASN.1-encoded keys are handled generically, so we only handle the
+ * explicit case */
+ if (key.len != ED25519_KEY_LEN)
+ {
+ return NULL;
+ }
+
+ this = create_empty();
+
+ if (botan_pubkey_load_ed25519(&this->key, key.ptr))
+ {
+ free(this);
+ return NULL;
+ }
+ return &this->public;
+}
+
+#endif
diff --git a/src/libstrongswan/plugins/botan/botan_ed_public_key.h b/src/libstrongswan/plugins/botan/botan_ed_public_key.h
new file mode 100644
index 000000000..0f44b1afb
--- /dev/null
+++ b/src/libstrongswan/plugins/botan/botan_ed_public_key.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef BOTAN_ED_PUBLIC_KEY_H_
+#define BOTAN_ED_PUBLIC_KEY_H_
+
+#include <botan/ffi.h>
+
+#include <credentials/builder.h>
+#include <credentials/keys/public_key.h>
+
+#define ED25519_KEY_LEN 32
+
+/**
+ * Load an EdDSA public key by adopting a botan_pubkey_t object.
+ *
+ * @param key public key object (adopted)
+ * @return loaded key, NULL on failure
+ */
+public_key_t *botan_ed_public_key_adopt(botan_pubkey_t key);
+
+/**
+ * Load an EdDSA public key using Botan.
+ *
+ * @param type type of the key, must be KEY_ED25519
+ * @param args builder_part_t argument list
+ * @return loaded key, NULL on failure
+ */
+public_key_t *botan_ed_public_key_load(key_type_t type, va_list args);
+
+#endif /** BOTAN_ED_PUBLIC_KEY_H_ @}*/
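Review bot: The closing guard `#endif /** BOTAN_ED_PUBLIC_KEY_H_ @}*/` ends a Doxygen group with `@}`, but nothing in this new header opens one, so the two declarations are not attached to any group. I would add a block before the include guard with `@defgroup botan_ed_public_key botan_ed_public_key` and `@{ @ingroup botan_p`, assuming `botan_p` is the group name the sibling Botan headers use. The `type` parameter is documented as "must be KEY_ED25519", while the loader body visible in botan_ed_public_key.c never inspects `type`. The comment could instead say that the restriction is enforced by the plugin feature registration.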
diff --git a/src/libstrongswan/plugins/botan/botan_plugin.c b/src/libstrongswan/plugins/botan/botan_plugin.c
index fd8e5f5a6..f045ba074 100644
--- a/src/libstrongswan/plugins/botan/botan_plugin.c
+++ b/src/libstrongswan/plugins/botan/botan_plugin.c
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2018 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2018 René Korthaus
@@ -36,7 +37,9 @@
#include "botan_ec_diffie_hellman.h"
#include "botan_ec_public_key.h"
#include "botan_ec_private_key.h"
-#include "botan_gcm.h"
+#include "botan_ed_public_key.h"
+#include "botan_ed_private_key.h"
+#include "botan_aead.h"
#include "botan_util_keys.h"
#include "botan_x25519.h"
@@ -101,6 +104,7 @@ METHOD(plugin_t, get_features, int,
#endif
/* crypters */
+#if defined(BOTAN_HAS_AES) && defined(BOTAN_HAS_MODE_CBC)
PLUGIN_REGISTER(CRYPTER, botan_crypter_create),
#ifdef BOTAN_HAS_AES
#ifdef BOTAN_HAS_MODE_CBC
@@ -108,17 +112,43 @@ METHOD(plugin_t, get_features, int,
PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 24),
PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 32),
#endif
+#endif
+#endif
+
+ /* AEAD */
+#if (defined(BOTAN_HAS_AES) && \
+ (defined(BOTAN_HAS_AEAD_GCM) || defined(BOTAN_HAS_AEAD_CCM))) || \
+ defined(BOTAN_HAS_AEAD_CHACHA20_POLY1305)
+ PLUGIN_REGISTER(AEAD, botan_aead_create),
+#ifdef BOTAN_HAS_AES
#ifdef BOTAN_HAS_AEAD_GCM
- /* AES GCM */
- PLUGIN_REGISTER(AEAD, botan_gcm_create),
PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 16),
PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 24),
PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 32),
PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16),
PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24),
PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 16),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 24),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 32),
#endif
+ #ifdef BOTAN_HAS_AEAD_CCM
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV16, 16),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV16, 24),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV16, 32),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV12, 16),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV12, 24),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV12, 32),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV8, 16),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV8, 24),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV8, 32),
+ #endif
+#endif
+#ifdef BOTAN_HAS_AEAD_CHACHA20_POLY1305
+ PLUGIN_PROVIDE(AEAD, ENCR_CHACHA20_POLY1305, 32),
#endif
+#endif
+
/* hashers */
PLUGIN_REGISTER(HASHER, botan_hasher_create),
#ifdef BOTAN_HAS_MD5
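Review bot: The new AEAD block nests three levels of conditionals and closes them with five bare `#endif` lines, which makes it hard to tell which guard ends where. Other parts of this file label them, e.g. `#endif /* BOTAN_HAS_HMAC */`. I would label at least the outer ones, e.g. `#endif /* BOTAN_HAS_AES */` after the CCM list and `#endif /* AEAD */` on the last one. Separately, the added `ENCR_AES_GCM_ICV8` and `ENCR_AES_CCM_ICV8` entries advertise 64-bit tags. If they are offered for interoperability only, a one-line comment saying so above them would help whoever reviews the provided algorithm set later.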
@@ -135,6 +165,13 @@ METHOD(plugin_t, get_features, int,
PLUGIN_PROVIDE(HASHER, HASH_SHA384),
PLUGIN_PROVIDE(HASHER, HASH_SHA512),
#endif
+#ifdef BOTAN_HAS_SHA3
+ PLUGIN_PROVIDE(HASHER, HASH_SHA3_224),
+ PLUGIN_PROVIDE(HASHER, HASH_SHA3_256),
+ PLUGIN_PROVIDE(HASHER, HASH_SHA3_384),
+ PLUGIN_PROVIDE(HASHER, HASH_SHA3_512),
+#endif
+
/* prfs */
#ifdef BOTAN_HAS_HMAC
PLUGIN_REGISTER(PRF, botan_hmac_prf_create),
@@ -168,7 +205,8 @@ METHOD(plugin_t, get_features, int,
#endif /* BOTAN_HAS_HMAC */
/* generic key loaders */
-#if defined (BOTAN_HAS_RSA) || defined(BOTAN_HAS_ECDSA)
+#if defined (BOTAN_HAS_RSA) || defined(BOTAN_HAS_ECDSA) || \
+ defined(BOTAN_HAS_ED25519)
PLUGIN_REGISTER(PUBKEY, botan_public_key_load, TRUE),
PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
#ifdef BOTAN_HAS_RSA
@@ -177,6 +215,9 @@ METHOD(plugin_t, get_features, int,
#ifdef BOTAN_HAS_ECDSA
PLUGIN_PROVIDE(PUBKEY, KEY_ECDSA),
#endif
+#ifdef BOTAN_HAS_ED25519
+ PLUGIN_PROVIDE(PUBKEY, KEY_ED25519),
+#endif
PLUGIN_REGISTER(PRIVKEY, botan_private_key_load, TRUE),
PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
#ifdef BOTAN_HAS_RSA
@@ -185,6 +226,9 @@ METHOD(plugin_t, get_features, int,
#ifdef BOTAN_HAS_ECDSA
PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA),
#endif
+#ifdef BOTAN_HAS_ED25519
+ PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519),
+#endif
#endif
/* RSA */
#ifdef BOTAN_HAS_RSA
@@ -218,6 +262,16 @@ METHOD(plugin_t, get_features, int,
PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_384),
PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_512),
#endif
+#ifdef BOTAN_HAS_SHA3
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA3_224),
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA3_256),
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA3_384),
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA3_512),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA3_224),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA3_256),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA3_384),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA3_512),
+#endif
#endif
#ifdef BOTAN_HAS_EMSA_PSSR
PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS),
@@ -272,6 +326,21 @@ METHOD(plugin_t, get_features, int,
#endif /* BOTAN_HAS_EMSA1 */
#endif /* BOTAN_HAS_ECDSA */
+#ifdef BOTAN_HAS_ED25519
+ /* EdDSA private/public key loading */
+ PLUGIN_REGISTER(PUBKEY, botan_ed_public_key_load, TRUE),
+ PLUGIN_PROVIDE(PUBKEY, KEY_ED25519),
+ PLUGIN_REGISTER(PRIVKEY, botan_ed_private_key_load, TRUE),
+ PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519),
+ PLUGIN_REGISTER(PRIVKEY_GEN, botan_ed_private_key_gen, FALSE),
+ PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED25519),
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED25519),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED25519),
+ /* register a pro forma identity hasher, never instantiated */
+ PLUGIN_REGISTER(HASHER, return_null),
+ PLUGIN_PROVIDE(HASHER, HASH_IDENTITY),
+#endif
+
/* random numbers */
#if BOTAN_HAS_SYSTEM_RNG
#if BOTAN_HAS_HMAC_DRBG
diff --git a/src/libstrongswan/plugins/botan/botan_rsa_private_key.c b/src/libstrongswan/plugins/botan/botan_rsa_private_key.c
index bb723ff95..02820b297 100644
--- a/src/libstrongswan/plugins/botan/botan_rsa_private_key.c
+++ b/src/libstrongswan/plugins/botan/botan_rsa_private_key.c
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2018 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2018 René Korthaus
@@ -84,13 +85,8 @@ bool botan_emsa_pss_identifier(rsa_pss_params_t *params, char *id, size_t len)
{
return FALSE;
}
-
- if (params->salt_len > RSA_PSS_SALT_LEN_DEFAULT)
- {
- return snprintf(id, len, "EMSA-PSS(%s,MGF1,%zd)", hash,
- params->salt_len) < len;
- }
- return snprintf(id, len, "EMSA-PSS(%s,MGF1)", hash) < len;
+ return snprintf(id, len, "EMSA-PSS(%s,MGF1,%zd)", hash,
+ params->salt_len) < len;
}
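Review bot: `params->salt_len` is now formatted into the identifier unconditionally, and the removed `> RSA_PSS_SALT_LEN_DEFAULT` test was the only visible guard against sentinel values. If a caller still passes an unresolved default, the scheme string would carry a negative number; I would reject that explicitly with `if (params->salt_len < 0) { return FALSE; }` before the `snprintf`. The same applies to the gcrypt hunks in `sign_pkcs1` and `verify_pkcs1`, where `u_int slen = pss->salt_len;` would turn a negative value into a very large one. It also applies to the gmp hunks in `build_emsa_pss_signature` and `verify_emsa_pss_signature`, where `salt.len = params->salt_len;` feeds the `hash.len + salt.len + 2` length checks, which could then wrap. Whether the value is already normalised before these functions run cannot be seen from the hunks; if it is, a comment stating that precondition at each site would be enough. The function starts outside this hunk.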
/**
@@ -140,6 +136,18 @@ METHOD(private_key_t, sign, bool,
case SIGN_RSA_EMSA_PKCS1_SHA2_512:
return botan_get_signature(this->key, "EMSA_PKCS1(SHA-512)", data,
signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA3_224:
+ return botan_get_signature(this->key, "EMSA_PKCS1(SHA-3(224))", data,
+ signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA3_256:
+ return botan_get_signature(this->key, "EMSA_PKCS1(SHA-3(256))", data,
+ signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA3_384:
+ return botan_get_signature(this->key, "EMSA_PKCS1(SHA-3(384))", data,
+ signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA3_512:
+ return botan_get_signature(this->key, "EMSA_PKCS1(SHA-3(512))", data,
+ signature);
case SIGN_RSA_EMSA_PSS:
return build_emsa_pss_signature(this, params, data, signature);
default:
@@ -617,7 +625,7 @@ botan_rsa_private_key_t *botan_rsa_private_key_load(key_type_t type,
if (n.ptr && e.ptr && d.ptr)
{
- botan_mp_t n_mp, e_mp, d_mp, p_mp, q_mp;
+ botan_mp_t n_mp, e_mp, d_mp, p_mp = NULL, q_mp = NULL;
if (!chunk_to_botan_mp(n, &n_mp))
{
diff --git a/src/libstrongswan/plugins/botan/botan_rsa_public_key.c b/src/libstrongswan/plugins/botan/botan_rsa_public_key.c
index c6e2e8861..244caa585 100644
--- a/src/libstrongswan/plugins/botan/botan_rsa_public_key.c
+++ b/src/libstrongswan/plugins/botan/botan_rsa_public_key.c
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2018 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2018 René Korthaus
@@ -69,33 +70,6 @@ struct private_botan_rsa_public_key_t {
bool botan_emsa_pss_identifier(rsa_pss_params_t *params, char *id, size_t len);
/**
- * Verify RSA signature
- */
-static bool verify_rsa_signature(private_botan_rsa_public_key_t *this,
- const char* hash_and_padding, chunk_t data,
- chunk_t signature)
-{
- botan_pk_op_verify_t verify_op;
- bool valid = FALSE;
-
- if (botan_pk_op_verify_create(&verify_op, this->key, hash_and_padding, 0))
- {
- return FALSE;
- }
-
- if (botan_pk_op_verify_update(verify_op, data.ptr, data.len))
- {
- botan_pk_op_verify_destroy(verify_op);
- return FALSE;
- }
-
- valid = !botan_pk_op_verify_finish(verify_op, signature.ptr, signature.len);
-
- botan_pk_op_verify_destroy(verify_op);
- return valid;
-}
-
-/**
* Verification of an EMSA PSS signature described in PKCS#1
*/
static bool verify_emsa_pss_signature(private_botan_rsa_public_key_t *this,
@@ -109,7 +83,7 @@ static bool verify_emsa_pss_signature(private_botan_rsa_public_key_t *this,
{
return FALSE;
}
- return verify_rsa_signature(this, hash_and_padding, data, signature);
+ return botan_verify_signature(this->key, hash_and_padding, data, signature);
}
METHOD(public_key_t, get_type, key_type_t,
@@ -125,23 +99,35 @@ METHOD(public_key_t, verify, bool,
switch (scheme)
{
case SIGN_RSA_EMSA_PKCS1_NULL:
- return verify_rsa_signature(this, "EMSA_PKCS1(Raw)", data,
- signature);
+ return botan_verify_signature(this->key, "EMSA_PKCS1(Raw)", data,
+ signature);
case SIGN_RSA_EMSA_PKCS1_SHA1:
- return verify_rsa_signature(this, "EMSA_PKCS1(SHA-1)", data,
- signature);
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-1)", data,
+ signature);
case SIGN_RSA_EMSA_PKCS1_SHA2_224:
- return verify_rsa_signature(this, "EMSA_PKCS1(SHA-224)",
- data, signature);
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-224)",
+ data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA2_256:
- return verify_rsa_signature(this, "EMSA_PKCS1(SHA-256)",
- data, signature);
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-256)",
+ data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA2_384:
- return verify_rsa_signature(this, "EMSA_PKCS1(SHA-384)",
- data, signature);
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-384)",
+ data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA2_512:
- return verify_rsa_signature(this, "EMSA_PKCS1(SHA-512)",
- data, signature);
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-512)",
+ data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA3_224:
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-3(224)",
+ data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA3_256:
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-3(256))",
+ data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA3_384:
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-3(384))",
+ data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA3_512:
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-3(512))",
+ data, signature);
case SIGN_RSA_EMSA_PSS:
return verify_emsa_pss_signature(this, params, data, signature);
default:
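Review bot: The scheme string in the new `SIGN_RSA_EMSA_PKCS1_SHA3_224` case is missing a closing parenthesis: `"EMSA_PKCS1(SHA-3(224)"`. The other three SHA-3 cases and the matching sign case in botan_rsa_private_key.c use the balanced form. With the malformed name, verification for this scheme will presumably always fail in `botan_pk_op_verify_create`, so SHA3-224 signatures produced by the private-key side would be rejected. The line should read `return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-3(224))",`. The `verify` method starts and ends outside this hunk.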
diff --git a/src/libstrongswan/plugins/botan/botan_util.c b/src/libstrongswan/plugins/botan/botan_util.c
index 5e18405d7..f5728e43e 100644
--- a/src/libstrongswan/plugins/botan/botan_util.c
+++ b/src/libstrongswan/plugins/botan/botan_util.c
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2018 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2018 René Korthaus
@@ -67,6 +68,14 @@ const char *botan_get_hash(hash_algorithm_t hash)
return "SHA-384";
case HASH_SHA512:
return "SHA-512";
+ case HASH_SHA3_224:
+ return "SHA-3(224)";
+ case HASH_SHA3_256:
+ return "SHA-3(256)";
+ case HASH_SHA3_384:
+ return "SHA-3(384)";
+ case HASH_SHA3_512:
+ return "SHA-3(512)";
default:
return NULL;
}
@@ -252,6 +261,32 @@ bool botan_get_signature(botan_privkey_t key, const char *scheme,
/*
* Described in header
*/
+bool botan_verify_signature(botan_pubkey_t key, const char *scheme,
+ chunk_t data, chunk_t signature)
+{
+ botan_pk_op_verify_t verify_op;
+ bool valid = FALSE;
+
+ if (botan_pk_op_verify_create(&verify_op, key, scheme, 0))
+ {
+ return FALSE;
+ }
+
+ if (botan_pk_op_verify_update(verify_op, data.ptr, data.len))
+ {
+ botan_pk_op_verify_destroy(verify_op);
+ return FALSE;
+ }
+
+ valid = !botan_pk_op_verify_finish(verify_op, signature.ptr, signature.len);
+
+ botan_pk_op_verify_destroy(verify_op);
+ return valid;
+}
+
+/*
+ * Described in header
+ */
bool botan_dh_key_derivation(botan_privkey_t key, chunk_t pub, chunk_t *secret)
{
botan_pk_op_ka_t ka;
diff --git a/src/libstrongswan/plugins/botan/botan_util.h b/src/libstrongswan/plugins/botan/botan_util.h
index 08830356e..7fb74ec5d 100644
--- a/src/libstrongswan/plugins/botan/botan_util.h
+++ b/src/libstrongswan/plugins/botan/botan_util.h
@@ -101,6 +101,18 @@ bool botan_get_signature(botan_privkey_t key, const char *scheme,
chunk_t data, chunk_t *signature);
/**
+ * Verify the given signature using the provided data and key with the specified
+ * signature scheme (hash/padding).
+ *
+ * @param key private key object
+ * @param scheme hash/padding algorithm
+ * @param data signed data
+ * @param signature signature to verify
+ */
+bool botan_verify_signature(botan_pubkey_t key, const char* scheme,
+ chunk_t data, chunk_t signature);
+
+/**
* Do the Diffie-Hellman key derivation using the given private key and public
* value.
*
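Review bot: The new doc comment describes `key` as "private key object", but the parameter is a `botan_pubkey_t`; it looks copied from `botan_get_signature` above. It should read `@param key public key object`. The comment also lacks a return line. Going by the implementation added in botan_util.c, `@return TRUE if the signature is valid, FALSE on any error or mismatch` would match the behaviour.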
diff --git a/src/libstrongswan/plugins/botan/botan_util_keys.c b/src/libstrongswan/plugins/botan/botan_util_keys.c
index 176c2caf9..dc4031491 100644
--- a/src/libstrongswan/plugins/botan/botan_util_keys.c
+++ b/src/libstrongswan/plugins/botan/botan_util_keys.c
@@ -24,6 +24,8 @@
#include "botan_util_keys.h"
#include "botan_ec_public_key.h"
#include "botan_ec_private_key.h"
+#include "botan_ed_public_key.h"
+#include "botan_ed_private_key.h"
#include "botan_rsa_public_key.h"
#include "botan_rsa_private_key.h"
@@ -104,15 +106,27 @@ public_key_t *botan_public_key_load(key_type_t type, va_list args)
return NULL;
}
+#ifdef BOTAN_HAS_RSA
if (streq(name, "RSA") && (type == KEY_ANY || type == KEY_RSA))
{
this = (public_key_t*)botan_rsa_public_key_adopt(pubkey);
}
- else if (streq(name, "ECDSA") && (type == KEY_ANY || type == KEY_ECDSA))
+ else
+#endif
+#ifdef BOTAN_HAS_ECDSA
+ if (streq(name, "ECDSA") && (type == KEY_ANY || type == KEY_ECDSA))
{
this = (public_key_t*)botan_ec_public_key_adopt(pubkey);
}
else
+#endif
+#ifdef BOTAN_HAS_ED25519
+ if (streq(name, "Ed25519") && (type == KEY_ANY || type == KEY_ED25519))
+ {
+ this = botan_ed_public_key_adopt(pubkey);
+ }
+ else
+#endif
{
botan_pubkey_destroy(pubkey);
}
@@ -120,6 +134,7 @@ public_key_t *botan_public_key_load(key_type_t type, va_list args)
return this;
}
+#ifdef BOTAN_HAS_ECDSA
/**
* Determine the curve OID from a PKCS#8 structure
*/
@@ -139,6 +154,7 @@ static int determine_ec_oid(chunk_t pkcs8)
}
return oid;
}
+#endif
/*
* Described in header
@@ -151,7 +167,6 @@ private_key_t *botan_private_key_load(key_type_t type, va_list args)
chunk_t blob = chunk_empty;
botan_rng_t rng;
char *name;
- int oid;
while (TRUE)
{
@@ -188,20 +203,35 @@ private_key_t *botan_private_key_load(key_type_t type, va_list args)
botan_pubkey_destroy(pubkey);
if (!name)
{
+ botan_privkey_destroy(key);
return NULL;
}
+
+#ifdef BOTAN_HAS_RSA
if (streq(name, "RSA") && (type == KEY_ANY || type == KEY_RSA))
{
this = (private_key_t*)botan_rsa_private_key_adopt(key);
}
- else if (streq(name, "ECDSA") && (type == KEY_ANY || type == KEY_ECDSA))
+ else
+#endif
+#ifdef BOTAN_HAS_ECDSA
+ if (streq(name, "ECDSA") && (type == KEY_ANY || type == KEY_ECDSA))
{
- oid = determine_ec_oid(blob);
+ int oid = determine_ec_oid(blob);
if (oid != OID_UNKNOWN)
{
this = (private_key_t*)botan_ec_private_key_adopt(key, oid);
}
}
+ else
+#endif
+#ifdef BOTAN_HAS_ED25519
+ if (streq(name, "Ed25519") && (type == KEY_ANY || type == KEY_ED25519))
+ {
+ this = botan_ed_private_key_adopt(key);
+ }
+#endif
+
if (!this)
{
botan_privkey_destroy(key);
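Review bot: When `BOTAN_HAS_ECDSA` is defined and `BOTAN_HAS_ED25519` is not, the `else` added before the ECDSA `#endif` binds to the following `if (!this)` statement. An ECDSA key whose `determine_ec_oid()` result is `OID_UNKNOWN` then leaves `this` NULL but skips `botan_privkey_destroy(key)`, so the private key object is leaked. The public-key loader in this file avoids the problem by ending its chain with a braced block. I would do the same here: add `else` after the Ed25519 block inside its `#ifdef`, and follow the `#endif` with an empty `{ }` block carrying a comment such as `/* unsupported key type, destroyed below */`. The function continues outside this hunk, so the final return path is not visible here.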
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_public_key.c b/src/libstrongswan/plugins/curve25519/curve25519_public_key.c
index 1d4dec565..dfc1df4d0 100644
--- a/src/libstrongswan/plugins/curve25519/curve25519_public_key.c
+++ b/src/libstrongswan/plugins/curve25519/curve25519_public_key.c
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2018 Tobias Brunner
* Copyright (C) 2016 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
@@ -48,6 +49,13 @@ METHOD(public_key_t, get_type, key_type_t,
return KEY_ED25519;
}
+/* L = 2^252+27742317777372353535851937790883648493 in little-endian form */
+static chunk_t curve25519_order = chunk_from_chars(
+ 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
+ 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10);
+
METHOD(public_key_t, verify, bool,
private_curve25519_public_key_t *this, signature_scheme_t scheme,
void *params, chunk_t data, chunk_t signature)
@@ -93,6 +101,20 @@ METHOD(public_key_t, verify, bool,
{
return FALSE;
}
+ /* make sure 0 <= s < L, as per RFC 8032, section 5.1.7 to prevent signature
+ * malleability. Due to the three-bit check above (forces s < 2^253) there
+ * is not that much room, but adding L once works with most signatures */
+ for (i = 31; ; i--)
+ {
+ if (sig[i+32] < curve25519_order.ptr[i])
+ {
+ break;
+ }
+ else if (sig[i+32] > curve25519_order.ptr[i] || i == 0)
+ {
+ return FALSE;
+ }
+ }
hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
if (!hasher)
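Review bot: The comment above the new range check is hard to read: its last sentence, "adding L once works with most signatures", describes the malleability that the loop prevents, but it reads as if it described the check itself. I would reword it to `/* reject s >= L (RFC 8032, section 5.1.7): the three-bit check above only forces s < 2^253, so without this s + L would still verify for most signatures */`. It would also help to note that `sig[i+32]` indexes the little-endian `s` half of the signature and that the loop compares from the most significant byte down, which is why it starts at `i = 31`. The `verify` method begins and ends outside this hunk.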
@@ -200,22 +222,68 @@ static const asn1Object_t pubkeyObjects[] = {
#define ED25519_SUBJECT_PUBLIC_KEY 2
/**
+ * Parse the ASN.1-encoded subjectPublicKeyInfo
+ */
+static bool parse_public_key_info(private_curve25519_public_key_t *this,
+ chunk_t blob)
+{
+ asn1_parser_t *parser;
+ chunk_t object;
+ bool success = FALSE;
+ int objectID, oid;
+
+ parser = asn1_parser_create(pubkeyObjects, blob);
+
+ while (parser->iterate(parser, &objectID, &object))
+ {
+ switch (objectID)
+ {
+ case ED25519_SUBJECT_PUBLIC_KEY_ALGORITHM:
+ {
+ oid = asn1_parse_algorithmIdentifier(object,
+ parser->get_level(parser) + 1, NULL);
+ if (oid != OID_ED25519)
+ {
+ goto end;
+ }
+ break;
+ }
+ case ED25519_SUBJECT_PUBLIC_KEY:
+ {
+ /* encoded as an ASN1 BIT STRING */
+ if (object.len != 1 + ED25519_KEY_LEN)
+ {
+ goto end;
+ }
+ this->pubkey = chunk_clone(chunk_skip(object, 1));
+ break;
+ }
+ }
+ }
+ success = parser->success(parser);
+
+end:
+ parser->destroy(parser);
+ return success;
+}
+
+/**
* See header.
*/
curve25519_public_key_t *curve25519_public_key_load(key_type_t type,
va_list args)
{
private_curve25519_public_key_t *this;
- chunk_t blob = chunk_empty, object;
- asn1_parser_t *parser;
- bool success = FALSE;
- int objectID, oid;
+ chunk_t asn1 = chunk_empty, blob = chunk_empty;
while (TRUE)
{
switch (va_arg(args, builder_part_t))
{
case BUILD_BLOB_ASN1_DER:
+ asn1 = va_arg(args, chunk_t);
+ continue;
+ case BUILD_EDDSA_PUB:
blob = va_arg(args, chunk_t);
continue;
case BUILD_END:
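Review bot: In `parse_public_key_info`, the `ED25519_SUBJECT_PUBLIC_KEY` case checks the BIT STRING length and then skips the first octet with `chunk_skip(object, 1)` without looking at its value. That octet is the unused-bits count and should be zero for an Ed25519 key, so a non-canonical encoding would currently be accepted. If the ASN.1 parser does not already enforce this, the condition could become `if (object.len != 1 + ED25519_KEY_LEN || object.ptr[0] != 0)`. The logic was moved unchanged from the loader, so this predates the commit, but the new helper is a natural place to tighten it. `curve25519_public_key_load` continues past the end of this hunk.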
@@ -244,39 +312,11 @@ curve25519_public_key_t *curve25519_public_key_load(key_type_t type,
.ref = 1,
);
- parser = asn1_parser_create(pubkeyObjects, blob);
-
- while (parser->iterate(parser, &objectID, &object))
+ if (blob.len == ED25519_KEY_LEN)
{
- switch (objectID)
- {
- case ED25519_SUBJECT_PUBLIC_KEY_ALGORITHM:
- {
- oid = asn1_parse_algorithmIdentifier(object,
- parser->get_level(parser) + 1, NULL);
- if (oid != OID_ED25519)
- {
- goto end;
- }
- break;
- }
- case ED25519_SUBJECT_PUBLIC_KEY:
- {
- /* encoded as an ASN1 BIT STRING */
- if (object.len != 1 + ED25519_KEY_LEN)
- {
- goto end;
- }
- this->pubkey = chunk_clone(chunk_skip(object, 1));
- break;
- }
- }
+ this->pubkey = chunk_clone(blob);
}
- success = parser->success(parser);
-
-end:
- parser->destroy(parser);
- if (!success)
+ else if (!asn1.len || !parse_public_key_info(this, asn1))
{
destroy(this);
return NULL;
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 45fba242b..6946e4576 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -43,10 +43,12 @@ struct private_gcrypt_plugin_t {
gcrypt_plugin_t public;
};
+#if GCRYPT_VERSION_NUMBER < 0x010600
/**
* Define gcrypt multi-threading callbacks as gcry_threads_pthread
*/
GCRY_THREAD_OPTION_PTHREAD_IMPL;
+#endif
METHOD(plugin_t, get_name, char*,
private_gcrypt_plugin_t *this)
@@ -163,7 +165,9 @@ plugin_t *gcrypt_plugin_create()
{
private_gcrypt_plugin_t *this;
+#if GCRYPT_VERSION_NUMBER < 0x010600
gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
+#endif
if (!gcry_check_version(GCRYPT_VERSION))
{
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index c06f43348..394b87c27 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -187,11 +187,7 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
}
else
{
- u_int slen = hasher_hash_size(hash_algorithm);
- if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT)
- {
- slen = pss->salt_len;
- }
+ u_int slen = pss->salt_len;
err = gcry_sexp_build(&in, NULL,
"(data(flags pss)(salt-length %u)(hash %s %b))",
slen, hash_name, hash.len, hash.ptr);
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index 9e2ac1287..bbfa5e298 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -139,11 +139,7 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this,
if (pss)
{
- u_int slen = hasher_hash_size(algorithm);
- if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT)
- {
- slen = pss->salt_len;
- }
+ u_int slen = pss->salt_len;
err = gcry_sexp_build(&in, NULL,
"(data(flags pss)(salt-length %u)(hash %s %b))",
slen, hash_name, hash.len, hash.ptr);
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index a255a40ab..2d2d5c6fb 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -393,15 +393,11 @@ static bool build_emsa_pss_signature(private_gmp_rsa_private_key_t *this,
goto error;
}
- salt.len = hash.len;
+ salt.len = params->salt_len;
if (params->salt.len)
{
salt = params->salt;
}
- else if (params->salt_len > RSA_PSS_SALT_LEN_DEFAULT)
- {
- salt.len = params->salt_len;
- }
if (emlen < (hash.len + salt.len + 2))
{ /* too long */
goto error;
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index 9b5ee67fa..f9bd1d314 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -205,12 +205,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this,
{
goto error;
}
- /* determine salt length */
- salt.len = hash.len;
- if (params->salt_len > RSA_PSS_SALT_LEN_DEFAULT)
- {
- salt.len = params->salt_len;
- }
+ salt.len = params->salt_len;
/* verify general structure of EM */
maskbits = (8 * em.len) - embits;
if (em.len < (hash.len + salt.len + 2) || em.ptr[em.len-1] != 0xbc ||
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c
index d7e35d9fd..90f8185b0 100644
--- a/src/libstrongswan/plugins/mysql/mysql_database.c
+++ b/src/libstrongswan/plugins/mysql/mysql_database.c
@@ -131,9 +131,13 @@ typedef struct {
*/
static void conn_release(private_mysql_database_t *this, conn_t *conn)
{
- this->mutex->lock(this->mutex);
- conn->in_use = FALSE;
- this->mutex->unlock(this->mutex);
+ /* do not release the connection while transactions are using it */
+ if (!this->transaction->get(this->transaction))
+ {
+ this->mutex->lock(this->mutex);
+ conn->in_use = FALSE;
+ this->mutex->unlock(this->mutex);
+ }
}
/**
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index 9287f788a..d484092e7 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -29,7 +29,10 @@ libstrongswan_openssl_la_SOURCES = \
openssl_pkcs12.c openssl_pkcs12.h \
openssl_rng.c openssl_rng.h \
openssl_hmac.c openssl_hmac.h \
- openssl_gcm.c openssl_gcm.h
+ openssl_gcm.c openssl_gcm.h \
+ openssl_x_diffie_hellman.c openssl_x_diffie_hellman.h \
+ openssl_ed_private_key.c openssl_ed_private_key.h \
+ openssl_ed_public_key.c openssl_ed_public_key.h
libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
libstrongswan_openssl_la_LIBADD = $(OPENSSL_LIB)
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index 79be2e670..da04d17cf 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -145,7 +145,8 @@ am_libstrongswan_openssl_la_OBJECTS = openssl_plugin.lo \
openssl_ec_diffie_hellman.lo openssl_ec_private_key.lo \
openssl_ec_public_key.lo openssl_x509.lo openssl_crl.lo \
openssl_pkcs7.lo openssl_pkcs12.lo openssl_rng.lo \
- openssl_hmac.lo openssl_gcm.lo
+ openssl_hmac.lo openssl_gcm.lo openssl_x_diffie_hellman.lo \
+ openssl_ed_private_key.lo openssl_ed_public_key.lo
libstrongswan_openssl_la_OBJECTS = \
$(am_libstrongswan_openssl_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
@@ -487,7 +488,10 @@ libstrongswan_openssl_la_SOURCES = \
openssl_pkcs12.c openssl_pkcs12.h \
openssl_rng.c openssl_rng.h \
openssl_hmac.c openssl_hmac.h \
- openssl_gcm.c openssl_gcm.h
+ openssl_gcm.c openssl_gcm.h \
+ openssl_x_diffie_hellman.c openssl_x_diffie_hellman.h \
+ openssl_ed_private_key.c openssl_ed_private_key.h \
+ openssl_ed_public_key.c openssl_ed_public_key.h
libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
libstrongswan_openssl_la_LIBADD = $(OPENSSL_LIB)
@@ -586,6 +590,8 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_diffie_hellman.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_private_key.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_public_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ed_private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ed_public_key.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_gcm.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_hasher.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_hmac.Plo@am__quote@
@@ -598,6 +604,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_sha1_prf.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_util.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_x509.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_x_diffie_hellman.Plo@am__quote@
.c.o:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index bb5f20dcf..3e7490dc6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -57,6 +57,9 @@ static inline void X509_CRL_get0_signature(const X509_CRL *crl, ASN1_BIT_STRING
#define X509_REVOKED_get0_serialNumber(r) ({ (r)->serialNumber; })
#define X509_REVOKED_get0_revocationDate(r) ({ (r)->revocationDate; })
#define X509_CRL_get0_extensions(c) ({ (c)->crl->extensions; })
+#define ASN1_STRING_get0_data(a) ASN1_STRING_data(a)
+#define X509_CRL_get0_lastUpdate(c) X509_CRL_get_lastUpdate(c)
+#define X509_CRL_get0_nextUpdate(c) X509_CRL_get_nextUpdate(c)
#endif
typedef struct private_openssl_crl_t private_openssl_crl_t;
@@ -193,7 +196,7 @@ METHOD(enumerator_t, crl_enumerate, bool,
if (ASN1_STRING_type(crlrsn) == V_ASN1_ENUMERATED &&
ASN1_STRING_length(crlrsn) == 1)
{
- *reason = *ASN1_STRING_data(crlrsn);
+ *reason = *ASN1_STRING_get0_data(crlrsn);
}
ASN1_STRING_free(crlrsn);
}
@@ -288,7 +291,11 @@ METHOD(certificate_t, issued_by, bool,
chunk_t fingerprint, tbs;
public_key_t *key;
x509_t *x509;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ const ASN1_BIT_STRING *sig;
+#else
ASN1_BIT_STRING *sig;
+#endif
bool valid;
if (issuer->get_type(issuer) != CERT_X509)
@@ -509,7 +516,7 @@ static bool parse_extensions(private_openssl_crl_t *this)
bool ok;
int i, num;
X509_EXTENSION *ext;
- STACK_OF(X509_EXTENSION) *extensions;
+ const STACK_OF(X509_EXTENSION) *extensions;
extensions = X509_CRL_get0_extensions(this->crl);
if (extensions)
@@ -564,7 +571,11 @@ static bool parse_crl(private_openssl_crl_t *this)
{
const unsigned char *ptr = this->encoding.ptr;
chunk_t sig_scheme;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ const X509_ALGOR *alg;
+#else
X509_ALGOR *alg;
+#endif
this->crl = d2i_X509_CRL(NULL, &ptr, this->encoding.len);
if (!this->crl)
@@ -573,7 +584,7 @@ static bool parse_crl(private_openssl_crl_t *this)
}
X509_CRL_get0_signature(this->crl, NULL, &alg);
- sig_scheme = openssl_i2chunk(X509_ALGOR, alg);
+ sig_scheme = openssl_i2chunk(X509_ALGOR, (X509_ALGOR*)alg);
INIT(this->scheme);
if (!signature_params_parse(sig_scheme, 0, this->scheme))
{
@@ -588,8 +599,8 @@ static bool parse_crl(private_openssl_crl_t *this)
{
return FALSE;
}
- this->thisUpdate = openssl_asn1_to_time(X509_CRL_get_lastUpdate(this->crl));
- this->nextUpdate = openssl_asn1_to_time(X509_CRL_get_nextUpdate(this->crl));
+ this->thisUpdate = openssl_asn1_to_time(X509_CRL_get0_lastUpdate(this->crl));
+ this->nextUpdate = openssl_asn1_to_time(X509_CRL_get0_nextUpdate(this->crl));
return parse_extensions(this);
}
diff --git a/src/libstrongswan/plugins/openssl/openssl_ed_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ed_private_key.c
new file mode 100644
index 000000000..b5bc9b868
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_ed_private_key.c
@@ -0,0 +1,356 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <openssl/evp.h>
+
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
+
+#include "openssl_ed_private_key.h"
+
+#include <utils/debug.h>
+
+typedef struct private_private_key_t private_private_key_t;
+
+/**
+ * Private data
+ */
+struct private_private_key_t {
+
+ /**
+ * Public interface
+ */
+ private_key_t public;
+
+ /**
+ * Key object
+ */
+ EVP_PKEY *key;
+
+ /**
+ * Key type
+ */
+ key_type_t type;
+
+ /**
+ * TRUE if the key is from an OpenSSL ENGINE and might not be readable
+ */
+ bool engine;
+
+ /**
+ * reference count
+ */
+ refcount_t ref;
+};
+
+/**
+ * We can't include asn1.h, declare function prototype directly
+ */
+int asn1_unwrap(chunk_t*, chunk_t*);
+
+/* from ed public key */
+int openssl_ed_key_type(key_type_t type);
+int openssl_ed_keysize(key_type_t type);
+bool openssl_ed_fingerprint(EVP_PKEY *key, cred_encoding_type_t type, chunk_t *fp);
+
+METHOD(private_key_t, sign, bool,
+ private_private_key_t *this, signature_scheme_t scheme,
+ void *params, chunk_t data, chunk_t *signature)
+{
+ EVP_MD_CTX *ctx;
+ bool success = FALSE;
+
+ if ((this->type == KEY_ED25519 && scheme != SIGN_ED25519) ||
+ (this->type == KEY_ED448 && scheme != SIGN_ED448))
+ {
+ DBG1(DBG_LIB, "signature scheme %N not supported by %N key",
+ signature_scheme_names, scheme, key_type_names, this->type);
+ return FALSE;
+ }
+
+ ctx = EVP_MD_CTX_new();
+ if (!ctx ||
+ EVP_DigestSignInit(ctx, NULL, NULL, NULL, this->key) <= 0)
+ {
+ goto error;
+ }
+
+ if (EVP_DigestSign(ctx, NULL, &signature->len, data.ptr, data.len) <= 0)
+ {
+ goto error;
+ }
+
+ *signature = chunk_alloc(signature->len);
+
+ if (EVP_DigestSign(ctx, signature->ptr, &signature->len,
+ data.ptr, data.len) <= 0)
+ {
+ goto error;
+ }
+
+ success = TRUE;
+
+error:
+ EVP_MD_CTX_free(ctx);
+ return success;
+}
+
+METHOD(private_key_t, decrypt, bool,
+ private_private_key_t *this, encryption_scheme_t scheme,
+ chunk_t crypto, chunk_t *plain)
+{
+ DBG1(DBG_LIB, "EdDSA private key decryption not implemented");
+ return FALSE;
+}
+
+METHOD(private_key_t, get_keysize, int,
+ private_private_key_t *this)
+{
+ return openssl_ed_keysize(this->type);
+}
+
+METHOD(private_key_t, get_type, key_type_t,
+ private_private_key_t *this)
+{
+ return this->type;
+}
+
+METHOD(private_key_t, get_public_key, public_key_t*,
+ private_private_key_t *this)
+{
+ public_key_t *public;
+ chunk_t key;
+
+ if (!EVP_PKEY_get_raw_public_key(this->key, NULL, &key.len))
+ {
+ return FALSE;
+ }
+ key = chunk_alloca(key.len);
+ if (!EVP_PKEY_get_raw_public_key(this->key, key.ptr, &key.len))
+ {
+ return FALSE;
+ }
+ public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, this->type,
+ BUILD_EDDSA_PUB, key, BUILD_END);
+ return public;
+}
+
+METHOD(private_key_t, get_fingerprint, bool,
+ private_private_key_t *this, cred_encoding_type_t type,
+ chunk_t *fingerprint)
+{
+ return openssl_ed_fingerprint(this->key, type, fingerprint);
+}
+
+METHOD(private_key_t, get_encoding, bool,
+ private_private_key_t *this, cred_encoding_type_t type, chunk_t *encoding)
+{
+ u_char *p;
+
+ if (this->engine)
+ {
+ return FALSE;
+ }
+
+ switch (type)
+ {
+ case PRIVKEY_ASN1_DER:
+ case PRIVKEY_PEM:
+ {
+ bool success = TRUE;
+
+ *encoding = chunk_alloc(i2d_PrivateKey(this->key, NULL));
+ p = encoding->ptr;
+ i2d_PrivateKey(this->key, &p);
+
+ if (type == PRIVKEY_PEM)
+ {
+ chunk_t asn1_encoding = *encoding;
+
+ success = lib->encoding->encode(lib->encoding, PRIVKEY_PEM,
+ NULL, encoding, CRED_PART_EDDSA_PRIV_ASN1_DER,
+ asn1_encoding, CRED_PART_END);
+ chunk_clear(&asn1_encoding);
+ }
+ return success;
+ }
+ default:
+ return FALSE;
+ }
+}
+
+METHOD(private_key_t, get_ref, private_key_t*,
+ private_private_key_t *this)
+{
+ ref_get(&this->ref);
+ return &this->public;
+}
+
+METHOD(private_key_t, destroy, void,
+ private_private_key_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ lib->encoding->clear_cache(lib->encoding, this->key);
+ EVP_PKEY_free(this->key);
+ free(this);
+ }
+}
+
+/**
+ * Internal generic constructor
+ */
+static private_private_key_t *create_internal(key_type_t type, EVP_PKEY *key)
+{
+ private_private_key_t *this;
+
+ INIT(this,
+ .public = {
+ .get_type = _get_type,
+ .sign = _sign,
+ .decrypt = _decrypt,
+ .get_keysize = _get_keysize,
+ .get_public_key = _get_public_key,
+ .equals = private_key_equals,
+ .belongs_to = private_key_belongs_to,
+ .get_fingerprint = _get_fingerprint,
+ .has_fingerprint = private_key_has_fingerprint,
+ .get_encoding = _get_encoding,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .type = type,
+ .key = key,
+ .ref = 1,
+ );
+
+ return this;
+}
+
+/*
+ * Described in header
+ */
+private_key_t *openssl_ed_private_key_create(EVP_PKEY *key, bool engine)
+{
+ private_private_key_t *this;
+ key_type_t type;
+
+ switch (EVP_PKEY_base_id(key))
+ {
+ case EVP_PKEY_X25519:
+ type = KEY_ED25519;
+ break;
+ case EVP_PKEY_X448:
+ type = KEY_ED448;
+ break;
+ default:
+ EVP_PKEY_free(key);
+ return NULL;
+ }
+
+ this = create_internal(type, key);
+ this->engine = engine;
+ return &this->public;
+}
+
+/*
+ * Described in header
+ */
+private_key_t *openssl_ed_private_key_gen(key_type_t type, va_list args)
+{
+ private_private_key_t *this;
+ EVP_PKEY_CTX *ctx;
+ EVP_PKEY *key = NULL;
+
+ while (TRUE)
+ {
+ switch (va_arg(args, builder_part_t))
+ {
+ case BUILD_KEY_SIZE:
+ /* just ignore the key size */
+ va_arg(args, u_int);
+ continue;
+ case BUILD_END:
+ break;
+ default:
+ return NULL;
+ }
+ break;
+ }
+
+ ctx = EVP_PKEY_CTX_new_id(openssl_ed_key_type(type), NULL);
+ if (!ctx ||
+ EVP_PKEY_keygen_init(ctx) <= 0 ||
+ EVP_PKEY_keygen(ctx, &key) <= 0)
+ {
+ DBG1(DBG_LIB, "generating %N key failed", key_type_names, type);
+ EVP_PKEY_CTX_free(ctx);
+ return NULL;
+ }
+ EVP_PKEY_CTX_free(ctx);
+
+ this = create_internal(type, key);
+ return &this->public;
+}
+
+/*
+ * Described in header
+ */
+private_key_t *openssl_ed_private_key_load(key_type_t type, va_list args)
+{
+ private_private_key_t *this;
+ chunk_t blob = chunk_empty, priv = chunk_empty;
+ EVP_PKEY *key = NULL;
+
+ while (TRUE)
+ {
+ switch (va_arg(args, builder_part_t))
+ {
+ case BUILD_BLOB_ASN1_DER:
+ blob = va_arg(args, chunk_t);
+ continue;
+ case BUILD_EDDSA_PRIV_ASN1_DER:
+ priv = va_arg(args, chunk_t);
+ continue;
+ case BUILD_END:
+ break;
+ default:
+ return NULL;
+ }
+ break;
+ }
+
+ if (priv.len)
+ {
+ /* unwrap octet string */
+ if (asn1_unwrap(&priv, &priv) == 0x04 && priv.len)
+ {
+ key = EVP_PKEY_new_raw_private_key(openssl_ed_key_type(type), NULL,
+ priv.ptr, priv.len);
+ }
+ }
+ else if (blob.len)
+ {
+ key = d2i_PrivateKey(openssl_ed_key_type(type), NULL,
+ (const u_char**)&blob.ptr, blob.len);
+ }
+ if (!key)
+ {
+ return NULL;
+ }
+ this = create_internal(type, key);
+ return &this->public;
+}
+
+#endif /* OPENSSL_NO_ECDSA */
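Review bot: `openssl_ed_private_key_create()` switches on `EVP_PKEY_X25519` and `EVP_PKEY_X448`, which are the key-exchange types, while the header documents it as wrapping `EVP_PKEY_ED25519/448` objects and both call sites in openssl_plugin.c reach it from `case EVP_PKEY_ED25519:` / `case EVP_PKEY_ED448:`. As written, an EdDSA key would fall into `default`, be freed and yield NULL, so keys coming from the generic loader or an engine could not be used; the labels should read `case EVP_PKEY_ED25519:` and `case EVP_PKEY_ED448:`. Separately, `get_public_key` returns `FALSE` from a pointer-returning method (`return NULL;` states the intent), and `sign` leaves `*signature` allocated when the second `EVP_DigestSign()` fails. The closing `#endif /* OPENSSL_NO_ECDSA */` comment also no longer matches the `#if` it ends.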
diff --git a/src/libstrongswan/plugins/openssl/openssl_ed_private_key.h b/src/libstrongswan/plugins/openssl/openssl_ed_private_key.h
new file mode 100644
index 000000000..ce9071348
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_ed_private_key.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup openssl_ed_private_key openssl_ed_private_key
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_ED_PRIVATE_KEY_H_
+#define OPENSSL_ED_PRIVATE_KEY_H_
+
+#include <openssl/evp.h>
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+/**
+ * Generate an EdDSA private key using OpenSSL.
+ *
+ * @param type type of the key, must be KEY_ED25519 or KEY_ED448
+ * @param args builder_part_t argument list
+ * @return generated key, NULL on failure
+ */
+private_key_t *openssl_ed_private_key_gen(key_type_t type, va_list args);
+
+/**
+ * Load an EdDSA private key using OpenSSL.
+ *
+ * Accepts a BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type type of the key, must be KEY_ED25519 or KEY_ED448
+ * @param args builder_part_t argument list
+ * @return loaded key, NULL on failure
+ */
+private_key_t *openssl_ed_private_key_load(key_type_t type, va_list args);
+
+/**
+ * Wrap an EVP_PKEY object of type EVP_PKEY_ED25519/448
+ *
+ * @param key EVP_PKEY object (adopted)
+ * @param engine whether the key was loaded via an engine
+ * @return loaded key, NULL on failure
+ */
+private_key_t *openssl_ed_private_key_create(EVP_PKEY *key, bool engine);
+
+#endif /** OPENSSL_ED_PRIVATE_KEY_H_ @}*/
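Review bot: The comment on `openssl_ed_private_key_load()` lists only `BUILD_BLOB_ASN1_DER`, but the implementation in openssl_ed_private_key.c also consumes `BUILD_EDDSA_PRIV_ASN1_DER`; I would write `Accepts a BUILD_BLOB_ASN1_DER or BUILD_EDDSA_PRIV_ASN1_DER argument.` The same gap exists in openssl_ed_public_key.h, where `openssl_ed_public_key_load()` also handles `BUILD_EDDSA_PUB`. For `openssl_ed_private_key_create()` it is worth stating that the adopted key is freed when NULL is returned, since the implementation calls `EVP_PKEY_free(key)` on the unsupported-type path.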
diff --git a/src/libstrongswan/plugins/openssl/openssl_ed_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ed_public_key.c
new file mode 100644
index 000000000..2daddc57e
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_ed_public_key.c
@@ -0,0 +1,304 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <openssl/evp.h>
+
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
+
+#include <openssl/x509.h>
+
+#include "openssl_ed_public_key.h"
+
+#include <utils/debug.h>
+
+typedef struct private_public_key_t private_public_key_t;
+
+/**
+ * Private data
+ */
+struct private_public_key_t {
+
+ /**
+ * Public interface
+ */
+ public_key_t public;
+
+ /**
+ * Key object
+ */
+ EVP_PKEY *key;
+
+ /**
+ * Key type
+ */
+ key_type_t type;
+
+ /**
+ * Reference counter
+ */
+ refcount_t ref;
+};
+
+/**
+ * Map a key type to an EVP key type
+ */
+int openssl_ed_key_type(key_type_t type)
+{
+ switch (type)
+ {
+ case KEY_ED25519:
+ return EVP_PKEY_ED25519;
+ case KEY_ED448:
+ return EVP_PKEY_ED448;
+ default:
+ return 0;
+ }
+}
+
+/**
+ * Map a key type to a key size
+ */
+int openssl_ed_keysize(key_type_t type)
+{
+ switch (type)
+ {
+ case KEY_ED25519:
+ return 32 * 8;
+ case KEY_ED448:
+ return 57 * 8;
+ default:
+ return 0;
+ }
+}
+
+METHOD(public_key_t, get_type, key_type_t,
+ private_public_key_t *this)
+{
+ return this->type;
+}
+
+METHOD(public_key_t, verify, bool,
+ private_public_key_t *this, signature_scheme_t scheme,
+ void *params, chunk_t data, chunk_t signature)
+{
+ EVP_MD_CTX *ctx;
+
+ if ((this->type == KEY_ED25519 && scheme != SIGN_ED25519) ||
+ (this->type == KEY_ED448 && scheme != SIGN_ED448))
+ {
+ DBG1(DBG_LIB, "signature scheme %N not supported by %N key",
+ signature_scheme_names, scheme, key_type_names, this->type);
+ return FALSE;
+ }
+
+ ctx = EVP_MD_CTX_new();
+ if (!ctx ||
+ EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, this->key) <= 0 ||
+ EVP_DigestVerify(ctx, signature.ptr, signature.len,
+ data.ptr, data.len) <= 0)
+ {
+ EVP_MD_CTX_free(ctx);
+ return FALSE;
+ }
+ EVP_MD_CTX_free(ctx);
+ return TRUE;
+}
+
+METHOD(public_key_t, encrypt, bool,
+ private_public_key_t *this, encryption_scheme_t scheme,
+ chunk_t crypto, chunk_t *plain)
+{
+ DBG1(DBG_LIB, "encryption scheme %N not supported", encryption_scheme_names,
+ scheme);
+ return FALSE;
+}
+
+METHOD(public_key_t, get_keysize, int,
+ private_public_key_t *this)
+{
+ return openssl_ed_keysize(this->type);
+}
+
+/**
+ * Calculate fingerprint from an EdDSA key, also used in ed private key.
+ */
+bool openssl_ed_fingerprint(EVP_PKEY *key, cred_encoding_type_t type,
+ chunk_t *fp)
+{
+ hasher_t *hasher;
+ chunk_t blob;
+ u_char *p;
+
+ if (lib->encoding->get_cache(lib->encoding, type, key, fp))
+ {
+ return TRUE;
+ }
+ switch (type)
+ {
+ case KEYID_PUBKEY_SHA1:
+ if (!EVP_PKEY_get_raw_public_key(key, NULL, &blob.len))
+ {
+ return FALSE;
+ }
+ blob = chunk_alloca(blob.len);
+ if (!EVP_PKEY_get_raw_public_key(key, blob.ptr, &blob.len))
+ {
+ return FALSE;
+ }
+ break;
+ case KEYID_PUBKEY_INFO_SHA1:
+ blob = chunk_alloca(i2d_PUBKEY(key, NULL));
+ p = blob.ptr;
+ i2d_PUBKEY(key, &p);
+ break;
+ default:
+ return FALSE;
+ }
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+ if (!hasher || !hasher->allocate_hash(hasher, blob, fp))
+ {
+ DBG1(DBG_LIB, "SHA1 not supported, fingerprinting failed");
+ DESTROY_IF(hasher);
+ return FALSE;
+ }
+ hasher->destroy(hasher);
+ lib->encoding->cache(lib->encoding, type, key, *fp);
+ return TRUE;
+}
+
+METHOD(public_key_t, get_fingerprint, bool,
+ private_public_key_t *this, cred_encoding_type_t type, chunk_t *fingerprint)
+{
+ return openssl_ed_fingerprint(this->key, type, fingerprint);
+}
+
+METHOD(public_key_t, get_encoding, bool,
+ private_public_key_t *this, cred_encoding_type_t type, chunk_t *encoding)
+{
+ bool success = TRUE;
+ u_char *p;
+
+ *encoding = chunk_alloc(i2d_PUBKEY(this->key, NULL));
+ p = encoding->ptr;
+ i2d_PUBKEY(this->key, &p);
+
+ if (type != PUBKEY_SPKI_ASN1_DER)
+ {
+ chunk_t asn1_encoding = *encoding;
+
+ success = lib->encoding->encode(lib->encoding, type,
+ NULL, encoding, CRED_PART_EDDSA_PUB_ASN1_DER,
+ asn1_encoding, CRED_PART_END);
+ chunk_clear(&asn1_encoding);
+ }
+ return success;
+}
+
+METHOD(public_key_t, get_ref, public_key_t*,
+ private_public_key_t *this)
+{
+ ref_get(&this->ref);
+ return &this->public;
+}
+
+METHOD(public_key_t, destroy, void,
+ private_public_key_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ lib->encoding->clear_cache(lib->encoding, this->key);
+ EVP_PKEY_free(this->key);
+ free(this);
+ }
+}
+
+/**
+ * Generic private constructor
+ */
+static private_public_key_t *create_empty(key_type_t type)
+{
+ private_public_key_t *this;
+
+ INIT(this,
+ .public = {
+ .get_type = _get_type,
+ .verify = _verify,
+ .encrypt = _encrypt,
+ .get_keysize = _get_keysize,
+ .equals = public_key_equals,
+ .get_fingerprint = _get_fingerprint,
+ .has_fingerprint = public_key_has_fingerprint,
+ .get_encoding = _get_encoding,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .type = type,
+ .ref = 1,
+ );
+
+ return this;
+}
+
+/*
+ * Described in header
+ */
+public_key_t *openssl_ed_public_key_load(key_type_t type, va_list args)
+{
+ private_public_key_t *this;
+ chunk_t blob = chunk_empty, pub = chunk_empty;
+ EVP_PKEY *key = NULL;
+
+ while (TRUE)
+ {
+ switch (va_arg(args, builder_part_t))
+ {
+ case BUILD_BLOB_ASN1_DER:
+ blob = va_arg(args, chunk_t);
+ continue;
+ case BUILD_EDDSA_PUB:
+ pub = va_arg(args, chunk_t);
+ continue;
+ case BUILD_END:
+ break;
+ default:
+ return NULL;
+ }
+ break;
+ }
+
+ if (pub.len)
+ {
+ key = EVP_PKEY_new_raw_public_key(openssl_ed_key_type(type), NULL,
+ pub.ptr, pub.len);
+ }
+ else if (blob.len)
+ {
+ key = d2i_PUBKEY(NULL, (const u_char**)&blob.ptr, blob.len);
+ if (key && EVP_PKEY_base_id(key) != openssl_ed_key_type(type))
+ {
+ EVP_PKEY_free(key);
+ return NULL;
+ }
+ }
+ if (!key)
+ {
+ return NULL;
+ }
+ this = create_empty(type);
+ this->key = key;
+ return &this->public;
+}
+
+#endif /* OPENSSL_VERSION_NUMBER */
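Review bot: In `openssl_ed_fingerprint()` the result of `i2d_PUBKEY(key, NULL)` is passed straight to `chunk_alloca()`, and in `get_encoding` to `chunk_alloc()`, although the call can return a non-positive value on error. That value would presumably be converted to a very large size, which is especially awkward for the stack allocation. Storing the length first and bailing out, e.g. `int len = i2d_PUBKEY(key, NULL);` followed by `if (len <= 0) { return FALSE; }`, avoids that. `get_encoding` in openssl_ed_private_key.c has the same pattern with `i2d_PrivateKey()`.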
diff --git a/src/libstrongswan/plugins/openssl/openssl_ed_public_key.h b/src/libstrongswan/plugins/openssl/openssl_ed_public_key.h
new file mode 100644
index 000000000..c4e1ba3ed
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_ed_public_key.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup openssl_ed_public_key openssl_ed_public_key
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_ED_PUBLIC_KEY_H_
+#define OPENSSL_ED_PUBLIC_KEY_H_
+
+#include <credentials/builder.h>
+#include <credentials/keys/public_key.h>
+
+/**
+ * Load an EdDSA public key using OpenSSL.
+ *
+ * Accepts a BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type type of the key, must be KEY_ED25519 or KEY_ED448
+ * @param args builder_part_t argument list
+ * @return loaded key, NULL on failure
+ */
+public_key_t *openssl_ed_public_key_load(key_type_t type, va_list args);
+
+#endif /** OPENSSL_ED_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 8b0a7c5c7..cbeb6c3b7 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2016 Tobias Brunner
+ * Copyright (C) 2008-2018 Tobias Brunner
* Copyright (C) 2008 Martin Willi
* HSR Hochschule fuer Technik Rapperswil
*
@@ -47,6 +47,9 @@
#include "openssl_rng.h"
#include "openssl_hmac.h"
#include "openssl_gcm.h"
+#include "openssl_x_diffie_hellman.h"
+#include "openssl_ed_public_key.h"
+#include "openssl_ed_private_key.h"
#ifndef FIPS_MODE
#define FIPS_MODE 0
@@ -307,6 +310,11 @@ static private_key_t *openssl_private_key_load(key_type_t type, va_list args)
case EVP_PKEY_EC:
return openssl_ec_private_key_create(key, FALSE);
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
+ case EVP_PKEY_ED25519:
+ case EVP_PKEY_ED448:
+ return openssl_ed_private_key_create(key, FALSE);
+#endif /* OPENSSL_VERSION_NUMBER */
default:
EVP_PKEY_free(key);
break;
@@ -370,7 +378,7 @@ static private_key_t *openssl_private_key_connect(key_type_t type,
#ifndef OPENSSL_NO_ENGINE
char *engine_id = NULL;
char keyname[BUF_LEN];
- chunk_t keyid = chunk_empty;;
+ chunk_t keyid = chunk_empty;
EVP_PKEY *key;
ENGINE *engine;
int slot = -1;
@@ -395,7 +403,7 @@ static private_key_t *openssl_private_key_connect(key_type_t type,
}
break;
}
- if (!keyid.len || keyid.len > 40)
+ if (!keyid.len)
{
return NULL;
}
@@ -405,7 +413,7 @@ static private_key_t *openssl_private_key_connect(key_type_t type,
{
snprintf(keyname, sizeof(keyname), "%d:", slot);
}
- if (sizeof(keyname) - strlen(keyname) <= keyid.len * 4 / 3 + 1)
+ if (sizeof(keyname) - strlen(keyname) <= keyid.len * 2 + 1)
{
return NULL;
}
@@ -428,21 +436,21 @@ static private_key_t *openssl_private_key_connect(key_type_t type,
ENGINE_free(engine);
return NULL;
}
+ ENGINE_free(engine);
if (!login(engine, keyid))
{
DBG1(DBG_LIB, "login to engine '%s' failed", engine_id);
- ENGINE_free(engine);
+ ENGINE_finish(engine);
return NULL;
}
key = ENGINE_load_private_key(engine, keyname, NULL, NULL);
+ ENGINE_finish(engine);
if (!key)
{
DBG1(DBG_LIB, "failed to load private key with ID '%s' from "
"engine '%s'", keyname, engine_id);
- ENGINE_free(engine);
return NULL;
}
- ENGINE_free(engine);
switch (EVP_PKEY_base_id(key))
{
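Review bot: The `ENGINE_free(engine)` added immediately before `login(engine, keyid)` and `ENGINE_load_private_key()` reads like a use-after-free to anyone who does not know OpenSSL's split between structural and functional engine references. Presumably the failure branch just above belongs to `ENGINE_init()`, in which case the functional reference keeps the engine alive until `ENGINE_finish()`. A short comment would make that explicit, e.g. `/* drop the structural reference, the functional one from ENGINE_init() is released via ENGINE_finish() */`. The function starts and ends outside this hunk.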
@@ -454,6 +462,11 @@ static private_key_t *openssl_private_key_connect(key_type_t type,
case EVP_PKEY_EC:
return openssl_ec_private_key_create(key, TRUE);
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
+ case EVP_PKEY_ED25519:
+ case EVP_PKEY_ED448:
+ return openssl_ed_private_key_create(key, TRUE);
+#endif /* OPENSSL_VERSION_NUMBER */
default:
EVP_PKEY_free(key);
break;
@@ -594,7 +607,7 @@ METHOD(plugin_t, get_features, int,
PLUGIN_PROVIDE(DH, ECP_384_BP),
PLUGIN_PROVIDE(DH, ECP_512_BP),
PLUGIN_PROVIDE(DH, ECP_224_BP),
-#endif
+#endif /* OPENSSL_NO_ECDH */
#ifndef OPENSSL_NO_DH
/* MODP DH groups */
PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
@@ -699,6 +712,30 @@ METHOD(plugin_t, get_features, int,
PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
#endif
#endif /* OPENSSL_NO_ECDSA */
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)
+ PLUGIN_REGISTER(DH, openssl_x_diffie_hellman_create),
+ /* available since 1.1.0a, but we require 1.1.1 features */
+ PLUGIN_PROVIDE(DH, CURVE_25519),
+ /* available since 1.1.1 */
+ PLUGIN_PROVIDE(DH, CURVE_448),
+ /* EdDSA private/public key loading */
+ PLUGIN_REGISTER(PUBKEY, openssl_ed_public_key_load, TRUE),
+ PLUGIN_PROVIDE(PUBKEY, KEY_ED25519),
+ PLUGIN_PROVIDE(PUBKEY, KEY_ED448),
+ PLUGIN_REGISTER(PRIVKEY, openssl_ed_private_key_load, TRUE),
+ PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519),
+ PLUGIN_PROVIDE(PRIVKEY, KEY_ED448),
+ PLUGIN_REGISTER(PRIVKEY_GEN, openssl_ed_private_key_gen, FALSE),
+ PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED25519),
+ PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED448),
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED25519),
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED448),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED25519),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED448),
+ /* register a pro forma identity hasher, never instantiated */
+ PLUGIN_REGISTER(HASHER, return_null),
+ PLUGIN_PROVIDE(HASHER, HASH_IDENTITY),
+#endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_EC */
/* generic key loader */
PLUGIN_REGISTER(PRIVKEY, openssl_private_key_load, TRUE),
PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
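Review bot: `PLUGIN_REGISTER(DH, openssl_x_diffie_hellman_create)` is compiled under `!defined(OPENSSL_NO_EC)`, but openssl_x_diffie_hellman.c in this commit guards the definition with `!defined(OPENSSL_NO_ECDH)`. If a build ever defines `OPENSSL_NO_ECDH` without `OPENSSL_NO_EC`, the reference here would have no definition. Using the same macro in both places, or giving the two DH entries their own `#if`, keeps registration and implementation in step. get_features continues outside the hunk.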
diff --git a/src/libstrongswan/plugins/openssl/openssl_rng.c b/src/libstrongswan/plugins/openssl/openssl_rng.c
index a25b6b4b6..d3993749f 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rng.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rng.c
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2012-2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2012 Aleksandr Grinberg
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -24,7 +27,6 @@
#include <utils/debug.h>
#include <openssl/rand.h>
-#include <openssl/err.h>
#include "openssl_rng.h"
@@ -49,6 +51,13 @@ struct private_openssl_rng_t {
METHOD(rng_t, get_bytes, bool,
private_openssl_rng_t *this, size_t bytes, uint8_t *buffer)
{
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
+ if (this->quality > RNG_WEAK)
+ { /* use a separate DRBG for data we want to keep private, compared
+ * to e.g. nonces */
+ return RAND_priv_bytes((char*)buffer, bytes) == 1;
+ }
+#endif
return RAND_bytes((char*)buffer, bytes) == 1;
}
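Review bot: Both `RAND_priv_bytes()` and `RAND_bytes()` take the length as `int` and the buffer as `unsigned char *`, while this method passes `size_t bytes` and casts the buffer to `char*`. A request larger than INT_MAX would be narrowed silently, so the buffer might not be filled as the caller expects; a guard such as `if (bytes > INT_MAX) { return FALSE; }` at the top and a `(unsigned char*)` cast would be safer. This applies to the existing `RAND_bytes` line as well as the added one.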
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 401a51a0b..8a9fdfe25 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -103,13 +103,8 @@ static bool build_signature(private_openssl_rsa_private_key_t *this,
if (pss)
{
const EVP_MD *mgf1md = openssl_get_md(pss->mgf1_hash);
- int slen = EVP_MD_size(md);
- if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT)
- {
- slen = pss->salt_len;
- }
if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 ||
- EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, slen) <= 0 ||
+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, pss->salt_len) <= 0 ||
EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1md) <= 0)
{
goto error;
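Review bot: With the local `slen` fallback removed, `pss->salt_len` reaches `EVP_PKEY_CTX_set_rsa_pss_saltlen()` unchanged, so whatever the removed `RSA_PSS_SALT_LEN_DEFAULT` comparison used to catch must now be resolved before this function is called; that is not visible in this hunk. It matters because OpenSSL gives negative salt lengths special meanings (digest length, automatic or maximum), which on the verify side would relax the check. A comment such as `/* salt_len is resolved to a concrete length by the caller */` or an explicit rejection of `pss->salt_len < 0` would document the assumption. The same change is made in `verify_signature()` in openssl_rsa_public_key.c, and `build_signature()` starts and ends outside this hunk.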
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 20bf30ae9..38b4eda35 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -95,13 +95,8 @@ static bool verify_signature(private_openssl_rsa_public_key_t *this,
if (pss)
{
const EVP_MD *mgf1md = openssl_get_md(pss->mgf1_hash);
- int slen = EVP_MD_size(md);
- if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT)
- {
- slen = pss->salt_len;
- }
if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 ||
- EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, slen) <= 0 ||
+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, pss->salt_len) <= 0 ||
EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1md) <= 0)
{
goto error;
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c
index b7f969f73..f99dcd6b1 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.c
+++ b/src/libstrongswan/plugins/openssl/openssl_util.c
@@ -26,6 +26,7 @@
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define OBJ_get0_data(o) ((o)->data)
#define OBJ_length(o) ((o)->length)
+#define ASN1_STRING_get0_data(a) ASN1_STRING_data((ASN1_STRING*)a)
#endif
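Review bot: The compatibility macro casts its argument without parentheses, `(ASN1_STRING*)a`, so an argument that is an expression (pointer arithmetic, a conditional) would bind to the cast first. The usual form is `#define ASN1_STRING_get0_data(a) ASN1_STRING_data((ASN1_STRING*)(a))`. The neighbouring `OBJ_get0_data(o)` and `OBJ_length(o)` already parenthesise their argument.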
/**
@@ -164,11 +165,12 @@ chunk_t openssl_asn1_obj2chunk(ASN1_OBJECT *asn1)
/**
* Described in header.
*/
-chunk_t openssl_asn1_str2chunk(ASN1_STRING *asn1)
+chunk_t openssl_asn1_str2chunk(const ASN1_STRING *asn1)
{
if (asn1)
{
- return chunk_create(ASN1_STRING_data(asn1), ASN1_STRING_length(asn1));
+ return chunk_create((u_char*)ASN1_STRING_get0_data(asn1),
+ ASN1_STRING_length(asn1));
}
return chunk_empty;
}
@@ -212,7 +214,7 @@ int openssl_asn1_known_oid(ASN1_OBJECT *obj)
/**
* Described in header.
*/
-time_t openssl_asn1_to_time(ASN1_TIME *time)
+time_t openssl_asn1_to_time(const ASN1_TIME *time)
{
chunk_t chunk;
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.h b/src/libstrongswan/plugins/openssl/openssl_util.h
index 80e557fa8..4afe76bf2 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.h
+++ b/src/libstrongswan/plugins/openssl/openssl_util.h
@@ -109,7 +109,7 @@ chunk_t openssl_asn1_obj2chunk(ASN1_OBJECT *asn1);
* @param asn1 asn1 string to convert
* @return chunk, pointing into asn1 string
*/
-chunk_t openssl_asn1_str2chunk(ASN1_STRING *asn1);
+chunk_t openssl_asn1_str2chunk(const ASN1_STRING *asn1);
/**
* Convert an openssl X509_NAME to a identification_t of type ID_DER_ASN1_DN.
@@ -133,7 +133,7 @@ int openssl_asn1_known_oid(ASN1_OBJECT *obj);
* @param time openssl ASN1_TIME
* @returns time_t, 0 on error
*/
-time_t openssl_asn1_to_time(ASN1_TIME *time);
+time_t openssl_asn1_to_time(const ASN1_TIME *time);
/**
* Compatibility macros
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index fae2d678f..fe21b0221 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -389,7 +389,11 @@ METHOD(certificate_t, issued_by, bool,
public_key_t *key;
bool valid;
x509_t *x509 = (x509_t*)issuer;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ const ASN1_BIT_STRING *sig;
+#else
ASN1_BIT_STRING *sig;
+#endif
chunk_t tbs;
if (&this->public.x509.interface == issuer)
@@ -993,7 +997,7 @@ static bool parse_subjectKeyIdentifier_ext(private_openssl_x509_t *this,
*/
static bool parse_extensions(private_openssl_x509_t *this)
{
- STACK_OF(X509_EXTENSION) *extensions;
+ const STACK_OF(X509_EXTENSION) *extensions;
int i, num;
/* unless we see a keyUsage extension we are compliant with RFC 4945 */
@@ -1077,7 +1081,11 @@ static bool parse_certificate(private_openssl_x509_t *this)
hasher_t *hasher;
chunk_t chunk, sig_scheme, sig_scheme_tbs;
ASN1_OBJECT *oid;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ const X509_ALGOR *alg;
+#else
X509_ALGOR *alg;
+#endif
this->x509 = d2i_X509(NULL, &ptr, this->encoding.len);
if (!this->x509)
@@ -1135,9 +1143,9 @@ static bool parse_certificate(private_openssl_x509_t *this)
/* while X509_ALGOR_cmp() is declared in the headers of older OpenSSL
* versions, at least on Ubuntu 14.04 it is not actually defined */
X509_get0_signature(NULL, &alg, this->x509);
- sig_scheme = openssl_i2chunk(X509_ALGOR, alg);
+ sig_scheme = openssl_i2chunk(X509_ALGOR, (X509_ALGOR*)alg);
alg = X509_get0_tbs_sigalg(this->x509);
- sig_scheme_tbs = openssl_i2chunk(X509_ALGOR, alg);
+ sig_scheme_tbs = openssl_i2chunk(X509_ALGOR, (X509_ALGOR*)alg);
if (!chunk_equals(sig_scheme, sig_scheme_tbs))
{
free(sig_scheme_tbs.ptr);
diff --git a/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.c
new file mode 100644
index 000000000..37943f5bf
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.c
@@ -0,0 +1,256 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <openssl/evp.h>
+
+/* basic support for X25519 was added with 1.1.0a, but we require features (e.g.
+ * to load the keys) that were only added with 1.1.1 */
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_ECDH)
+
+#include "openssl_x_diffie_hellman.h"
+
+#include <utils/debug.h>
+
+typedef struct private_diffie_hellman_t private_diffie_hellman_t;
+
+/**
+ * Private data
+ */
+struct private_diffie_hellman_t {
+ /**
+ * Public interface.
+ */
+ diffie_hellman_t public;
+
+ /**
+ * Diffie Hellman group number.
+ */
+ diffie_hellman_group_t group;
+
+ /**
+ * Private (public) key
+ */
+ EVP_PKEY *key;
+
+ /**
+ * Shared secret
+ */
+ chunk_t shared_secret;
+
+ /**
+ * True if shared secret is computed
+ */
+ bool computed;
+};
+
+/**
+ * Map a DH group to a key type
+ */
+static int map_key_type(diffie_hellman_group_t group)
+{
+ switch (group)
+ {
+ case CURVE_25519:
+ return EVP_PKEY_X25519;
+ case CURVE_448:
+ return EVP_PKEY_X448;
+ default:
+ return 0;
+ }
+}
+
+/**
+ * Compute the shared secret
+ */
+static bool compute_shared_key(private_diffie_hellman_t *this, EVP_PKEY *pub,
+ chunk_t *shared_secret)
+{
+ EVP_PKEY_CTX *ctx;
+ bool success = FALSE;
+
+ ctx = EVP_PKEY_CTX_new(this->key, NULL);
+ if (!ctx)
+ {
+ return FALSE;
+ }
+
+ if (EVP_PKEY_derive_init(ctx) <= 0)
+ {
+ goto error;
+ }
+
+ if (EVP_PKEY_derive_set_peer(ctx, pub) <= 0)
+ {
+ goto error;
+ }
+
+ if (EVP_PKEY_derive(ctx, NULL, &shared_secret->len) <= 0)
+ {
+ goto error;
+ }
+
+ *shared_secret = chunk_alloc(shared_secret->len);
+
+ if (EVP_PKEY_derive(ctx, shared_secret->ptr, &shared_secret->len) <= 0)
+ {
+ goto error;
+ }
+
+ success = TRUE;
+
+error:
+ EVP_PKEY_CTX_free(ctx);
+ return success;
+}
+
+METHOD(diffie_hellman_t, set_other_public_value, bool,
+ private_diffie_hellman_t *this, chunk_t value)
+{
+ EVP_PKEY *pub;
+
+ if (!diffie_hellman_verify_value(this->group, value))
+ {
+ return FALSE;
+ }
+
+ pub = EVP_PKEY_new_raw_public_key(map_key_type(this->group), NULL,
+ value.ptr, value.len);
+ if (!pub)
+ {
+ DBG1(DBG_LIB, "%N public value is malformed",
+ diffie_hellman_group_names, this->group);
+ return FALSE;
+ }
+
+ chunk_clear(&this->shared_secret);
+
+ if (!compute_shared_key(this, pub, &this->shared_secret))
+ {
+ DBG1(DBG_LIB, "%N shared secret computation failed",
+ diffie_hellman_group_names, this->group);
+ EVP_PKEY_free(pub);
+ return FALSE;
+ }
+ this->computed = TRUE;
+ EVP_PKEY_free(pub);
+ return TRUE;
+}
+
+METHOD(diffie_hellman_t, get_my_public_value, bool,
+ private_diffie_hellman_t *this, chunk_t *value)
+{
+ size_t len;
+
+ if (!EVP_PKEY_get_raw_public_key(this->key, NULL, &len))
+ {
+ return FALSE;
+ }
+
+ *value = chunk_alloc(len);
+
+ if (!EVP_PKEY_get_raw_public_key(this->key, value->ptr, &value->len))
+ {
+ chunk_free(value);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+METHOD(diffie_hellman_t, set_private_value, bool,
+ private_diffie_hellman_t *this, chunk_t value)
+{
+ EVP_PKEY_free(this->key);
+ this->key = EVP_PKEY_new_raw_private_key(map_key_type(this->group), NULL,
+ value.ptr, value.len);
+ if (!this->key)
+ {
+ return FALSE;
+ }
+ return TRUE;
+}
+
+METHOD(diffie_hellman_t, get_shared_secret, bool,
+ private_diffie_hellman_t *this, chunk_t *secret)
+{
+ if (!this->computed)
+ {
+ return FALSE;
+ }
+ *secret = chunk_clone(this->shared_secret);
+ return TRUE;
+}
+
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+ private_diffie_hellman_t *this)
+{
+ return this->group;
+}
+
+METHOD(diffie_hellman_t, destroy, void,
+ private_diffie_hellman_t *this)
+{
+ EVP_PKEY_free(this->key);
+ chunk_clear(&this->shared_secret);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+diffie_hellman_t *openssl_x_diffie_hellman_create(diffie_hellman_group_t group)
+{
+ private_diffie_hellman_t *this;
+ EVP_PKEY_CTX *ctx = NULL;
+ EVP_PKEY *key = NULL;
+
+ switch (group)
+ {
+ case CURVE_25519:
+ ctx = EVP_PKEY_CTX_new_id(NID_X25519, NULL);
+ break;
+ case CURVE_448:
+ ctx = EVP_PKEY_CTX_new_id(NID_X448, NULL);
+ break;
+ default:
+ break;
+ }
+
+ if (!ctx ||
+ EVP_PKEY_keygen_init(ctx) <= 0 ||
+ EVP_PKEY_keygen(ctx, &key) <= 0)
+ {
+ DBG1(DBG_LIB, "generating key for %N failed",
+ diffie_hellman_group_names, group);
+ EVP_PKEY_CTX_free(ctx);
+ return NULL;
+ }
+ EVP_PKEY_CTX_free(ctx);
+
+ INIT(this,
+ .public = {
+ .get_shared_secret = _get_shared_secret,
+ .set_other_public_value = _set_other_public_value,
+ .get_my_public_value = _get_my_public_value,
+ .set_private_value = _set_private_value,
+ .get_dh_group = _get_dh_group,
+ .destroy = _destroy,
+ },
+ .group = group,
+ .key = key,
+ );
+ return &this->public;
+}
+
+#endif /* OPENSSL_NO_ECDH */
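Review bot: `set_other_public_value` clears `this->shared_secret` before calling `compute_shared_key()` but never resets `this->computed`, so after one successful exchange a later failing call leaves `computed` TRUE while the secret is empty or, if the second `EVP_PKEY_derive()` failed, freshly allocated and unfilled. `get_shared_secret` would then hand that out. Adding `this->computed = FALSE;` next to `chunk_clear(&this->shared_secret);` closes the gap. `set_private_value` replaces the key without invalidating an already computed secret and probably deserves the same reset.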
diff --git a/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.h
new file mode 100644
index 000000000..e28f38d15
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Implementation of the X25519/X448 Diffie-Hellman algorithm using OpenSSL.
+ *
+ * @defgroup openssl_x_diffie_hellman openssl_x_diffie_hellman
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_X_DIFFIE_HELLMAN_H_
+#define OPENSSL_X_DIFFIE_HELLMAN_H_
+
+#include <library.h>
+
+/**
+ * Creates a new diffie_hellman_t object.
+ *
+ * @param group Diffie Hellman group number to use
+ * @return object, NULL if not supported
+ */
+diffie_hellman_t *openssl_x_diffie_hellman_create(diffie_hellman_group_t group);
+
+#endif /** OPENSSL_X_DIFFIE_HELLMAN_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/sshkey/sshkey_builder.c b/src/libstrongswan/plugins/sshkey/sshkey_builder.c
index eab6559b3..934514249 100644
--- a/src/libstrongswan/plugins/sshkey/sshkey_builder.c
+++ b/src/libstrongswan/plugins/sshkey/sshkey_builder.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013-2014 Tobias Brunner
+ * Copyright (C) 2013-2018 Tobias Brunner
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -89,6 +89,34 @@ static sshkey_public_key_t *parse_public_key(chunk_t blob)
return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
}
+ else if (chunk_equals(format, chunk_from_str("ssh-ed25519")))
+ {
+ chunk_t blob;
+
+ if (!reader->read_data32(reader, &blob))
+ {
+ DBG1(DBG_LIB, "invalid Ed25519 key in SSH key");
+ reader->destroy(reader);
+ return NULL;
+ }
+ reader->destroy(reader);
+ return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519,
+ BUILD_EDDSA_PUB, blob, BUILD_END);
+ }
+ else if (chunk_equals(format, chunk_from_str("ssh-ed448")))
+ {
+ chunk_t blob;
+
+ if (!reader->read_data32(reader, &blob))
+ {
+ DBG1(DBG_LIB, "invalid Ed448 key in SSH key");
+ reader->destroy(reader);
+ return NULL;
+ }
+ reader->destroy(reader);
+ return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+ BUILD_EDDSA_PUB, blob, BUILD_END);
+ }
else if (format.len > strlen(ECDSA_PREFIX) &&
strpfx(format.ptr, ECDSA_PREFIX))
{
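Review bot: Both new branches pass the length-prefixed blob read from the SSH key straight to the `BUILD_EDDSA_PUB` builder without checking its size, so a truncated or oversized field is rejected only if the key builder validates it, which is not visible in this hunk. An Ed25519 public key is 32 bytes and an Ed448 public key is 57 bytes, so the read could be guarded as `if (!reader->read_data32(reader, &blob) || blob.len != 32)`, with `!= 57` in the `ssh-ed448` branch. The local `chunk_t blob` also shadows the `blob` parameter of `parse_public_key`; a distinct local name would avoid confusion. The function starts before and continues after this hunk.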
@@ -140,8 +168,9 @@ static sshkey_public_key_t *load_from_stream(FILE *file)
char line[1024], *token;
while (!public && fgets(line, sizeof(line), file))
- { /* the format is: ssh-rsa|ecdsa-... <key(base64)> <identifier> */
- if (!strpfx(line, "ssh-rsa") && !strpfx(line, ECDSA_PREFIX))
+ { /* the format is: ssh-<key-type> <key(base64)> <identifier> */
+ if (!strpfx(line, "ssh-rsa") && !strpfx(line, ECDSA_PREFIX) &&
+ !strpfx(line, "ssh-ed25519") && !strpfx(line, "ssh-ed448"))
{
continue;
}
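Review bot: The rewritten comment on the loop says every line has the form `ssh-<key-type> ...`, but the filter below still accepts lines starting with `ECDSA_PREFIX`, which the replaced comment showed as `ecdsa-...`. Wording such as `/* the format is: <key-type> <key(base64)> <identifier>, key types being ssh-rsa, ssh-ed25519, ssh-ed448 or ecdsa-... */` would keep the comment in line with the check. Because `strpfx` matches only a prefix, the exact key type is presumably validated again when the decoded blob is parsed. The body of `load_from_stream` extends beyond this hunk.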
diff --git a/src/libstrongswan/plugins/sshkey/sshkey_encoder.c b/src/libstrongswan/plugins/sshkey/sshkey_encoder.c
index 9f5f8bd1f..ed35fc010 100644
--- a/src/libstrongswan/plugins/sshkey/sshkey_encoder.c
+++ b/src/libstrongswan/plugins/sshkey/sshkey_encoder.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2013-2018 Tobias Brunner
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -72,6 +72,42 @@ static bool build_public_key(chunk_t *encoding, va_list args)
writer->destroy(writer);
return TRUE;
}
+ else if (cred_encoding_args(args, CRED_PART_EDDSA_PUB_ASN1_DER, &n,
+ CRED_PART_END))
+ {
+ chunk_t alg;
+ char *prefix;
+ int oid;
+
+ /* parse subjectPublicKeyInfo */
+ if (asn1_unwrap(&n, &n) != ASN1_SEQUENCE)
+ {
+ return FALSE;
+ }
+ oid = asn1_parse_algorithmIdentifier(n, 1, NULL);
+ switch (oid)
+ {
+ case OID_ED25519:
+ prefix = "ssh-ed25519";
+ break;
+ case OID_ED448:
+ prefix = "ssh-ed448";
+ break;
+ default:
+ return FALSE;
+ }
+ if (asn1_unwrap(&n, &alg) != ASN1_SEQUENCE ||
+ asn1_unwrap(&n, &n) != ASN1_BIT_STRING || !n.len)
+ {
+ return FALSE;
+ }
+ writer = bio_writer_create(0);
+ writer->write_data32(writer, chunk_from_str(prefix));
+ writer->write_data32(writer, chunk_skip(n, 1));
+ *encoding = chunk_to_base64(writer->get_buf(writer), NULL);
+ writer->destroy(writer);
+ return TRUE;
+ }
else if (cred_encoding_args(args, CRED_PART_ECDSA_PUB_ASN1_DER, &n,
CRED_PART_END))
{
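Review bot: The first octet of the BIT STRING (its unused-bits count) is dropped by `chunk_skip(n, 1)` without being checked, so a subjectPublicKeyInfo with a non-zero count would still be written out as an SSH key. Extending the existing condition to `asn1_unwrap(&n, &n) != ASN1_BIT_STRING || !n.len || n.ptr[0] != 0` rejects that case. The input presumably comes from the library's own key encoding, so this is a robustness check rather than a known failure. A short comment such as `/* skip the unused-bits octet of the BIT STRING */` above the second `write_data32` call would also explain the skip. `build_public_key` starts before and continues after this hunk.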
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
index c4d9f2fc5..3d34cf7c9 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
@@ -49,6 +49,7 @@ libstrongswan_test_vectors_la_SOURCES = \
test_vectors/ecp.c \
test_vectors/ecpbp.c \
test_vectors/curve25519.c \
+ test_vectors/curve448.c \
test_vectors/rng.c
libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index 7f6c319c6..ed3ae0f40 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -156,7 +156,8 @@ am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \
test_vectors/sha3_shake.lo test_vectors/fips_prf.lo \
test_vectors/modp.lo test_vectors/modpsub.lo \
test_vectors/ecp.lo test_vectors/ecpbp.lo \
- test_vectors/curve25519.lo test_vectors/rng.lo
+ test_vectors/curve25519.lo test_vectors/curve448.lo \
+ test_vectors/rng.lo
libstrongswan_test_vectors_la_OBJECTS = \
$(am_libstrongswan_test_vectors_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
@@ -518,6 +519,7 @@ libstrongswan_test_vectors_la_SOURCES = \
test_vectors/ecp.c \
test_vectors/ecpbp.c \
test_vectors/curve25519.c \
+ test_vectors/curve448.c \
test_vectors/rng.c
libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
@@ -680,6 +682,8 @@ test_vectors/ecpbp.lo: test_vectors/$(am__dirstamp) \
test_vectors/$(DEPDIR)/$(am__dirstamp)
test_vectors/curve25519.lo: test_vectors/$(am__dirstamp) \
test_vectors/$(DEPDIR)/$(am__dirstamp)
+test_vectors/curve448.lo: test_vectors/$(am__dirstamp) \
+ test_vectors/$(DEPDIR)/$(am__dirstamp)
test_vectors/rng.lo: test_vectors/$(am__dirstamp) \
test_vectors/$(DEPDIR)/$(am__dirstamp)
@@ -710,6 +714,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/chacha20_xof.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/chacha20poly1305.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/curve25519.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/curve448.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/des.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/ecp.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/ecpbp.Plo@am__quote@
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
index 7ab965a82..7c8ac0c6e 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
@@ -116,6 +116,7 @@ TEST_VECTOR_AEAD(aes_gcm23)
TEST_VECTOR_AEAD(chacha20poly1305_1)
TEST_VECTOR_AEAD(chacha20poly1305_2)
TEST_VECTOR_AEAD(chacha20poly1305_3)
+TEST_VECTOR_AEAD(chacha20poly1305_4)
TEST_VECTOR_SIGNER(aes_xcbc_s1)
TEST_VECTOR_SIGNER(aes_xcbc_s2)
@@ -305,3 +306,4 @@ TEST_VECTOR_DH(ecp384bp)
TEST_VECTOR_DH(ecp512bp)
TEST_VECTOR_DH(curve25519_1)
TEST_VECTOR_DH(curve25519_2)
+TEST_VECTOR_DH(curve448_1)
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20poly1305.c b/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20poly1305.c
index 21726cbbb..dcbfe5ca3 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20poly1305.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20poly1305.c
@@ -16,10 +16,40 @@
#include <crypto/crypto_tester.h>
/**
- * From draft-irtf-cfrg-chacha20-poly1305
+ * From RFC 7539
*/
aead_test_vector_t chacha20poly1305_1 = {
.alg = ENCR_CHACHA20_POLY1305, .key_size = 32, .salt_size = 4,
+ .len = 114, .alen = 12,
+ .key = "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
+ "\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
+ "\x07\x00\x00\x00",
+ .iv = "\x40\x41\x42\x43\x44\x45\x46\x47",
+ .adata = "\x50\x51\x52\x53\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7",
+ .plain = "\x4c\x61\x64\x69\x65\x73\x20\x61\x6e\x64\x20\x47\x65\x6e\x74\x6c"
+ "\x65\x6d\x65\x6e\x20\x6f\x66\x20\x74\x68\x65\x20\x63\x6c\x61\x73"
+ "\x73\x20\x6f\x66\x20\x27\x39\x39\x3a\x20\x49\x66\x20\x49\x20\x63"
+ "\x6f\x75\x6c\x64\x20\x6f\x66\x66\x65\x72\x20\x79\x6f\x75\x20\x6f"
+ "\x6e\x6c\x79\x20\x6f\x6e\x65\x20\x74\x69\x70\x20\x66\x6f\x72\x20"
+ "\x74\x68\x65\x20\x66\x75\x74\x75\x72\x65\x2c\x20\x73\x75\x6e\x73"
+ "\x63\x72\x65\x65\x6e\x20\x77\x6f\x75\x6c\x64\x20\x62\x65\x20\x69"
+ "\x74\x2e",
+ .cipher = "\xd3\x1a\x8d\x34\x64\x8e\x60\xdb\x7b\x86\xaf\xbc\x53\xef\x7e\xc2"
+ "\xa4\xad\xed\x51\x29\x6e\x08\xfe\xa9\xe2\xb5\xa7\x36\xee\x62\xd6"
+ "\x3d\xbe\xa4\x5e\x8c\xa9\x67\x12\x82\xfa\xfb\x69\xda\x92\x72\x8b"
+ "\x1a\x71\xde\x0a\x9e\x06\x0b\x29\x05\xd6\xa5\xb6\x7e\xcd\x3b\x36"
+ "\x92\xdd\xbd\x7f\x2d\x77\x8b\x8c\x98\x03\xae\xe3\x28\x09\x1b\x58"
+ "\xfa\xb3\x24\xe4\xfa\xd6\x75\x94\x55\x85\x80\x8b\x48\x31\xd7\xbc"
+ "\x3f\xf4\xde\xf0\x8e\x4b\x7a\x9d\xe5\x76\xd2\x65\x86\xce\xc6\x4b"
+ "\x61\x16\x1a\xe1\x0b\x59\x4f\x09\xe2\x6a\x7e\x90\x2e\xcb\xd0\x60"
+ "\x06\x91",
+};
+
+/**
+ * Additional test vector from RFC 7539
+ */
+aead_test_vector_t chacha20poly1305_2 = {
+ .alg = ENCR_CHACHA20_POLY1305, .key_size = 32, .salt_size = 4,
.len = 265, .alen = 12,
.key = "\x1c\x92\x40\xa5\xeb\x55\xd3\x8a\xf3\x33\x88\x86\x04\xf6\xb5\xf0"
"\x47\x39\x17\xc1\x40\x2b\x80\x09\x9d\xca\x5c\xbc\x20\x70\x75\xc0"
@@ -64,9 +94,9 @@ aead_test_vector_t chacha20poly1305_1 = {
};
/**
- * ESP example from draft-ietf-ipsecme-chacha20-poly1305-06
+ * ESP example from RFC 7634
*/
-aead_test_vector_t chacha20poly1305_2 = {
+aead_test_vector_t chacha20poly1305_3 = {
.alg = ENCR_CHACHA20_POLY1305, .key_size = 32, .salt_size = 4,
.len = 88, .alen = 8,
.key = "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
@@ -90,9 +120,9 @@ aead_test_vector_t chacha20poly1305_2 = {
};
/**
- * IKEv2 example from draft-ietf-ipsecme-chacha20-poly1305-06
+ * IKEv2 example from RFC 7634
*/
-aead_test_vector_t chacha20poly1305_3 = {
+aead_test_vector_t chacha20poly1305_4 = {
.alg = ENCR_CHACHA20_POLY1305, .key_size = 32, .salt_size = 4,
.len = 13, .alen = 32,
.key = "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/curve25519.c b/src/libstrongswan/plugins/test_vectors/test_vectors/curve25519.c
index 676fcfc5a..23c024a37 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/curve25519.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/curve25519.c
@@ -16,7 +16,7 @@
#include <crypto/crypto_tester.h>
/**
- * From RFC 8037
+ * From RFC 7748
*/
dh_test_vector_t curve25519_1 = {
.group = CURVE_25519, .priv_len = 32, .pub_len = 32, .shared_len = 32,
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/curve448.c b/src/libstrongswan/plugins/test_vectors/test_vectors/curve448.c
new file mode 100644
index 000000000..fccbb808a
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/curve448.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * From RFC 7748
+ */
+dh_test_vector_t curve448_1 = {
+ .group = CURVE_448, .priv_len = 56, .pub_len = 56, .shared_len = 56,
+ .priv_a = "\x9a\x8f\x49\x25\xd1\x51\x9f\x57\x75\xcf\x46\xb0\x4b\x58\x00\xd4"
+ "\xee\x9e\xe8\xba\xe8\xbc\x55\x65\xd4\x98\xc2\x8d\xd9\xc9\xba\xf5"
+ "\x74\xa9\x41\x97\x44\x89\x73\x91\x00\x63\x82\xa6\xf1\x27\xab\x1d"
+ "\x9a\xc2\xd8\xc0\xa5\x98\x72\x6b",
+ .priv_b = "\x1c\x30\x6a\x7a\xc2\xa0\xe2\xe0\x99\x0b\x29\x44\x70\xcb\xa3\x39"
+ "\xe6\x45\x37\x72\xb0\x75\x81\x1d\x8f\xad\x0d\x1d\x69\x27\xc1\x20"
+ "\xbb\x5e\xe8\x97\x2b\x0d\x3e\x21\x37\x4c\x9c\x92\x1b\x09\xd1\xb0"
+ "\x36\x6f\x10\xb6\x51\x73\x99\x2d",
+ .pub_a = "\x9b\x08\xf7\xcc\x31\xb7\xe3\xe6\x7d\x22\xd5\xae\xa1\x21\x07\x4a"
+ "\x27\x3b\xd2\xb8\x3d\xe0\x9c\x63\xfa\xa7\x3d\x2c\x22\xc5\xd9\xbb"
+ "\xc8\x36\x64\x72\x41\xd9\x53\xd4\x0c\x5b\x12\xda\x88\x12\x0d\x53"
+ "\x17\x7f\x80\xe5\x32\xc4\x1f\xa0",
+ .pub_b = "\x3e\xb7\xa8\x29\xb0\xcd\x20\xf5\xbc\xfc\x0b\x59\x9b\x6f\xec\xcf"
+ "\x6d\xa4\x62\x71\x07\xbd\xb0\xd4\xf3\x45\xb4\x30\x27\xd8\xb9\x72"
+ "\xfc\x3e\x34\xfb\x42\x32\xa1\x3c\xa7\x06\xdc\xb5\x7a\xec\x3d\xae"
+ "\x07\xbd\xc1\xc6\x7b\xf3\x36\x09",
+ .shared = "\x07\xff\xf4\x18\x1a\xc6\xcc\x95\xec\x1c\x16\xa9\x4a\x0f\x74\xd1"
+ "\x2d\xa2\x32\xce\x40\xa7\x75\x52\x28\x1d\x28\x2b\xb6\x0c\x0b\x56"
+ "\xfd\x24\x64\xc3\x35\x54\x39\x36\x52\x1c\x24\x40\x30\x85\xd5\x9a"
+ "\x44\x9a\x50\x37\x51\x4a\x87\x9d",
+};
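Review bot: The licence header of this new file has lost a comma and space in two places, reading `version 2 of the Licenseor (at your` and `it will be usefulbut`. The header of openssl_x_diffie_hellman.h, added in the same commit, has the intended text: `version 2 of the License, or (at your` and `it will be useful, but`. The two comment lines should be restored to match, so that the licence notice reads correctly and stays identical across files.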
diff --git a/src/libstrongswan/settings/settings_lexer.c b/src/libstrongswan/settings/settings_lexer.c
index c29dfa57b..a88a58f0e 100644
--- a/src/libstrongswan/settings/settings_lexer.c
+++ b/src/libstrongswan/settings/settings_lexer.c
@@ -7,7 +7,6 @@
/* A lexical scanner generated by flex */
/* %not-for-header */
-
/* %if-c-only */
/* %if-not-reentrant */
/* %endif */
@@ -17,7 +16,7 @@
#define FLEX_SCANNER
#define YY_FLEX_MAJOR_VERSION 2
#define YY_FLEX_MINOR_VERSION 6
-#define YY_FLEX_SUBMINOR_VERSION 0
+#define YY_FLEX_SUBMINOR_VERSION 4
#if YY_FLEX_SUBMINOR_VERSION > 0
#define FLEX_BETA
#endif
@@ -26,9 +25,230 @@
/* %endif */
/* %if-c-only */
-
+#ifdef yy_create_buffer
+#define settings_parser__create_buffer_ALREADY_DEFINED
+#else
+#define yy_create_buffer settings_parser__create_buffer
+#endif
+
+#ifdef yy_delete_buffer
+#define settings_parser__delete_buffer_ALREADY_DEFINED
+#else
+#define yy_delete_buffer settings_parser__delete_buffer
+#endif
+
+#ifdef yy_scan_buffer
+#define settings_parser__scan_buffer_ALREADY_DEFINED
+#else
+#define yy_scan_buffer settings_parser__scan_buffer
+#endif
+
+#ifdef yy_scan_string
+#define settings_parser__scan_string_ALREADY_DEFINED
+#else
+#define yy_scan_string settings_parser__scan_string
+#endif
+
+#ifdef yy_scan_bytes
+#define settings_parser__scan_bytes_ALREADY_DEFINED
+#else
+#define yy_scan_bytes settings_parser__scan_bytes
+#endif
+
+#ifdef yy_init_buffer
+#define settings_parser__init_buffer_ALREADY_DEFINED
+#else
+#define yy_init_buffer settings_parser__init_buffer
+#endif
+
+#ifdef yy_flush_buffer
+#define settings_parser__flush_buffer_ALREADY_DEFINED
+#else
+#define yy_flush_buffer settings_parser__flush_buffer
+#endif
+
+#ifdef yy_load_buffer_state
+#define settings_parser__load_buffer_state_ALREADY_DEFINED
+#else
+#define yy_load_buffer_state settings_parser__load_buffer_state
+#endif
+
+#ifdef yy_switch_to_buffer
+#define settings_parser__switch_to_buffer_ALREADY_DEFINED
+#else
+#define yy_switch_to_buffer settings_parser__switch_to_buffer
+#endif
+
+#ifdef yypush_buffer_state
+#define settings_parser_push_buffer_state_ALREADY_DEFINED
+#else
+#define yypush_buffer_state settings_parser_push_buffer_state
+#endif
+
+#ifdef yypop_buffer_state
+#define settings_parser_pop_buffer_state_ALREADY_DEFINED
+#else
+#define yypop_buffer_state settings_parser_pop_buffer_state
+#endif
+
+#ifdef yyensure_buffer_stack
+#define settings_parser_ensure_buffer_stack_ALREADY_DEFINED
+#else
+#define yyensure_buffer_stack settings_parser_ensure_buffer_stack
+#endif
+
+#ifdef yylex
+#define settings_parser_lex_ALREADY_DEFINED
+#else
+#define yylex settings_parser_lex
+#endif
+
+#ifdef yyrestart
+#define settings_parser_restart_ALREADY_DEFINED
+#else
+#define yyrestart settings_parser_restart
+#endif
+
+#ifdef yylex_init
+#define settings_parser_lex_init_ALREADY_DEFINED
+#else
+#define yylex_init settings_parser_lex_init
+#endif
+
+#ifdef yylex_init_extra
+#define settings_parser_lex_init_extra_ALREADY_DEFINED
+#else
+#define yylex_init_extra settings_parser_lex_init_extra
+#endif
+
+#ifdef yylex_destroy
+#define settings_parser_lex_destroy_ALREADY_DEFINED
+#else
+#define yylex_destroy settings_parser_lex_destroy
+#endif
+
+#ifdef yyget_debug
+#define settings_parser_get_debug_ALREADY_DEFINED
+#else
+#define yyget_debug settings_parser_get_debug
+#endif
+
+#ifdef yyset_debug
+#define settings_parser_set_debug_ALREADY_DEFINED
+#else
+#define yyset_debug settings_parser_set_debug
+#endif
+
+#ifdef yyget_extra
+#define settings_parser_get_extra_ALREADY_DEFINED
+#else
+#define yyget_extra settings_parser_get_extra
+#endif
+
+#ifdef yyset_extra
+#define settings_parser_set_extra_ALREADY_DEFINED
+#else
+#define yyset_extra settings_parser_set_extra
+#endif
+
+#ifdef yyget_in
+#define settings_parser_get_in_ALREADY_DEFINED
+#else
+#define yyget_in settings_parser_get_in
+#endif
+
+#ifdef yyset_in
+#define settings_parser_set_in_ALREADY_DEFINED
+#else
+#define yyset_in settings_parser_set_in
+#endif
+
+#ifdef yyget_out
+#define settings_parser_get_out_ALREADY_DEFINED
+#else
+#define yyget_out settings_parser_get_out
+#endif
+
+#ifdef yyset_out
+#define settings_parser_set_out_ALREADY_DEFINED
+#else
+#define yyset_out settings_parser_set_out
+#endif
+
+#ifdef yyget_leng
+#define settings_parser_get_leng_ALREADY_DEFINED
+#else
+#define yyget_leng settings_parser_get_leng
+#endif
+
+#ifdef yyget_text
+#define settings_parser_get_text_ALREADY_DEFINED
+#else
+#define yyget_text settings_parser_get_text
+#endif
+
+#ifdef yyget_lineno
+#define settings_parser_get_lineno_ALREADY_DEFINED
+#else
+#define yyget_lineno settings_parser_get_lineno
+#endif
+
+#ifdef yyset_lineno
+#define settings_parser_set_lineno_ALREADY_DEFINED
+#else
+#define yyset_lineno settings_parser_set_lineno
+#endif
+
+#ifdef yyget_column
+#define settings_parser_get_column_ALREADY_DEFINED
+#else
+#define yyget_column settings_parser_get_column
+#endif
+
+#ifdef yyset_column
+#define settings_parser_set_column_ALREADY_DEFINED
+#else
+#define yyset_column settings_parser_set_column
+#endif
+
+#ifdef yywrap
+#define settings_parser_wrap_ALREADY_DEFINED
+#else
+#define yywrap settings_parser_wrap
+#endif
+
/* %endif */
+#ifdef yyget_lval
+#define settings_parser_get_lval_ALREADY_DEFINED
+#else
+#define yyget_lval settings_parser_get_lval
+#endif
+
+#ifdef yyset_lval
+#define settings_parser_set_lval_ALREADY_DEFINED
+#else
+#define yyset_lval settings_parser_set_lval
+#endif
+
+#ifdef yyalloc
+#define settings_parser_alloc_ALREADY_DEFINED
+#else
+#define yyalloc settings_parser_alloc
+#endif
+
+#ifdef yyrealloc
+#define settings_parser_realloc_ALREADY_DEFINED
+#else
+#define yyrealloc settings_parser_realloc
+#endif
+
+#ifdef yyfree
+#define settings_parser_free_ALREADY_DEFINED
+#else
+#define yyfree settings_parser_free
+#endif
+
/* %if-c-only */
/* %endif */
@@ -108,50 +328,39 @@ typedef unsigned int flex_uint32_t;
#define UINT32_MAX (4294967295U)
#endif
+#ifndef SIZE_MAX
+#define SIZE_MAX (~(size_t)0)
+#endif
+
#endif /* ! C99 */
#endif /* ! FLEXINT_H */
/* %endif */
+/* begin standard C++ headers. */
/* %if-c++-only */
/* %endif */
-#ifdef __cplusplus
-
-/* The "const" storage-class-modifier is valid. */
-#define YY_USE_CONST
-
-#else /* ! __cplusplus */
-
-/* C99 requires __STDC__ to be defined as 1. */
-#if defined (__STDC__)
-
-#define YY_USE_CONST
-
-#endif /* defined (__STDC__) */
-#endif /* ! __cplusplus */
-
-#ifdef YY_USE_CONST
+/* TODO: this is always defined, so inline it */
#define yyconst const
+
+#if defined(__GNUC__) && __GNUC__ >= 3
+#define yynoreturn __attribute__((__noreturn__))
#else
-#define yyconst
+#define yynoreturn
#endif
/* %not-for-header */
-
/* Returned upon end-of-file. */
#define YY_NULL 0
/* %ok-for-header */
/* %not-for-header */
-
-/* Promotes a possibly negative, possibly signed char to an unsigned
- * integer for use as an array index. If the signed char is negative,
- * we want to instead treat it as an 8-bit unsigned char, hence the
- * double cast.
+/* Promotes a possibly negative, possibly signed char to an
+ * integer in range [0..255] for use as an array index.
*/
-#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c)
+#define YY_SC_TO_UI(c) ((YY_CHAR) (c))
/* %ok-for-header */
/* %if-reentrant */
@@ -183,20 +392,16 @@ typedef void* yyscan_t;
* definition of BEGIN.
*/
#define BEGIN yyg->yy_start = 1 + 2 *
-
/* Translate the current start state into a value that can be later handed
* to BEGIN to return to the state. The YYSTATE alias is for lex
* compatibility.
*/
#define YY_START ((yyg->yy_start - 1) / 2)
#define YYSTATE YY_START
-
/* Action number for EOF rule of a given start state. */
#define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
-
/* Special action meaning "start processing a new file". */
-#define YY_NEW_FILE settings_parser_restart(yyin ,yyscanner )
-
+#define YY_NEW_FILE yyrestart( yyin , yyscanner )
#define YY_END_OF_BUFFER_CHAR 0
/* Size of default input buffer. */
@@ -237,10 +442,10 @@ typedef size_t yy_size_t;
#define EOB_ACT_CONTINUE_SCAN 0
#define EOB_ACT_END_OF_FILE 1
#define EOB_ACT_LAST_MATCH 2
-
+
/* Note: We specifically omit the test for yy_rule_can_match_eol because it requires
* access to the local variable yy_act. Since yyless() is a macro, it would break
- * existing scanners that call yyless() from OUTSIDE settings_parser_lex.
+ * existing scanners that call yyless() from OUTSIDE yylex.
* One obvious solution it to make yy_act a global. I tried that, and saw
* a 5% performance hit in a non-yylineno scanner, because yy_act is
* normally declared as a register variable-- so it is not worth it.
@@ -273,7 +478,6 @@ typedef size_t yy_size_t;
YY_DO_BEFORE_ACTION; /* set up yytext again */ \
} \
while ( 0 )
-
#define unput(c) yyunput( c, yyg->yytext_ptr , yyscanner )
#ifndef YY_STRUCT_YY_BUFFER_STATE
@@ -293,7 +497,7 @@ struct yy_buffer_state
/* Size of input buffer in bytes, not including room for EOB
* characters.
*/
- yy_size_t yy_buf_size;
+ int yy_buf_size;
/* Number of characters read into yy_ch_buf, not including EOB
* characters.
@@ -321,7 +525,7 @@ struct yy_buffer_state
int yy_bs_lineno; /**< The line count. */
int yy_bs_column; /**< The column count. */
-
+
/* Whether to try to fill the input buffer when we reach the
* end of it.
*/
@@ -338,7 +542,7 @@ struct yy_buffer_state
* possible backing-up.
*
* When we actually see the EOF, we change the status to "new"
- * (via settings_parser_restart()), so that the user can continue scanning by
+ * (via yyrestart()), so that the user can continue scanning by
* just pointing yyin at a new input file.
*/
#define YY_BUFFER_EOF_PENDING 2
@@ -348,7 +552,6 @@ struct yy_buffer_state
/* %if-c-only Standard (non-C++) definition */
/* %not-for-header */
-
/* %if-not-reentrant */
/* %endif */
/* %ok-for-header */
@@ -364,7 +567,6 @@ struct yy_buffer_state
#define YY_CURRENT_BUFFER ( yyg->yy_buffer_stack \
? yyg->yy_buffer_stack[yyg->yy_buffer_stack_top] \
: NULL)
-
/* Same as previous macro, but useful when we know that the buffer stack is not
* NULL or when we need an lvalue. For internal use only.
*/
@@ -374,57 +576,52 @@ struct yy_buffer_state
/* %if-not-reentrant */
/* %not-for-header */
-
/* %ok-for-header */
/* %endif */
-void settings_parser_restart (FILE *input_file ,yyscan_t yyscanner );
-void settings_parser__switch_to_buffer (YY_BUFFER_STATE new_buffer ,yyscan_t yyscanner );
-YY_BUFFER_STATE settings_parser__create_buffer (FILE *file,int size ,yyscan_t yyscanner );
-void settings_parser__delete_buffer (YY_BUFFER_STATE b ,yyscan_t yyscanner );
-void settings_parser__flush_buffer (YY_BUFFER_STATE b ,yyscan_t yyscanner );
-void settings_parser_push_buffer_state (YY_BUFFER_STATE new_buffer ,yyscan_t yyscanner );
-void settings_parser_pop_buffer_state (yyscan_t yyscanner );
-
-static void settings_parser_ensure_buffer_stack (yyscan_t yyscanner );
-static void settings_parser__load_buffer_state (yyscan_t yyscanner );
-static void settings_parser__init_buffer (YY_BUFFER_STATE b,FILE *file ,yyscan_t yyscanner );
+void yyrestart ( FILE *input_file , yyscan_t yyscanner );
+void yy_switch_to_buffer ( YY_BUFFER_STATE new_buffer , yyscan_t yyscanner );
+YY_BUFFER_STATE yy_create_buffer ( FILE *file, int size , yyscan_t yyscanner );
+void yy_delete_buffer ( YY_BUFFER_STATE b , yyscan_t yyscanner );
+void yy_flush_buffer ( YY_BUFFER_STATE b , yyscan_t yyscanner );
+void yypush_buffer_state ( YY_BUFFER_STATE new_buffer , yyscan_t yyscanner );
+void yypop_buffer_state ( yyscan_t yyscanner );
-#define YY_FLUSH_BUFFER settings_parser__flush_buffer(YY_CURRENT_BUFFER ,yyscanner)
+static void yyensure_buffer_stack ( yyscan_t yyscanner );
+static void yy_load_buffer_state ( yyscan_t yyscanner );
+static void yy_init_buffer ( YY_BUFFER_STATE b, FILE *file , yyscan_t yyscanner );
+#define YY_FLUSH_BUFFER yy_flush_buffer( YY_CURRENT_BUFFER , yyscanner)
-YY_BUFFER_STATE settings_parser__scan_buffer (char *base,yy_size_t size ,yyscan_t yyscanner );
-YY_BUFFER_STATE settings_parser__scan_string (yyconst char *yy_str ,yyscan_t yyscanner );
-YY_BUFFER_STATE settings_parser__scan_bytes (yyconst char *bytes,yy_size_t len ,yyscan_t yyscanner );
+YY_BUFFER_STATE yy_scan_buffer ( char *base, yy_size_t size , yyscan_t yyscanner );
+YY_BUFFER_STATE yy_scan_string ( const char *yy_str , yyscan_t yyscanner );
+YY_BUFFER_STATE yy_scan_bytes ( const char *bytes, int len , yyscan_t yyscanner );
/* %endif */
-void *settings_parser_alloc (yy_size_t ,yyscan_t yyscanner );
-void *settings_parser_realloc (void *,yy_size_t ,yyscan_t yyscanner );
-void settings_parser_free (void * ,yyscan_t yyscanner );
-
-#define yy_new_buffer settings_parser__create_buffer
+void *yyalloc ( yy_size_t , yyscan_t yyscanner );
+void *yyrealloc ( void *, yy_size_t , yyscan_t yyscanner );
+void yyfree ( void * , yyscan_t yyscanner );
+#define yy_new_buffer yy_create_buffer
#define yy_set_interactive(is_interactive) \
{ \
if ( ! YY_CURRENT_BUFFER ){ \
- settings_parser_ensure_buffer_stack (yyscanner); \
+ yyensure_buffer_stack (yyscanner); \
YY_CURRENT_BUFFER_LVALUE = \
- settings_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner); \
+ yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner); \
} \
YY_CURRENT_BUFFER_LVALUE->yy_is_interactive = is_interactive; \
}
-
#define yy_set_bol(at_bol) \
{ \
if ( ! YY_CURRENT_BUFFER ){\
- settings_parser_ensure_buffer_stack (yyscanner); \
+ yyensure_buffer_stack (yyscanner); \
YY_CURRENT_BUFFER_LVALUE = \
- settings_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner); \
+ yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner); \
} \
YY_CURRENT_BUFFER_LVALUE->yy_at_bol = at_bol; \
}
-
#define YY_AT_BOL() (YY_CURRENT_BUFFER_LVALUE->yy_at_bol)
/* %% [1.0] yytext/yyin/yyout/yy_state_type/yylineno etc. def's & init go here */
@@ -434,8 +631,7 @@ void settings_parser_free (void * ,yyscan_t yyscanner );
#define YY_SKIP_YYWRAP
#define FLEX_DEBUG
-
-typedef unsigned char YY_CHAR;
+typedef flex_uint8_t YY_CHAR;
typedef int yy_state_type;
@@ -445,13 +641,10 @@ typedef int yy_state_type;
/* %if-c-only Standard (non-C++) definition */
-static yy_state_type yy_get_previous_state (yyscan_t yyscanner );
-static yy_state_type yy_try_NUL_trans (yy_state_type current_state ,yyscan_t yyscanner);
-static int yy_get_next_buffer (yyscan_t yyscanner );
-#if defined(__GNUC__) && __GNUC__ >= 3
-__attribute__((__noreturn__))
-#endif
-static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner );
+static yy_state_type yy_get_previous_state ( yyscan_t yyscanner );
+static yy_state_type yy_try_NUL_trans ( yy_state_type current_state , yyscan_t yyscanner);
+static int yy_get_next_buffer ( yyscan_t yyscanner );
+static void yynoreturn yy_fatal_error ( const char* msg , yyscan_t yyscanner );
/* %endif */
@@ -461,12 +654,11 @@ static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner );
#define YY_DO_BEFORE_ACTION \
yyg->yytext_ptr = yy_bp; \
/* %% [2.0] code to fiddle yytext and yyleng for yymore() goes here \ */\
- yyleng = (size_t) (yy_cp - yy_bp); \
+ yyleng = (int) (yy_cp - yy_bp); \
yyg->yy_hold_char = *yy_cp; \
*yy_cp = '\0'; \
/* %% [3.0] code to copy yytext_ptr to yytext[] goes here, if %array \ */\
yyg->yy_c_buf_p = yy_cp;
-
/* %% [4.0] data tables for the DFA and the user's section 1 definitions go here */
#define YY_NUM_RULES 39
#define YY_END_OF_BUFFER 40
@@ -477,7 +669,7 @@ struct yy_trans_info
flex_int32_t yy_verify;
flex_int32_t yy_nxt;
};
-static yyconst flex_int16_t yy_accept[85] =
+static const flex_int16_t yy_accept[85] =
{ 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
40, 12, 2, 3, 2, 11, 1, 7, 6, 8,
@@ -490,7 +682,7 @@ static yyconst flex_int16_t yy_accept[85] =
0, 10, 10, 0
} ;
-static yyconst YY_CHAR yy_ec[256] =
+static const YY_CHAR yy_ec[256] =
{ 0,
1, 1, 1, 1, 1, 1, 1, 1, 2, 3,
1, 1, 4, 1, 1, 1, 1, 1, 1, 1,
@@ -522,14 +714,14 @@ static yyconst YY_CHAR yy_ec[256] =
1, 1, 1, 1, 1
} ;
-static yyconst YY_CHAR yy_meta[24] =
+static const YY_CHAR yy_meta[24] =
{ 0,
1, 2, 3, 4, 5, 6, 5, 7, 8, 7,
9, 10, 1, 1, 1, 1, 1, 1, 1, 1,
1, 7, 5
} ;
-static yyconst flex_uint16_t yy_base[103] =
+static const flex_int16_t yy_base[103] =
{ 0,
0, 0, 23, 0, 45, 67, 89, 111, 49, 50,
124, 0, 133, 335, 55, 335, 60, 335, 335, 335,
@@ -545,7 +737,7 @@ static yyconst flex_uint16_t yy_base[103] =
314, 324
} ;
-static yyconst flex_int16_t yy_def[103] =
+static const flex_int16_t yy_def[103] =
{ 0,
84, 1, 84, 3, 85, 85, 86, 86, 87, 87,
84, 88, 84, 84, 84, 84, 89, 84, 84, 84,
@@ -561,7 +753,7 @@ static yyconst flex_int16_t yy_def[103] =
84, 84
} ;
-static yyconst flex_uint16_t yy_nxt[359] =
+static const flex_int16_t yy_nxt[359] =
{ 0,
12, 13, 14, 15, 13, 16, 17, 18, 19, 20,
21, 12, 12, 12, 12, 22, 12, 12, 12, 12,
@@ -604,7 +796,7 @@ static yyconst flex_uint16_t yy_nxt[359] =
84, 84, 84, 84, 84, 84, 84, 84
} ;
-static yyconst flex_int16_t yy_chk[359] =
+static const flex_int16_t yy_chk[359] =
{ 0,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
@@ -648,18 +840,18 @@ static yyconst flex_int16_t yy_chk[359] =
} ;
/* Table of booleans, true if rule could match eol. */
-static yyconst flex_int32_t yy_rule_can_match_eol[40] =
+static const flex_int32_t yy_rule_can_match_eol[40] =
{ 0,
0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0,
0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0,
};
-static yyconst flex_int16_t yy_rule_linenum[39] =
+static const flex_int16_t yy_rule_linenum[39] =
{ 0,
- 66, 67, 68, 70, 71, 73, 74, 76, 81, 86,
- 91, 96, 102, 103, 104, 106, 108, 113, 120, 121,
- 123, 144, 150, 157, 160, 180, 183, 186, 189, 195,
- 196, 198, 218, 219, 220, 221, 222, 223
+ 71, 72, 73, 75, 76, 78, 79, 81, 86, 91,
+ 96, 101, 107, 108, 109, 111, 113, 118, 125, 126,
+ 128, 149, 155, 162, 165, 185, 188, 191, 194, 200,
+ 201, 203, 223, 224, 225, 226, 227, 228
} ;
/* The intent behind this definition is that it'll catch
@@ -694,9 +886,13 @@ bool settings_parser_open_next_file(parser_helper_t *ctx);
static void include_files(parser_helper_t *ctx);
+#line 890 "settings/settings_lexer.c"
/* use start conditions stack */
/* do not declare unneeded functions */
#define YY_NO_INPUT 1
+/* do not include unistd.h as it might conflict with our scanner states */
+#define YY_NO_UNISTD_H 1
+/* due to that disable interactive mode, which requires isatty() */
/* don't use global variables, and interact properly with bison */
/* maintain the line number */
/* don't generate a default rule */
@@ -712,7 +908,7 @@ static void include_files(parser_helper_t *ctx);
/* state used to scan quoted strings */
/* pattern for section/key names */
-#line 716 "settings/settings_lexer.c"
+#line 912 "settings/settings_lexer.c"
#define INITIAL 0
#define ref 1
@@ -751,7 +947,7 @@ struct yyguts_t
YY_BUFFER_STATE * yy_buffer_stack; /**< Stack as an array. */
char yy_hold_char;
int yy_n_chars;
- yy_size_t yyleng_r;
+ int yyleng_r;
char *yy_c_buf_p;
int yy_init;
int yy_start;
@@ -775,7 +971,7 @@ struct yyguts_t
/* %if-c-only */
-static int yy_init_globals (yyscan_t yyscanner );
+static int yy_init_globals ( yyscan_t yyscanner );
/* %endif */
@@ -785,9 +981,9 @@ static int yy_init_globals (yyscan_t yyscanner );
* from bison output in section 1.*/
# define yylval yyg->yylval_r
-int settings_parser_lex_init (yyscan_t* scanner);
+int yylex_init (yyscan_t* scanner);
-int settings_parser_lex_init_extra (YY_EXTRA_TYPE user_defined,yyscan_t* scanner);
+int yylex_init_extra ( YY_EXTRA_TYPE user_defined, yyscan_t* scanner);
/* %endif */
@@ -796,41 +992,41 @@ int settings_parser_lex_init_extra (YY_EXTRA_TYPE user_defined,yyscan_t* scanner
/* Accessor methods to globals.
These are made visible to non-reentrant scanners for convenience. */
-int settings_parser_lex_destroy (yyscan_t yyscanner );
+int yylex_destroy ( yyscan_t yyscanner );
-int settings_parser_get_debug (yyscan_t yyscanner );
+int yyget_debug ( yyscan_t yyscanner );
-void settings_parser_set_debug (int debug_flag ,yyscan_t yyscanner );
+void yyset_debug ( int debug_flag , yyscan_t yyscanner );
-YY_EXTRA_TYPE settings_parser_get_extra (yyscan_t yyscanner );
+YY_EXTRA_TYPE yyget_extra ( yyscan_t yyscanner );
-void settings_parser_set_extra (YY_EXTRA_TYPE user_defined ,yyscan_t yyscanner );
+void yyset_extra ( YY_EXTRA_TYPE user_defined , yyscan_t yyscanner );
-FILE *settings_parser_get_in (yyscan_t yyscanner );
+FILE *yyget_in ( yyscan_t yyscanner );
-void settings_parser_set_in (FILE * _in_str ,yyscan_t yyscanner );
+void yyset_in ( FILE * _in_str , yyscan_t yyscanner );
-FILE *settings_parser_get_out (yyscan_t yyscanner );
+FILE *yyget_out ( yyscan_t yyscanner );
-void settings_parser_set_out (FILE * _out_str ,yyscan_t yyscanner );
+void yyset_out ( FILE * _out_str , yyscan_t yyscanner );
-yy_size_t settings_parser_get_leng (yyscan_t yyscanner );
+ int yyget_leng ( yyscan_t yyscanner );
-char *settings_parser_get_text (yyscan_t yyscanner );
+char *yyget_text ( yyscan_t yyscanner );
-int settings_parser_get_lineno (yyscan_t yyscanner );
+int yyget_lineno ( yyscan_t yyscanner );
-void settings_parser_set_lineno (int _line_number ,yyscan_t yyscanner );
+void yyset_lineno ( int _line_number , yyscan_t yyscanner );
-int settings_parser_get_column (yyscan_t yyscanner );
+int yyget_column ( yyscan_t yyscanner );
-void settings_parser_set_column (int _column_no ,yyscan_t yyscanner );
+void yyset_column ( int _column_no , yyscan_t yyscanner );
/* %if-bison-bridge */
-YYSTYPE * settings_parser_get_lval (yyscan_t yyscanner );
+YYSTYPE * yyget_lval ( yyscan_t yyscanner );
-void settings_parser_set_lval (YYSTYPE * yylval_param ,yyscan_t yyscanner );
+void yyset_lval ( YYSTYPE * yylval_param , yyscan_t yyscanner );
/* %endif */
@@ -840,17 +1036,16 @@ void settings_parser_set_lval (YYSTYPE * yylval_param ,yyscan_t yyscanner );
#ifndef YY_SKIP_YYWRAP
#ifdef __cplusplus
-extern "C" int settings_parser_wrap (yyscan_t yyscanner );
+extern "C" int yywrap ( yyscan_t yyscanner );
#else
-extern int settings_parser_wrap (yyscan_t yyscanner );
+extern int yywrap ( yyscan_t yyscanner );
#endif
#endif
/* %not-for-header */
-
#ifndef YY_NO_UNPUT
- static void yyunput (int c,char *buf_ptr ,yyscan_t yyscanner);
+ static void yyunput ( int c, char *buf_ptr , yyscan_t yyscanner);
#endif
/* %ok-for-header */
@@ -858,21 +1053,20 @@ extern int settings_parser_wrap (yyscan_t yyscanner );
/* %endif */
#ifndef yytext_ptr
-static void yy_flex_strncpy (char *,yyconst char *,int ,yyscan_t yyscanner);
+static void yy_flex_strncpy ( char *, const char *, int , yyscan_t yyscanner);
#endif
#ifdef YY_NEED_STRLEN
-static int yy_flex_strlen (yyconst char * ,yyscan_t yyscanner);
+static int yy_flex_strlen ( const char * , yyscan_t yyscanner);
#endif
#ifndef YY_NO_INPUT
/* %if-c-only Standard (non-C++) definition */
/* %not-for-header */
-
#ifdef __cplusplus
-static int yyinput (yyscan_t yyscanner );
+static int yyinput ( yyscan_t yyscanner );
#else
-static int input (yyscan_t yyscanner );
+static int input ( yyscan_t yyscanner );
#endif
/* %ok-for-header */
@@ -881,11 +1075,11 @@ static int input (yyscan_t yyscanner );
/* %if-c-only */
- static void yy_push_state (int _new_state ,yyscan_t yyscanner);
+ static void yy_push_state ( int _new_state , yyscan_t yyscanner);
- static void yy_pop_state (yyscan_t yyscanner );
+ static void yy_pop_state ( yyscan_t yyscanner );
- static int yy_top_state (yyscan_t yyscanner );
+ static int yy_top_state ( yyscan_t yyscanner );
/* %endif */
@@ -905,7 +1099,7 @@ static int input (yyscan_t yyscanner );
/* This used to be an fputs(), but since the string might contain NUL's,
* we now use fwrite().
*/
-#define ECHO do { if (fwrite( yytext, yyleng, 1, yyout )) {} } while (0)
+#define ECHO do { if (fwrite( yytext, (size_t) yyleng, 1, yyout )) {} } while (0)
/* %endif */
/* %if-c++-only C++ definition */
/* %endif */
@@ -920,7 +1114,7 @@ static int input (yyscan_t yyscanner );
if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
{ \
int c = '*'; \
- size_t n; \
+ int n; \
for ( n = 0; n < max_size && \
(c = getc( yyin )) != EOF && c != '\n'; ++n ) \
buf[n] = (char) c; \
@@ -933,7 +1127,7 @@ static int input (yyscan_t yyscanner );
else \
{ \
errno=0; \
- while ( (result = fread(buf, 1, max_size, yyin))==0 && ferror(yyin)) \
+ while ( (result = (int) fread(buf, 1, (yy_size_t) max_size, yyin)) == 0 && ferror(yyin)) \
{ \
if( errno != EINTR) \
{ \
@@ -974,11 +1168,9 @@ static int input (yyscan_t yyscanner );
/* %if-tables-serialization structures and prototypes */
/* %not-for-header */
-
/* %ok-for-header */
/* %not-for-header */
-
/* %tables-yydmap generated elements */
/* %endif */
/* end tables serialization structures and prototypes */
@@ -992,10 +1184,10 @@ static int input (yyscan_t yyscanner );
#define YY_DECL_IS_OURS 1
/* %if-c-only Standard (non-C++) definition */
-extern int settings_parser_lex \
- (YYSTYPE * yylval_param ,yyscan_t yyscanner);
+extern int yylex \
+ (YYSTYPE * yylval_param , yyscan_t yyscanner);
-#define YY_DECL int settings_parser_lex \
+#define YY_DECL int yylex \
(YYSTYPE * yylval_param , yyscan_t yyscanner)
/* %endif */
/* %if-c++-only C++ definition */
@@ -1019,7 +1211,6 @@ extern int settings_parser_lex \
YY_USER_ACTION
/* %not-for-header */
-
/** The main scanner function which does all the work.
*/
YY_DECL
@@ -1057,20 +1248,20 @@ YY_DECL
/* %endif */
if ( ! YY_CURRENT_BUFFER ) {
- settings_parser_ensure_buffer_stack (yyscanner);
+ yyensure_buffer_stack (yyscanner);
YY_CURRENT_BUFFER_LVALUE =
- settings_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner);
+ yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner);
}
- settings_parser__load_buffer_state(yyscanner );
+ yy_load_buffer_state( yyscanner );
}
{
/* %% [7.0] user's declarations go here */
-#line 64 "settings/settings_lexer.l"
+#line 69 "settings/settings_lexer.l"
-#line 1074 "settings/settings_lexer.c"
+#line 1265 "settings/settings_lexer.c"
while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */
{
@@ -1100,22 +1291,18 @@ yy_match:
{
yy_current_state = (int) yy_def[yy_current_state];
if ( yy_current_state >= 85 )
- yy_c = yy_meta[(unsigned int) yy_c];
+ yy_c = yy_meta[yy_c];
}
- yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+ yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
++yy_cp;
}
- while ( yy_base[yy_current_state] != 335 );
+ while ( yy_current_state != 84 );
+ yy_cp = yyg->yy_last_accepting_cpos;
+ yy_current_state = yyg->yy_last_accepting_state;
yy_find_action:
/* %% [10.0] code to find the action number goes here */
yy_act = yy_accept[yy_current_state];
- if ( yy_act == 0 )
- { /* have to back up */
- yy_cp = yyg->yy_last_accepting_cpos;
- yy_current_state = yyg->yy_last_accepting_state;
- yy_act = yy_accept[yy_current_state];
- }
YY_DO_BEFORE_ACTION;
@@ -1123,10 +1310,10 @@ yy_find_action:
if ( yy_act != YY_END_OF_BUFFER && yy_rule_can_match_eol[yy_act] )
{
- yy_size_t yyl;
+ int yyl;
for ( yyl = 0; yyl < yyleng; ++yyl )
if ( yytext[yyl] == '\n' )
-
+
do{ yylineno++;
yycolumn=0;
}while(0)
@@ -1164,40 +1351,40 @@ do_action: /* This label is used only to access EOF actions. */
case 1:
YY_RULE_SETUP
-#line 66 "settings/settings_lexer.l"
+#line 71 "settings/settings_lexer.l"
/* eat comments */
YY_BREAK
case 2:
YY_RULE_SETUP
-#line 67 "settings/settings_lexer.l"
+#line 72 "settings/settings_lexer.l"
/* eat whitespace */
YY_BREAK
case 3:
/* rule 3 can match eol */
YY_RULE_SETUP
-#line 68 "settings/settings_lexer.l"
+#line 73 "settings/settings_lexer.l"
/* eat newlines and comments at the end of a line */
YY_BREAK
case 4:
-#line 71 "settings/settings_lexer.l"
+#line 76 "settings/settings_lexer.l"
case 5:
YY_RULE_SETUP
-#line 71 "settings/settings_lexer.l"
+#line 76 "settings/settings_lexer.l"
return yytext[0];
YY_BREAK
case 6:
YY_RULE_SETUP
-#line 73 "settings/settings_lexer.l"
+#line 78 "settings/settings_lexer.l"
return DOT;
YY_BREAK
case 7:
YY_RULE_SETUP
-#line 74 "settings/settings_lexer.l"
+#line 79 "settings/settings_lexer.l"
return COMMA;
YY_BREAK
case 8:
YY_RULE_SETUP
-#line 76 "settings/settings_lexer.l"
+#line 81 "settings/settings_lexer.l"
{
yy_push_state(ref, yyscanner);
return COLON;
@@ -1205,7 +1392,7 @@ YY_RULE_SETUP
YY_BREAK
case 9:
YY_RULE_SETUP
-#line 81 "settings/settings_lexer.l"
+#line 86 "settings/settings_lexer.l"
{
yy_push_state(val, yyscanner);
return yytext[0];
@@ -1218,7 +1405,7 @@ YY_LINENO_REWIND_TO(yy_cp - 1);
yyg->yy_c_buf_p = yy_cp -= 1;
YY_DO_BEFORE_ACTION; /* set up yytext again */
YY_RULE_SETUP
-#line 86 "settings/settings_lexer.l"
+#line 91 "settings/settings_lexer.l"
{
yyextra->string_init(yyextra);
yy_push_state(inc, yyscanner);
@@ -1226,7 +1413,7 @@ YY_RULE_SETUP
YY_BREAK
case 11:
YY_RULE_SETUP
-#line 91 "settings/settings_lexer.l"
+#line 96 "settings/settings_lexer.l"
{
PARSER_DBG1(yyextra, "unexpected string detected");
return STRING_ERROR;
@@ -1234,7 +1421,7 @@ YY_RULE_SETUP
YY_BREAK
case 12:
YY_RULE_SETUP
-#line 96 "settings/settings_lexer.l"
+#line 101 "settings/settings_lexer.l"
{
yylval->s = strdup(yytext);
return NAME;
@@ -1243,28 +1430,28 @@ YY_RULE_SETUP
case 13:
YY_RULE_SETUP
-#line 102 "settings/settings_lexer.l"
+#line 107 "settings/settings_lexer.l"
/* eat comments */
YY_BREAK
case 14:
YY_RULE_SETUP
-#line 103 "settings/settings_lexer.l"
+#line 108 "settings/settings_lexer.l"
/* eat whitespace */
YY_BREAK
case 15:
/* rule 15 can match eol */
YY_RULE_SETUP
-#line 104 "settings/settings_lexer.l"
+#line 109 "settings/settings_lexer.l"
/* eat newlines and comments at the end of a line */
YY_BREAK
case 16:
YY_RULE_SETUP
-#line 106 "settings/settings_lexer.l"
+#line 111 "settings/settings_lexer.l"
return COMMA;
YY_BREAK
case 17:
YY_RULE_SETUP
-#line 108 "settings/settings_lexer.l"
+#line 113 "settings/settings_lexer.l"
{
yylval->s = strdup(yytext);
return NAME;
@@ -1272,7 +1459,7 @@ YY_RULE_SETUP
YY_BREAK
case 18:
YY_RULE_SETUP
-#line 113 "settings/settings_lexer.l"
+#line 118 "settings/settings_lexer.l"
{
unput(yytext[0]);
yy_pop_state(yyscanner);
@@ -1282,20 +1469,20 @@ YY_RULE_SETUP
case 19:
YY_RULE_SETUP
-#line 120 "settings/settings_lexer.l"
+#line 125 "settings/settings_lexer.l"
/* just ignore these */
YY_BREAK
case 20:
YY_RULE_SETUP
-#line 121 "settings/settings_lexer.l"
+#line 126 "settings/settings_lexer.l"
YY_BREAK
case YY_STATE_EOF(val):
-#line 122 "settings/settings_lexer.l"
+#line 127 "settings/settings_lexer.l"
case 21:
/* rule 21 can match eol */
YY_RULE_SETUP
-#line 123 "settings/settings_lexer.l"
+#line 128 "settings/settings_lexer.l"
{
if (*yytext)
{
@@ -1319,7 +1506,7 @@ YY_RULE_SETUP
YY_BREAK
case 22:
YY_RULE_SETUP
-#line 144 "settings/settings_lexer.l"
+#line 149 "settings/settings_lexer.l"
{
yyextra->string_init(yyextra);
yy_push_state(str, yyscanner);
@@ -1328,7 +1515,7 @@ YY_RULE_SETUP
/* same as above, but allow more characters */
case 23:
YY_RULE_SETUP
-#line 150 "settings/settings_lexer.l"
+#line 155 "settings/settings_lexer.l"
{
yylval->s = strdup(yytext);
return NAME;
@@ -1338,16 +1525,16 @@ YY_RULE_SETUP
case 24:
YY_RULE_SETUP
-#line 157 "settings/settings_lexer.l"
+#line 162 "settings/settings_lexer.l"
/* just ignore these */
YY_BREAK
/* we allow all characters except #, } and spaces, they can be escaped */
case YY_STATE_EOF(inc):
-#line 159 "settings/settings_lexer.l"
+#line 164 "settings/settings_lexer.l"
case 25:
/* rule 25 can match eol */
YY_RULE_SETUP
-#line 160 "settings/settings_lexer.l"
+#line 165 "settings/settings_lexer.l"
{
if (*yytext)
{
@@ -1371,28 +1558,28 @@ YY_RULE_SETUP
YY_BREAK
case 26:
YY_RULE_SETUP
-#line 180 "settings/settings_lexer.l"
+#line 185 "settings/settings_lexer.l"
{ /* string include */
yy_push_state(str, yyscanner);
}
YY_BREAK
case 27:
YY_RULE_SETUP
-#line 183 "settings/settings_lexer.l"
+#line 188 "settings/settings_lexer.l"
{
yyextra->string_add(yyextra, yytext);
}
YY_BREAK
case 28:
YY_RULE_SETUP
-#line 186 "settings/settings_lexer.l"
+#line 191 "settings/settings_lexer.l"
{
yyextra->string_add(yyextra, yytext+1);
}
YY_BREAK
case 29:
YY_RULE_SETUP
-#line 189 "settings/settings_lexer.l"
+#line 194 "settings/settings_lexer.l"
{
yyextra->string_add(yyextra, yytext);
}
@@ -1401,17 +1588,17 @@ YY_RULE_SETUP
case 30:
YY_RULE_SETUP
-#line 195 "settings/settings_lexer.l"
+#line 200 "settings/settings_lexer.l"
/* just ignore these */
YY_BREAK
case 31:
-#line 197 "settings/settings_lexer.l"
+#line 202 "settings/settings_lexer.l"
YY_RULE_SETUP
case YY_STATE_EOF(str):
-#line 197 "settings/settings_lexer.l"
+#line 202 "settings/settings_lexer.l"
case 32:
YY_RULE_SETUP
-#line 198 "settings/settings_lexer.l"
+#line 203 "settings/settings_lexer.l"
{
if (!streq(yytext, "\""))
{
@@ -1434,34 +1621,34 @@ YY_RULE_SETUP
YY_BREAK
case 33:
YY_RULE_SETUP
-#line 218 "settings/settings_lexer.l"
+#line 223 "settings/settings_lexer.l"
yyextra->string_add(yyextra, "\n");
YY_BREAK
case 34:
YY_RULE_SETUP
-#line 219 "settings/settings_lexer.l"
+#line 224 "settings/settings_lexer.l"
yyextra->string_add(yyextra, "\r");
YY_BREAK
case 35:
YY_RULE_SETUP
-#line 220 "settings/settings_lexer.l"
+#line 225 "settings/settings_lexer.l"
yyextra->string_add(yyextra, "\t");
YY_BREAK
case 36:
/* rule 36 can match eol */
YY_RULE_SETUP
-#line 221 "settings/settings_lexer.l"
+#line 226 "settings/settings_lexer.l"
/* merge lines that end with escaped EOL characters */
YY_BREAK
case 37:
YY_RULE_SETUP
-#line 222 "settings/settings_lexer.l"
+#line 227 "settings/settings_lexer.l"
yyextra->string_add(yyextra, yytext+1);
YY_BREAK
case 38:
/* rule 38 can match eol */
YY_RULE_SETUP
-#line 223 "settings/settings_lexer.l"
+#line 228 "settings/settings_lexer.l"
{
yyextra->string_add(yyextra, yytext);
}
@@ -1469,7 +1656,7 @@ YY_RULE_SETUP
case YY_STATE_EOF(INITIAL):
case YY_STATE_EOF(ref):
-#line 228 "settings/settings_lexer.l"
+#line 233 "settings/settings_lexer.l"
{
settings_parser_pop_buffer_state(yyscanner);
if (!settings_parser_open_next_file(yyextra) && !YY_CURRENT_BUFFER)
@@ -1480,10 +1667,10 @@ case YY_STATE_EOF(ref):
YY_BREAK
case 39:
YY_RULE_SETUP
-#line 236 "settings/settings_lexer.l"
+#line 241 "settings/settings_lexer.l"
YY_FATAL_ERROR( "flex scanner jammed" );
YY_BREAK
-#line 1487 "settings/settings_lexer.c"
+#line 1674 "settings/settings_lexer.c"
case YY_END_OF_BUFFER:
{
@@ -1499,7 +1686,7 @@ YY_FATAL_ERROR( "flex scanner jammed" );
/* We're scanning a new file or input source. It's
* possible that this happened because the user
* just pointed yyin at a new source and called
- * settings_parser_lex(). If so, then we have to assure
+ * yylex(). If so, then we have to assure
* consistency between YY_CURRENT_BUFFER and our
* globals. Here is the right place to do so, because
* this is the first action (other than possibly a
@@ -1553,7 +1740,8 @@ YY_FATAL_ERROR( "flex scanner jammed" );
else
{
/* %% [14.0] code to do back-up for compressed tables and set up yy_cp goes here */
- yy_cp = yyg->yy_c_buf_p;
+ yy_cp = yyg->yy_last_accepting_cpos;
+ yy_current_state = yyg->yy_last_accepting_state;
goto yy_find_action;
}
}
@@ -1564,7 +1752,7 @@ YY_FATAL_ERROR( "flex scanner jammed" );
{
yyg->yy_did_buffer_switch_on_eof = 0;
- if ( settings_parser_wrap(yyscanner ) )
+ if ( yywrap( yyscanner ) )
{
/* Note: because we've taken care in
* yy_get_next_buffer() to have set up
@@ -1618,12 +1806,11 @@ YY_FATAL_ERROR( "flex scanner jammed" );
} /* end of action switch */
} /* end of scanning one token */
} /* end of user's declarations */
-} /* end of settings_parser_lex */
+} /* end of yylex */
/* %ok-for-header */
/* %if-c++-only */
/* %not-for-header */
-
/* %ok-for-header */
/* %endif */
@@ -1644,7 +1831,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf;
char *source = yyg->yytext_ptr;
- yy_size_t number_to_move, i;
+ int number_to_move, i;
int ret_val;
if ( yyg->yy_c_buf_p > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[yyg->yy_n_chars + 1] )
@@ -1673,7 +1860,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
/* Try to read more data. */
/* First move last chars to start of buffer. */
- number_to_move = (yy_size_t) (yyg->yy_c_buf_p - yyg->yytext_ptr) - 1;
+ number_to_move = (int) (yyg->yy_c_buf_p - yyg->yytext_ptr - 1);
for ( i = 0; i < number_to_move; ++i )
*(dest++) = *(source++);
@@ -1686,7 +1873,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
else
{
- yy_size_t num_to_read =
+ int num_to_read =
YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
while ( num_to_read <= 0 )
@@ -1700,7 +1887,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
if ( b->yy_is_our_buffer )
{
- yy_size_t new_size = b->yy_buf_size * 2;
+ int new_size = b->yy_buf_size * 2;
if ( new_size <= 0 )
b->yy_buf_size += b->yy_buf_size / 8;
@@ -1709,11 +1896,12 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
b->yy_ch_buf = (char *)
/* Include room in for 2 EOB chars. */
- settings_parser_realloc((void *) b->yy_ch_buf,b->yy_buf_size + 2 ,yyscanner );
+ yyrealloc( (void *) b->yy_ch_buf,
+ (yy_size_t) (b->yy_buf_size + 2) , yyscanner );
}
else
/* Can't grow it, we don't own it. */
- b->yy_ch_buf = 0;
+ b->yy_ch_buf = NULL;
if ( ! b->yy_ch_buf )
YY_FATAL_ERROR(
@@ -1741,7 +1929,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
if ( number_to_move == YY_MORE_ADJ )
{
ret_val = EOB_ACT_END_OF_FILE;
- settings_parser_restart(yyin ,yyscanner);
+ yyrestart( yyin , yyscanner);
}
else
@@ -1755,12 +1943,15 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
else
ret_val = EOB_ACT_CONTINUE_SCAN;
- if ((int) (yyg->yy_n_chars + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) {
+ if ((yyg->yy_n_chars + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) {
/* Extend the array by 50%, plus the number we really need. */
int new_size = yyg->yy_n_chars + number_to_move + (yyg->yy_n_chars >> 1);
- YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) settings_parser_realloc((void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf,new_size ,yyscanner );
+ YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) yyrealloc(
+ (void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf, (yy_size_t) new_size , yyscanner );
if ( ! YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
YY_FATAL_ERROR( "out of dynamic memory in yy_get_next_buffer()" );
+ /* "- 2" to take care of EOB's */
+ YY_CURRENT_BUFFER_LVALUE->yy_buf_size = (int) (new_size - 2);
}
yyg->yy_n_chars += number_to_move;
@@ -1776,7 +1967,6 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
/* %if-c-only */
/* %not-for-header */
-
static yy_state_type yy_get_previous_state (yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
@@ -1802,9 +1992,9 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
{
yy_current_state = (int) yy_def[yy_current_state];
if ( yy_current_state >= 85 )
- yy_c = yy_meta[(unsigned int) yy_c];
+ yy_c = yy_meta[yy_c];
}
- yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+ yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
}
return yy_current_state;
@@ -1836,9 +2026,9 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
{
yy_current_state = (int) yy_def[yy_current_state];
if ( yy_current_state >= 85 )
- yy_c = yy_meta[(unsigned int) yy_c];
+ yy_c = yy_meta[yy_c];
}
- yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+ yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
yy_is_jam = (yy_current_state == 84);
(void)yyg;
@@ -1864,7 +2054,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
{ /* need to shift things up to make room */
/* +2 for EOB chars. */
- yy_size_t number_to_move = yyg->yy_n_chars + 2;
+ int number_to_move = yyg->yy_n_chars + 2;
char *dest = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[
YY_CURRENT_BUFFER_LVALUE->yy_buf_size + 2];
char *source =
@@ -1876,7 +2066,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
yy_cp += (int) (dest - source);
yy_bp += (int) (dest - source);
YY_CURRENT_BUFFER_LVALUE->yy_n_chars =
- yyg->yy_n_chars = YY_CURRENT_BUFFER_LVALUE->yy_buf_size;
+ yyg->yy_n_chars = (int) YY_CURRENT_BUFFER_LVALUE->yy_buf_size;
if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
YY_FATAL_ERROR( "flex scanner push-back overflow" );
@@ -1928,7 +2118,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
else
{ /* need more input */
- yy_size_t offset = yyg->yy_c_buf_p - yyg->yytext_ptr;
+ int offset = (int) (yyg->yy_c_buf_p - yyg->yytext_ptr);
++yyg->yy_c_buf_p;
switch ( yy_get_next_buffer( yyscanner ) )
@@ -1945,14 +2135,14 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
*/
/* Reset buffer status. */
- settings_parser_restart(yyin ,yyscanner);
+ yyrestart( yyin , yyscanner);
/*FALLTHROUGH*/
case EOB_ACT_END_OF_FILE:
{
- if ( settings_parser_wrap(yyscanner ) )
- return EOF;
+ if ( yywrap( yyscanner ) )
+ return 0;
if ( ! yyg->yy_did_buffer_switch_on_eof )
YY_NEW_FILE;
@@ -1976,7 +2166,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
/* %% [19.0] update BOL and yylineno */
if ( c == '\n' )
-
+
do{ yylineno++;
yycolumn=0;
}while(0)
@@ -1994,7 +2184,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
* @note This function does not reset the start condition to @c INITIAL .
*/
/* %if-c-only */
- void settings_parser_restart (FILE * input_file , yyscan_t yyscanner)
+ void yyrestart (FILE * input_file , yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -2002,13 +2192,13 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
if ( ! YY_CURRENT_BUFFER ){
- settings_parser_ensure_buffer_stack (yyscanner);
+ yyensure_buffer_stack (yyscanner);
YY_CURRENT_BUFFER_LVALUE =
- settings_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner);
+ yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner);
}
- settings_parser__init_buffer(YY_CURRENT_BUFFER,input_file ,yyscanner);
- settings_parser__load_buffer_state(yyscanner );
+ yy_init_buffer( YY_CURRENT_BUFFER, input_file , yyscanner);
+ yy_load_buffer_state( yyscanner );
}
/* %if-c++-only */
@@ -2019,7 +2209,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
* @param yyscanner The scanner object.
*/
/* %if-c-only */
- void settings_parser__switch_to_buffer (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner)
+ void yy_switch_to_buffer (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -2028,10 +2218,10 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
/* TODO. We should be able to replace this entire function body
* with
- * settings_parser_pop_buffer_state();
- * settings_parser_push_buffer_state(new_buffer);
+ * yypop_buffer_state();
+ * yypush_buffer_state(new_buffer);
*/
- settings_parser_ensure_buffer_stack (yyscanner);
+ yyensure_buffer_stack (yyscanner);
if ( YY_CURRENT_BUFFER == new_buffer )
return;
@@ -2044,18 +2234,18 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
}
YY_CURRENT_BUFFER_LVALUE = new_buffer;
- settings_parser__load_buffer_state(yyscanner );
+ yy_load_buffer_state( yyscanner );
/* We don't actually know whether we did this switch during
- * EOF (settings_parser_wrap()) processing, but the only time this flag
- * is looked at is after settings_parser_wrap() is called, so it's safe
+ * EOF (yywrap()) processing, but the only time this flag
+ * is looked at is after yywrap() is called, so it's safe
* to go ahead and always set it.
*/
yyg->yy_did_buffer_switch_on_eof = 1;
}
/* %if-c-only */
-static void settings_parser__load_buffer_state (yyscan_t yyscanner)
+static void yy_load_buffer_state (yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -2078,29 +2268,29 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner)
* @return the allocated buffer state.
*/
/* %if-c-only */
- YY_BUFFER_STATE settings_parser__create_buffer (FILE * file, int size , yyscan_t yyscanner)
+ YY_BUFFER_STATE yy_create_buffer (FILE * file, int size , yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
{
YY_BUFFER_STATE b;
- b = (YY_BUFFER_STATE) settings_parser_alloc(sizeof( struct yy_buffer_state ) ,yyscanner );
+ b = (YY_BUFFER_STATE) yyalloc( sizeof( struct yy_buffer_state ) , yyscanner );
if ( ! b )
- YY_FATAL_ERROR( "out of dynamic memory in settings_parser__create_buffer()" );
+ YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
- b->yy_buf_size = (yy_size_t)size;
+ b->yy_buf_size = size;
/* yy_ch_buf has to be 2 characters longer than the size given because
* we need to put in 2 end-of-buffer characters.
*/
- b->yy_ch_buf = (char *) settings_parser_alloc(b->yy_buf_size + 2 ,yyscanner );
+ b->yy_ch_buf = (char *) yyalloc( (yy_size_t) (b->yy_buf_size + 2) , yyscanner );
if ( ! b->yy_ch_buf )
- YY_FATAL_ERROR( "out of dynamic memory in settings_parser__create_buffer()" );
+ YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
b->yy_is_our_buffer = 1;
- settings_parser__init_buffer(b,file ,yyscanner);
+ yy_init_buffer( b, file , yyscanner);
return b;
}
@@ -2109,11 +2299,11 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner)
/* %endif */
/** Destroy the buffer.
- * @param b a buffer created with settings_parser__create_buffer()
+ * @param b a buffer created with yy_create_buffer()
* @param yyscanner The scanner object.
*/
/* %if-c-only */
- void settings_parser__delete_buffer (YY_BUFFER_STATE b , yyscan_t yyscanner)
+ void yy_delete_buffer (YY_BUFFER_STATE b , yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -2127,17 +2317,17 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner)
YY_CURRENT_BUFFER_LVALUE = (YY_BUFFER_STATE) 0;
if ( b->yy_is_our_buffer )
- settings_parser_free((void *) b->yy_ch_buf ,yyscanner );
+ yyfree( (void *) b->yy_ch_buf , yyscanner );
- settings_parser_free((void *) b ,yyscanner );
+ yyfree( (void *) b , yyscanner );
}
/* Initializes or reinitializes a buffer.
* This function is sometimes called more than once on the same buffer,
- * such as during a settings_parser_restart() or at EOF.
+ * such as during a yyrestart() or at EOF.
*/
/* %if-c-only */
- static void settings_parser__init_buffer (YY_BUFFER_STATE b, FILE * file , yyscan_t yyscanner)
+ static void yy_init_buffer (YY_BUFFER_STATE b, FILE * file , yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -2146,7 +2336,7 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner)
int oerrno = errno;
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
- settings_parser__flush_buffer(b ,yyscanner);
+ yy_flush_buffer( b , yyscanner);
/* %if-c-only */
b->yy_input_file = file;
@@ -2155,8 +2345,8 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner)
/* %endif */
b->yy_fill_buffer = 1;
- /* If b is the current buffer, then settings_parser__init_buffer was _probably_
- * called from settings_parser_restart() or through yy_get_next_buffer.
+ /* If b is the current buffer, then yy_init_buffer was _probably_
+ * called from yyrestart() or through yy_get_next_buffer.
* In that case, we don't want to reset the lineno or column.
*/
if (b != YY_CURRENT_BUFFER){
@@ -2166,7 +2356,7 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner)
/* %if-c-only */
- b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
+ b->yy_is_interactive = 0;
/* %endif */
/* %if-c++-only */
@@ -2179,7 +2369,7 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner)
* @param yyscanner The scanner object.
*/
/* %if-c-only */
- void settings_parser__flush_buffer (YY_BUFFER_STATE b , yyscan_t yyscanner)
+ void yy_flush_buffer (YY_BUFFER_STATE b , yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -2203,7 +2393,7 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner)
b->yy_buffer_status = YY_BUFFER_NEW;
if ( b == YY_CURRENT_BUFFER )
- settings_parser__load_buffer_state(yyscanner );
+ yy_load_buffer_state( yyscanner );
}
/* %if-c-or-c++ */
@@ -2214,7 +2404,7 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner)
* @param yyscanner The scanner object.
*/
/* %if-c-only */
-void settings_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner)
+void yypush_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -2223,9 +2413,9 @@ void settings_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yy
if (new_buffer == NULL)
return;
- settings_parser_ensure_buffer_stack(yyscanner);
+ yyensure_buffer_stack(yyscanner);
- /* This block is copied from settings_parser__switch_to_buffer. */
+ /* This block is copied from yy_switch_to_buffer. */
if ( YY_CURRENT_BUFFER )
{
/* Flush out information for old buffer. */
@@ -2239,8 +2429,8 @@ void settings_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yy
yyg->yy_buffer_stack_top++;
YY_CURRENT_BUFFER_LVALUE = new_buffer;
- /* copied from settings_parser__switch_to_buffer. */
- settings_parser__load_buffer_state(yyscanner );
+ /* copied from yy_switch_to_buffer. */
+ yy_load_buffer_state( yyscanner );
yyg->yy_did_buffer_switch_on_eof = 1;
}
/* %endif */
@@ -2251,7 +2441,7 @@ void settings_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yy
* @param yyscanner The scanner object.
*/
/* %if-c-only */
-void settings_parser_pop_buffer_state (yyscan_t yyscanner)
+void yypop_buffer_state (yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -2260,13 +2450,13 @@ void settings_parser_pop_buffer_state (yyscan_t yyscanner)
if (!YY_CURRENT_BUFFER)
return;
- settings_parser__delete_buffer(YY_CURRENT_BUFFER ,yyscanner);
+ yy_delete_buffer(YY_CURRENT_BUFFER , yyscanner);
YY_CURRENT_BUFFER_LVALUE = NULL;
if (yyg->yy_buffer_stack_top > 0)
--yyg->yy_buffer_stack_top;
if (YY_CURRENT_BUFFER) {
- settings_parser__load_buffer_state(yyscanner );
+ yy_load_buffer_state( yyscanner );
yyg->yy_did_buffer_switch_on_eof = 1;
}
}
@@ -2277,7 +2467,7 @@ void settings_parser_pop_buffer_state (yyscan_t yyscanner)
* Guarantees space for at least one push.
*/
/* %if-c-only */
-static void settings_parser_ensure_buffer_stack (yyscan_t yyscanner)
+static void yyensure_buffer_stack (yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -2291,15 +2481,15 @@ static void settings_parser_ensure_buffer_stack (yyscan_t yyscanner)
* scanner will even need a stack. We use 2 instead of 1 to avoid an
* immediate realloc on the next call.
*/
- num_to_alloc = 1; /* After all that talk, this was set to 1 anyways... */
- yyg->yy_buffer_stack = (struct yy_buffer_state**)settings_parser_alloc
+ num_to_alloc = 1; /* After all that talk, this was set to 1 anyways... */
+ yyg->yy_buffer_stack = (struct yy_buffer_state**)yyalloc
(num_to_alloc * sizeof(struct yy_buffer_state*)
, yyscanner);
if ( ! yyg->yy_buffer_stack )
- YY_FATAL_ERROR( "out of dynamic memory in settings_parser_ensure_buffer_stack()" );
-
+ YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
+
memset(yyg->yy_buffer_stack, 0, num_to_alloc * sizeof(struct yy_buffer_state*));
-
+
yyg->yy_buffer_stack_max = num_to_alloc;
yyg->yy_buffer_stack_top = 0;
return;
@@ -2311,12 +2501,12 @@ static void settings_parser_ensure_buffer_stack (yyscan_t yyscanner)
yy_size_t grow_size = 8 /* arbitrary grow size */;
num_to_alloc = yyg->yy_buffer_stack_max + grow_size;
- yyg->yy_buffer_stack = (struct yy_buffer_state**)settings_parser_realloc
+ yyg->yy_buffer_stack = (struct yy_buffer_state**)yyrealloc
(yyg->yy_buffer_stack,
num_to_alloc * sizeof(struct yy_buffer_state*)
, yyscanner);
if ( ! yyg->yy_buffer_stack )
- YY_FATAL_ERROR( "out of dynamic memory in settings_parser_ensure_buffer_stack()" );
+ YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
/* zero only the new slots.*/
memset(yyg->yy_buffer_stack + yyg->yy_buffer_stack_max, 0, grow_size * sizeof(struct yy_buffer_state*));
@@ -2330,9 +2520,9 @@ static void settings_parser_ensure_buffer_stack (yyscan_t yyscanner)
* @param base the character buffer
* @param size the size in bytes of the character buffer
* @param yyscanner The scanner object.
- * @return the newly allocated buffer state object.
+ * @return the newly allocated buffer state object.
*/
-YY_BUFFER_STATE settings_parser__scan_buffer (char * base, yy_size_t size , yyscan_t yyscanner)
+YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size , yyscan_t yyscanner)
{
YY_BUFFER_STATE b;
@@ -2340,73 +2530,73 @@ YY_BUFFER_STATE settings_parser__scan_buffer (char * base, yy_size_t size , yy
base[size-2] != YY_END_OF_BUFFER_CHAR ||
base[size-1] != YY_END_OF_BUFFER_CHAR )
/* They forgot to leave room for the EOB's. */
- return 0;
+ return NULL;
- b = (YY_BUFFER_STATE) settings_parser_alloc(sizeof( struct yy_buffer_state ) ,yyscanner );
+ b = (YY_BUFFER_STATE) yyalloc( sizeof( struct yy_buffer_state ) , yyscanner );
if ( ! b )
- YY_FATAL_ERROR( "out of dynamic memory in settings_parser__scan_buffer()" );
+ YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" );
- b->yy_buf_size = size - 2; /* "- 2" to take care of EOB's */
+ b->yy_buf_size = (int) (size - 2); /* "- 2" to take care of EOB's */
b->yy_buf_pos = b->yy_ch_buf = base;
b->yy_is_our_buffer = 0;
- b->yy_input_file = 0;
+ b->yy_input_file = NULL;
b->yy_n_chars = b->yy_buf_size;
b->yy_is_interactive = 0;
b->yy_at_bol = 1;
b->yy_fill_buffer = 0;
b->yy_buffer_status = YY_BUFFER_NEW;
- settings_parser__switch_to_buffer(b ,yyscanner );
+ yy_switch_to_buffer( b , yyscanner );
return b;
}
/* %endif */
/* %if-c-only */
-/** Setup the input buffer state to scan a string. The next call to settings_parser_lex() will
+/** Setup the input buffer state to scan a string. The next call to yylex() will
* scan from a @e copy of @a str.
* @param yystr a NUL-terminated string to scan
* @param yyscanner The scanner object.
* @return the newly allocated buffer state object.
* @note If you want to scan bytes that may contain NUL values, then use
- * settings_parser__scan_bytes() instead.
+ * yy_scan_bytes() instead.
*/
-YY_BUFFER_STATE settings_parser__scan_string (yyconst char * yystr , yyscan_t yyscanner)
+YY_BUFFER_STATE yy_scan_string (const char * yystr , yyscan_t yyscanner)
{
- return settings_parser__scan_bytes(yystr,strlen(yystr) ,yyscanner);
+ return yy_scan_bytes( yystr, (int) strlen(yystr) , yyscanner);
}
/* %endif */
/* %if-c-only */
-/** Setup the input buffer state to scan the given bytes. The next call to settings_parser_lex() will
+/** Setup the input buffer state to scan the given bytes. The next call to yylex() will
* scan from a @e copy of @a bytes.
* @param yybytes the byte buffer to scan
* @param _yybytes_len the number of bytes in the buffer pointed to by @a bytes.
* @param yyscanner The scanner object.
* @return the newly allocated buffer state object.
*/
-YY_BUFFER_STATE settings_parser__scan_bytes (yyconst char * yybytes, yy_size_t _yybytes_len , yyscan_t yyscanner)
+YY_BUFFER_STATE yy_scan_bytes (const char * yybytes, int _yybytes_len , yyscan_t yyscanner)
{
YY_BUFFER_STATE b;
char *buf;
yy_size_t n;
- yy_size_t i;
+ int i;
/* Get memory for full buffer, including space for trailing EOB's. */
- n = _yybytes_len + 2;
- buf = (char *) settings_parser_alloc(n ,yyscanner );
+ n = (yy_size_t) (_yybytes_len + 2);
+ buf = (char *) yyalloc( n , yyscanner );
if ( ! buf )
- YY_FATAL_ERROR( "out of dynamic memory in settings_parser__scan_bytes()" );
+ YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
for ( i = 0; i < _yybytes_len; ++i )
buf[i] = yybytes[i];
buf[_yybytes_len] = buf[_yybytes_len+1] = YY_END_OF_BUFFER_CHAR;
- b = settings_parser__scan_buffer(buf,n ,yyscanner);
+ b = yy_scan_buffer( buf, n , yyscanner);
if ( ! b )
- YY_FATAL_ERROR( "bad buffer in settings_parser__scan_bytes()" );
+ YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" );
/* It's okay to grow etc. this buffer, and we should throw it
* away when we're done.
@@ -2429,13 +2619,14 @@ YY_BUFFER_STATE settings_parser__scan_bytes (yyconst char * yybytes, yy_size_t
yy_size_t new_size;
yyg->yy_start_stack_depth += YY_START_STACK_INCR;
- new_size = yyg->yy_start_stack_depth * sizeof( int );
+ new_size = (yy_size_t) yyg->yy_start_stack_depth * sizeof( int );
if ( ! yyg->yy_start_stack )
- yyg->yy_start_stack = (int *) settings_parser_alloc(new_size ,yyscanner );
+ yyg->yy_start_stack = (int *) yyalloc( new_size , yyscanner );
else
- yyg->yy_start_stack = (int *) settings_parser_realloc((void *) yyg->yy_start_stack,new_size ,yyscanner );
+ yyg->yy_start_stack = (int *) yyrealloc(
+ (void *) yyg->yy_start_stack, new_size , yyscanner );
if ( ! yyg->yy_start_stack )
YY_FATAL_ERROR( "out of memory expanding start-condition stack" );
@@ -2474,11 +2665,11 @@ YY_BUFFER_STATE settings_parser__scan_bytes (yyconst char * yybytes, yy_size_t
#endif
/* %if-c-only */
-static void yy_fatal_error (yyconst char* msg , yyscan_t yyscanner)
+static void yynoreturn yy_fatal_error (const char* msg , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
(void)yyg;
- (void) fprintf( stderr, "%s\n", msg );
+ fprintf( stderr, "%s\n", msg );
exit( YY_EXIT_FAILURE );
}
/* %endif */
@@ -2510,7 +2701,7 @@ static void yy_fatal_error (yyconst char* msg , yyscan_t yyscanner)
/** Get the user-defined data for this scanner.
* @param yyscanner The scanner object.
*/
-YY_EXTRA_TYPE settings_parser_get_extra (yyscan_t yyscanner)
+YY_EXTRA_TYPE yyget_extra (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
return yyextra;
@@ -2521,10 +2712,10 @@ YY_EXTRA_TYPE settings_parser_get_extra (yyscan_t yyscanner)
/** Get the current line number.
* @param yyscanner The scanner object.
*/
-int settings_parser_get_lineno (yyscan_t yyscanner)
+int yyget_lineno (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
-
+
if (! YY_CURRENT_BUFFER)
return 0;
@@ -2534,10 +2725,10 @@ int settings_parser_get_lineno (yyscan_t yyscanner)
/** Get the current column number.
* @param yyscanner The scanner object.
*/
-int settings_parser_get_column (yyscan_t yyscanner)
+int yyget_column (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
-
+
if (! YY_CURRENT_BUFFER)
return 0;
@@ -2547,7 +2738,7 @@ int settings_parser_get_column (yyscan_t yyscanner)
/** Get the input stream.
* @param yyscanner The scanner object.
*/
-FILE *settings_parser_get_in (yyscan_t yyscanner)
+FILE *yyget_in (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
return yyin;
@@ -2556,7 +2747,7 @@ FILE *settings_parser_get_in (yyscan_t yyscanner)
/** Get the output stream.
* @param yyscanner The scanner object.
*/
-FILE *settings_parser_get_out (yyscan_t yyscanner)
+FILE *yyget_out (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
return yyout;
@@ -2565,7 +2756,7 @@ FILE *settings_parser_get_out (yyscan_t yyscanner)
/** Get the length of the current token.
* @param yyscanner The scanner object.
*/
-yy_size_t settings_parser_get_leng (yyscan_t yyscanner)
+int yyget_leng (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
return yyleng;
@@ -2575,7 +2766,7 @@ yy_size_t settings_parser_get_leng (yyscan_t yyscanner)
* @param yyscanner The scanner object.
*/
-char *settings_parser_get_text (yyscan_t yyscanner)
+char *yyget_text (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
return yytext;
@@ -2587,7 +2778,7 @@ char *settings_parser_get_text (yyscan_t yyscanner)
* @param user_defined The data to be associated with this scanner.
* @param yyscanner The scanner object.
*/
-void settings_parser_set_extra (YY_EXTRA_TYPE user_defined , yyscan_t yyscanner)
+void yyset_extra (YY_EXTRA_TYPE user_defined , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
yyextra = user_defined ;
@@ -2599,13 +2790,13 @@ void settings_parser_set_extra (YY_EXTRA_TYPE user_defined , yyscan_t yyscanner
* @param _line_number line number
* @param yyscanner The scanner object.
*/
-void settings_parser_set_lineno (int _line_number , yyscan_t yyscanner)
+void yyset_lineno (int _line_number , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
/* lineno is only valid if an input buffer exists. */
if (! YY_CURRENT_BUFFER )
- YY_FATAL_ERROR( "settings_parser_set_lineno called with no buffer" );
+ YY_FATAL_ERROR( "yyset_lineno called with no buffer" );
yylineno = _line_number;
}
@@ -2614,13 +2805,13 @@ void settings_parser_set_lineno (int _line_number , yyscan_t yyscanner)
* @param _column_no column number
* @param yyscanner The scanner object.
*/
-void settings_parser_set_column (int _column_no , yyscan_t yyscanner)
+void yyset_column (int _column_no , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
/* column is only valid if an input buffer exists. */
if (! YY_CURRENT_BUFFER )
- YY_FATAL_ERROR( "settings_parser_set_column called with no buffer" );
+ YY_FATAL_ERROR( "yyset_column called with no buffer" );
yycolumn = _column_no;
}
@@ -2629,27 +2820,27 @@ void settings_parser_set_column (int _column_no , yyscan_t yyscanner)
* input buffer.
* @param _in_str A readable stream.
* @param yyscanner The scanner object.
- * @see settings_parser__switch_to_buffer
+ * @see yy_switch_to_buffer
*/
-void settings_parser_set_in (FILE * _in_str , yyscan_t yyscanner)
+void yyset_in (FILE * _in_str , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
yyin = _in_str ;
}
-void settings_parser_set_out (FILE * _out_str , yyscan_t yyscanner)
+void yyset_out (FILE * _out_str , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
yyout = _out_str ;
}
-int settings_parser_get_debug (yyscan_t yyscanner)
+int yyget_debug (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
return yy_flex_debug;
}
-void settings_parser_set_debug (int _bdebug , yyscan_t yyscanner)
+void yyset_debug (int _bdebug , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
yy_flex_debug = _bdebug ;
@@ -2662,13 +2853,13 @@ void settings_parser_set_debug (int _bdebug , yyscan_t yyscanner)
/* %if-bison-bridge */
-YYSTYPE * settings_parser_get_lval (yyscan_t yyscanner)
+YYSTYPE * yyget_lval (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
return yylval;
}
-void settings_parser_set_lval (YYSTYPE * yylval_param , yyscan_t yyscanner)
+void yyset_lval (YYSTYPE * yylval_param , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
yylval = yylval_param;
@@ -2678,20 +2869,18 @@ void settings_parser_set_lval (YYSTYPE * yylval_param , yyscan_t yyscanner)
/* User-visible API */
-/* settings_parser_lex_init is special because it creates the scanner itself, so it is
+/* yylex_init is special because it creates the scanner itself, so it is
* the ONLY reentrant function that doesn't take the scanner as the last argument.
* That's why we explicitly handle the declaration, instead of using our macros.
*/
-
-int settings_parser_lex_init(yyscan_t* ptr_yy_globals)
-
+int yylex_init(yyscan_t* ptr_yy_globals)
{
if (ptr_yy_globals == NULL){
errno = EINVAL;
return 1;
}
- *ptr_yy_globals = (yyscan_t) settings_parser_alloc ( sizeof( struct yyguts_t ), NULL );
+ *ptr_yy_globals = (yyscan_t) yyalloc ( sizeof( struct yyguts_t ), NULL );
if (*ptr_yy_globals == NULL){
errno = ENOMEM;
@@ -2704,39 +2893,37 @@ int settings_parser_lex_init(yyscan_t* ptr_yy_globals)
return yy_init_globals ( *ptr_yy_globals );
}
-/* settings_parser_lex_init_extra has the same functionality as settings_parser_lex_init, but follows the
+/* yylex_init_extra has the same functionality as yylex_init, but follows the
* convention of taking the scanner as the last argument. Note however, that
* this is a *pointer* to a scanner, as it will be allocated by this call (and
* is the reason, too, why this function also must handle its own declaration).
- * The user defined value in the first argument will be available to settings_parser_alloc in
+ * The user defined value in the first argument will be available to yyalloc in
* the yyextra field.
*/
-
-int settings_parser_lex_init_extra(YY_EXTRA_TYPE yy_user_defined,yyscan_t* ptr_yy_globals )
-
+int yylex_init_extra( YY_EXTRA_TYPE yy_user_defined, yyscan_t* ptr_yy_globals )
{
struct yyguts_t dummy_yyguts;
- settings_parser_set_extra (yy_user_defined, &dummy_yyguts);
+ yyset_extra (yy_user_defined, &dummy_yyguts);
if (ptr_yy_globals == NULL){
errno = EINVAL;
return 1;
}
-
- *ptr_yy_globals = (yyscan_t) settings_parser_alloc ( sizeof( struct yyguts_t ), &dummy_yyguts );
-
+
+ *ptr_yy_globals = (yyscan_t) yyalloc ( sizeof( struct yyguts_t ), &dummy_yyguts );
+
if (*ptr_yy_globals == NULL){
errno = ENOMEM;
return 1;
}
-
+
/* By setting to 0xAA, we expose bugs in
yy_init_globals. Leave at 0x00 for releases. */
memset(*ptr_yy_globals,0x00,sizeof(struct yyguts_t));
-
- settings_parser_set_extra (yy_user_defined, *ptr_yy_globals);
-
+
+ yyset_extra (yy_user_defined, *ptr_yy_globals);
+
return yy_init_globals ( *ptr_yy_globals );
}
@@ -2747,13 +2934,13 @@ static int yy_init_globals (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
/* Initialization is the same as for the non-reentrant scanner.
- * This function is called from settings_parser_lex_destroy(), so don't allocate here.
+ * This function is called from yylex_destroy(), so don't allocate here.
*/
- yyg->yy_buffer_stack = 0;
+ yyg->yy_buffer_stack = NULL;
yyg->yy_buffer_stack_top = 0;
yyg->yy_buffer_stack_max = 0;
- yyg->yy_c_buf_p = (char *) 0;
+ yyg->yy_c_buf_p = NULL;
yyg->yy_init = 0;
yyg->yy_start = 0;
@@ -2766,45 +2953,45 @@ static int yy_init_globals (yyscan_t yyscanner)
yyin = stdin;
yyout = stdout;
#else
- yyin = (FILE *) 0;
- yyout = (FILE *) 0;
+ yyin = NULL;
+ yyout = NULL;
#endif
/* For future reference: Set errno on error, since we are called by
- * settings_parser_lex_init()
+ * yylex_init()
*/
return 0;
}
/* %endif */
/* %if-c-only SNIP! this currently causes conflicts with the c++ scanner */
-/* settings_parser_lex_destroy is for both reentrant and non-reentrant scanners. */
-int settings_parser_lex_destroy (yyscan_t yyscanner)
+/* yylex_destroy is for both reentrant and non-reentrant scanners. */
+int yylex_destroy (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
/* Pop the buffer stack, destroying each element. */
while(YY_CURRENT_BUFFER){
- settings_parser__delete_buffer(YY_CURRENT_BUFFER ,yyscanner );
+ yy_delete_buffer( YY_CURRENT_BUFFER , yyscanner );
YY_CURRENT_BUFFER_LVALUE = NULL;
- settings_parser_pop_buffer_state(yyscanner);
+ yypop_buffer_state(yyscanner);
}
/* Destroy the stack itself. */
- settings_parser_free(yyg->yy_buffer_stack ,yyscanner);
+ yyfree(yyg->yy_buffer_stack , yyscanner);
yyg->yy_buffer_stack = NULL;
/* Destroy the start condition stack. */
- settings_parser_free(yyg->yy_start_stack ,yyscanner );
+ yyfree( yyg->yy_start_stack , yyscanner );
yyg->yy_start_stack = NULL;
/* Reset the globals. This is important in a non-reentrant scanner so the next time
- * settings_parser_lex() is called, initialization will occur. */
+ * yylex() is called, initialization will occur. */
yy_init_globals( yyscanner);
/* %if-reentrant */
/* Destroy the main struct (reentrant only). */
- settings_parser_free ( yyscanner , yyscanner );
+ yyfree ( yyscanner , yyscanner );
yyscanner = NULL;
/* %endif */
return 0;
@@ -2816,7 +3003,7 @@ int settings_parser_lex_destroy (yyscan_t yyscanner)
*/
#ifndef yytext_ptr
-static void yy_flex_strncpy (char* s1, yyconst char * s2, int n , yyscan_t yyscanner)
+static void yy_flex_strncpy (char* s1, const char * s2, int n , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
(void)yyg;
@@ -2828,7 +3015,7 @@ static void yy_flex_strncpy (char* s1, yyconst char * s2, int n , yyscan_t yysca
#endif
#ifdef YY_NEED_STRLEN
-static int yy_flex_strlen (yyconst char * s , yyscan_t yyscanner)
+static int yy_flex_strlen (const char * s , yyscan_t yyscanner)
{
int n;
for ( n = 0; s[n]; ++n )
@@ -2838,14 +3025,14 @@ static int yy_flex_strlen (yyconst char * s , yyscan_t yyscanner)
}
#endif
-void *settings_parser_alloc (yy_size_t size , yyscan_t yyscanner)
+void *yyalloc (yy_size_t size , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
(void)yyg;
- return (void *) malloc( size );
+ return malloc(size);
}
-void *settings_parser_realloc (void * ptr, yy_size_t size , yyscan_t yyscanner)
+void *yyrealloc (void * ptr, yy_size_t size , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
(void)yyg;
@@ -2857,14 +3044,14 @@ void *settings_parser_realloc (void * ptr, yy_size_t size , yyscan_t yyscanner
* any pointer type to void*, and deal with argument conversions
* as though doing an assignment.
*/
- return (void *) realloc( (char *) ptr, size );
+ return realloc(ptr, size);
}
-void settings_parser_free (void * ptr , yyscan_t yyscanner)
+void yyfree (void * ptr , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
(void)yyg;
- free( (char *) ptr ); /* see settings_parser_realloc() for (char *) cast */
+ free( (char *) ptr ); /* see yyrealloc() for (char *) cast */
}
/* %if-tables-serialization definitions */
@@ -2874,8 +3061,7 @@ void settings_parser_free (void * ptr , yyscan_t yyscanner)
/* %ok-for-header */
-#line 236 "settings/settings_lexer.l"
-
+#line 241 "settings/settings_lexer.l"
/**
diff --git a/src/libstrongswan/settings/settings_lexer.l b/src/libstrongswan/settings/settings_lexer.l
index 19ab8d7b2..e8c2b9884 100644
--- a/src/libstrongswan/settings/settings_lexer.l
+++ b/src/libstrongswan/settings/settings_lexer.l
@@ -32,6 +32,11 @@ static void include_files(parser_helper_t *ctx);
/* do not declare unneeded functions */
%option noinput noyywrap
+/* do not include unistd.h as it might conflict with our scanner states */
+%option nounistd
+/* due to that disable interactive mode, which requires isatty() */
+%option never-interactive
+
/* don't use global variables, and interact properly with bison */
%option reentrant bison-bridge
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
index 5737e7a17..d4cac5a3b 100644
--- a/src/libstrongswan/tests/Makefile.am
+++ b/src/libstrongswan/tests/Makefile.am
@@ -58,6 +58,7 @@ libstrongswan_tests_SOURCES = tests.h tests.c \
suites/test_mgf1.c \
suites/test_ntru.c \
suites/test_ed25519.c \
+ suites/test_ed448.c \
suites/test_signature_params.c
libstrongswan_tests_CFLAGS = \
diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in
index c5b943572..664c84f3f 100644
--- a/src/libstrongswan/tests/Makefile.in
+++ b/src/libstrongswan/tests/Makefile.in
@@ -163,6 +163,7 @@ am_libstrongswan_tests_OBJECTS = libstrongswan_tests-tests.$(OBJEXT) \
suites/libstrongswan_tests-test_mgf1.$(OBJEXT) \
suites/libstrongswan_tests-test_ntru.$(OBJEXT) \
suites/libstrongswan_tests-test_ed25519.$(OBJEXT) \
+ suites/libstrongswan_tests-test_ed448.$(OBJEXT) \
suites/libstrongswan_tests-test_signature_params.$(OBJEXT)
libstrongswan_tests_OBJECTS = $(am_libstrongswan_tests_OBJECTS)
libstrongswan_tests_DEPENDENCIES = \
@@ -548,6 +549,7 @@ libstrongswan_tests_SOURCES = tests.h tests.c \
suites/test_mgf1.c \
suites/test_ntru.c \
suites/test_ed25519.c \
+ suites/test_ed448.c \
suites/test_signature_params.c
libstrongswan_tests_CFLAGS = \
@@ -708,6 +710,8 @@ suites/libstrongswan_tests-test_ntru.$(OBJEXT): \
suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
suites/libstrongswan_tests-test_ed25519.$(OBJEXT): \
suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/libstrongswan_tests-test_ed448.$(OBJEXT): \
+ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
suites/libstrongswan_tests-test_signature_params.$(OBJEXT): \
suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
@@ -740,6 +744,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_ecdsa.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_ed25519.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_enum.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_enumerator.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_fetch_http.Po@am__quote@
@@ -1359,6 +1364,20 @@ suites/libstrongswan_tests-test_ed25519.obj: suites/test_ed25519.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ed25519.obj `if test -f 'suites/test_ed25519.c'; then $(CYGPATH_W) 'suites/test_ed25519.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed25519.c'; fi`
+suites/libstrongswan_tests-test_ed448.o: suites/test_ed448.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ed448.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Tpo -c -o suites/libstrongswan_tests-test_ed448.o `test -f 'suites/test_ed448.c' || echo '$(srcdir)/'`suites/test_ed448.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ed448.c' object='suites/libstrongswan_tests-test_ed448.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ed448.o `test -f 'suites/test_ed448.c' || echo '$(srcdir)/'`suites/test_ed448.c
+
+suites/libstrongswan_tests-test_ed448.obj: suites/test_ed448.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ed448.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Tpo -c -o suites/libstrongswan_tests-test_ed448.obj `if test -f 'suites/test_ed448.c'; then $(CYGPATH_W) 'suites/test_ed448.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed448.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ed448.c' object='suites/libstrongswan_tests-test_ed448.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ed448.obj `if test -f 'suites/test_ed448.c'; then $(CYGPATH_W) 'suites/test_ed448.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed448.c'; fi`
+
suites/libstrongswan_tests-test_signature_params.o: suites/test_signature_params.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_signature_params.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Tpo -c -o suites/libstrongswan_tests-test_signature_params.o `test -f 'suites/test_signature_params.c' || echo '$(srcdir)/'`suites/test_signature_params.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Po
diff --git a/src/libstrongswan/tests/suites/test_ed25519.c b/src/libstrongswan/tests/suites/test_ed25519.c
index 86cbb1bc0..c52b90885 100644
--- a/src/libstrongswan/tests/suites/test_ed25519.c
+++ b/src/libstrongswan/tests/suites/test_ed25519.c
@@ -24,10 +24,12 @@ struct sig_test_t {
chunk_t pubkey;
chunk_t msg;
chunk_t sig;
+ chunk_t fp_pk;
+ chunk_t fp_spki;
};
/**
- * Ed25519 Test Vectors from draft-irtf-cfrg-eddsa
+ * Ed25519 Test Vectors from RFC 8032
*/
static sig_test_t sig_tests[] = {
/* Test 1 */
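Review bot: The new `sig_test_t` members `fp_pk` and `fp_spki` carry no comment saying what they hold; the struct itself starts above this hunk. Judging by how test_ed25519_sign uses them later in this diff, they are the expected `KEYID_PUBKEY_SHA1` and `KEYID_PUBKEY_INFO_SHA1` fingerprints, so I would add `/* expected KEYID_PUBKEY_SHA1 fingerprint */` and `/* expected KEYID_PUBKEY_INFO_SHA1 fingerprint */` next to them. The header comment now cites RFC 8032 for the vectors, but the RFC's vectors do not include key fingerprints, so a short note on how the 20-byte values were derived would help. Without it a reader cannot tell whether they were computed independently of the code under test.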
@@ -51,7 +53,13 @@ static sig_test_t sig_tests[] = {
0x01, 0x55, 0x5f, 0xb8, 0x82, 0x15, 0x90, 0xa3, 0x3b, 0xac,
0xc6, 0x1e, 0x39, 0x70, 0x1c, 0xf9, 0xb4, 0x6b, 0xd2, 0x5b,
0xf5, 0xf0, 0x59, 0x5b, 0xbe, 0x24, 0x65, 0x51, 0x41, 0x43,
- 0x8e, 0x7a, 0x10, 0x0b)
+ 0x8e, 0x7a, 0x10, 0x0b),
+ chunk_from_chars(
+ 0x5b, 0x27, 0xaa, 0x55, 0x89, 0x17, 0x97, 0x70, 0xe4, 0x75,
+ 0x75, 0xb1, 0x62, 0xa1, 0xde, 0xd9, 0x7b, 0x8b, 0xfc, 0x6d),
+ chunk_from_chars(
+ 0xa5, 0x66, 0xbe, 0x19, 0x84, 0x01, 0x73, 0x41, 0x3a, 0x61,
+ 0x04, 0x83, 0x50, 0xef, 0xf2, 0x3e, 0x8f, 0xe2, 0x22, 0x66),
},
/* Test 2 */
{ chunk_from_chars(
@@ -75,7 +83,13 @@ static sig_test_t sig_tests[] = {
0x69, 0xda, 0x08, 0x5a, 0xc1, 0xe4, 0x3e, 0x15, 0x99, 0x6e,
0x45, 0x8f, 0x36, 0x13, 0xd0, 0xf1, 0x1d, 0x8c, 0x38, 0x7b,
0x2e, 0xae, 0xb4, 0x30, 0x2a, 0xee, 0xb0, 0x0d, 0x29, 0x16,
- 0x12, 0xbb, 0x0c, 0x00)
+ 0x12, 0xbb, 0x0c, 0x00),
+ chunk_from_chars(
+ 0x13, 0xf7, 0x72, 0x66, 0x9e, 0x15, 0x2a, 0xe6, 0xa6, 0x2a,
+ 0x60, 0xa3, 0x48, 0x8a, 0x6f, 0x29, 0x7d, 0x06, 0x13, 0xdd),
+ chunk_from_chars(
+ 0xbd, 0xae, 0x41, 0xeb, 0x5d, 0xbf, 0x88, 0xb9, 0xdf, 0x18,
+ 0xda, 0xbb, 0x2d, 0xee, 0xa9, 0x1a, 0x4e, 0x03, 0x38, 0xe4),
},
/* Test 3 */
{ chunk_from_chars(
@@ -99,7 +113,13 @@ static sig_test_t sig_tests[] = {
0xc3, 0xac, 0x18, 0xff, 0x9b, 0x53, 0x8d, 0x16, 0xf2, 0x90,
0xae, 0x67, 0xf7, 0x60, 0x98, 0x4d, 0xc6, 0x59, 0x4a, 0x7c,
0x15, 0xe9, 0x71, 0x6e, 0xd2, 0x8d, 0xc0, 0x27, 0xbe, 0xce,
- 0xea, 0x1e, 0xc4, 0x0a)
+ 0xea, 0x1e, 0xc4, 0x0a),
+ chunk_from_chars(
+ 0x88, 0xc7, 0x64, 0xc8, 0xbe, 0x44, 0x37, 0x4a, 0x7d, 0x2f,
+ 0x5d, 0x84, 0x72, 0x1f, 0x8e, 0x32, 0x5e, 0x5b, 0xd6, 0x4c),
+ chunk_from_chars(
+ 0xad, 0x01, 0x30, 0xb1, 0x2b, 0x48, 0x62, 0x9b, 0xb9, 0xad,
+ 0xea, 0x92, 0x1f, 0xfe, 0xd2, 0x9a, 0x42, 0xf0, 0xad, 0xe6),
},
/* Test 1024 */
{ chunk_from_chars(
@@ -235,7 +255,13 @@ static sig_test_t sig_tests[] = {
0xc3, 0x50, 0xaa, 0x53, 0x71, 0xb1, 0x50, 0x8f, 0x9f, 0x45,
0x28, 0xec, 0xea, 0x23, 0xc4, 0x36, 0xd9, 0x4b, 0x5e, 0x8f,
0xcd, 0x4f, 0x68, 0x1e, 0x30, 0xa6, 0xac, 0x00, 0xa9, 0x70,
- 0x4a, 0x18, 0x8a, 0x03)
+ 0x4a, 0x18, 0x8a, 0x03),
+ chunk_from_chars(
+ 0x11, 0x2d, 0xb3, 0x08, 0x97, 0x6e, 0x38, 0x8f, 0x5f, 0x5e,
+ 0xb0, 0xae, 0x8f, 0x5f, 0x59, 0x1d, 0xff, 0x74, 0xf4, 0x44),
+ chunk_from_chars(
+ 0xcb, 0x36, 0xcc, 0x6a, 0x82, 0x2c, 0x49, 0x40, 0xfb, 0x08,
+ 0x04, 0xf6, 0x3a, 0x4f, 0x20, 0x2b, 0xe5, 0x73, 0x43, 0x2f),
},
/* Test SHA(abc) */
{ chunk_from_chars(
@@ -265,7 +291,13 @@ static sig_test_t sig_tests[] = {
0xb5, 0x89, 0x09, 0x35, 0x1f, 0xc9, 0xac, 0x90, 0xb3, 0xec,
0xfd, 0xfb, 0xc7, 0xc6, 0x64, 0x31, 0xe0, 0x30, 0x3d, 0xca,
0x17, 0x9c, 0x13, 0x8a, 0xc1, 0x7a, 0xd9, 0xbe, 0xf1, 0x17,
- 0x73, 0x31, 0xa7, 0x04)
+ 0x73, 0x31, 0xa7, 0x04),
+ chunk_from_chars(
+ 0x26, 0x4c, 0xa5, 0x7f, 0x89, 0x6d, 0x64, 0x81, 0xd1, 0x87,
+ 0xe9, 0x89, 0x47, 0x29, 0x5a, 0xfe, 0xe3, 0x6d, 0x82, 0x44),
+ chunk_from_chars(
+ 0x27, 0x88, 0xfc, 0x14, 0xb1, 0xcd, 0xd0, 0x24, 0xd5, 0x9d,
+ 0x31, 0x65, 0x59, 0x63, 0x69, 0xcf, 0xaf, 0x50, 0x10, 0xe7),
}
};
@@ -273,24 +305,34 @@ START_TEST(test_ed25519_sign)
{
private_key_t *key;
public_key_t *pubkey, *public;
- chunk_t sig, encoding;
+ chunk_t sig, encoding, fp;
/* load private key */
key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED25519,
BUILD_BLOB_ASN1_DER, sig_tests[_i].key, BUILD_END);
ck_assert(key != NULL);
ck_assert(key->get_encoding(key, PRIVKEY_ASN1_DER, &encoding));
- ck_assert(chunk_equals(encoding, sig_tests[_i].key));
+ ck_assert_chunk_eq(encoding, sig_tests[_i].key);
chunk_free(&encoding);
+ ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp));
+ ck_assert_chunk_eq(sig_tests[_i].fp_pk, fp);
+ ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &fp));
+ ck_assert_chunk_eq(sig_tests[_i].fp_spki, fp);
+
/* load public key */
pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519,
BUILD_BLOB_ASN1_DER, sig_tests[_i].pubkey, BUILD_END);
ck_assert(pubkey != NULL);
ck_assert(pubkey->get_encoding(pubkey, PUBKEY_SPKI_ASN1_DER, &encoding));
- ck_assert(chunk_equals(encoding, sig_tests[_i].pubkey));
+ ck_assert_chunk_eq(encoding, sig_tests[_i].pubkey);
chunk_free(&encoding);
+ ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp));
+ ck_assert_chunk_eq(sig_tests[_i].fp_pk, fp);
+ ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_INFO_SHA1, &fp));
+ ck_assert_chunk_eq(sig_tests[_i].fp_spki, fp);
+
/* compare public keys */
public = key->get_public_key(key);
ck_assert(public != NULL);
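Review bot: The added fingerprint assertions pass the expected value first, `ck_assert_chunk_eq(sig_tests[_i].fp_pk, fp)`, while the encoding assertions converted in the same hunk pass the computed value first, `ck_assert_chunk_eq(encoding, sig_tests[_i].key)`. Using one order throughout, e.g. `ck_assert_chunk_eq(fp, sig_tests[_i].fp_pk);`, keeps failure output easy to read if the macro prints its operands in order. The same applies to the `fp_spki` assertions on both the private and the public key. test_ed25519_sign continues past the end of this hunk.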
@@ -299,7 +341,7 @@ START_TEST(test_ed25519_sign)
/* sign */
ck_assert(key->sign(key, SIGN_ED25519, NULL, sig_tests[_i].msg, &sig));
ck_assert(sig.len == 64);
- ck_assert(chunk_equals(sig, sig_tests[_i].sig));
+ ck_assert_chunk_eq(sig, sig_tests[_i].sig);
/* verify */
ck_assert(pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[_i].msg,
@@ -364,7 +406,7 @@ START_TEST(test_ed25519_gen)
ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp_pub));
ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp_pub));
ck_assert(fp_pub.ptr != NULL);
- ck_assert(chunk_equals(fp_pub, fp_priv));
+ ck_assert_chunk_eq(fp_pub, fp_priv);
/* clone public key */
pubkey2 = pubkey->get_ref(pubkey);
@@ -429,6 +471,16 @@ static chunk_t zero_pk = chunk_from_chars(
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00);
+/* sig_tests[0].sig with s+L */
+static chunk_t malleable_sig = chunk_from_chars(
+ 0xe5, 0x56, 0x43, 0x00, 0xc3, 0x60, 0xac, 0x72, 0x90, 0x86,
+ 0xe2, 0xcc, 0x80, 0x6e, 0x82, 0x8a, 0x84, 0x87, 0x7f, 0x1e,
+ 0xb8, 0xe5, 0xd9, 0x74, 0xd8, 0x73, 0xe0, 0x65, 0x22, 0x49,
+ 0x01, 0x55, 0x4c, 0x8c, 0x78, 0x72, 0xaa, 0x06, 0x4e, 0x04,
+ 0x9d, 0xbb, 0x30, 0x13, 0xfb, 0xf2, 0x93, 0x80, 0xd2, 0x5b,
+ 0xf5, 0xf0, 0x59, 0x5b, 0xbe, 0x24, 0x65, 0x51, 0x41, 0x43,
+ 0x8e, 0x7a, 0x10, 0x1b);
+
START_TEST(test_ed25519_fail)
{
private_key_t *key;
@@ -479,6 +531,16 @@ START_TEST(test_ed25519_fail)
ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, chunk_empty,
chunk_empty));
+ /* RFC 8032, section 5.1.7 requires that 0 <= s < L to prevent signature
+ * malleability. Only a warning because Botan and OpenSSL are both
+ * vulnerable to this. */
+ if (pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg,
+ malleable_sig))
+ {
+ warn("Ed25519 signature verification is vulnerable to malleable "
+ "signatures");
+ }
+
/* malformed signature */
sig = chunk_create(sig1, 64);
memcpy(sig1, sig_tests[0].sig.ptr, 64);
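Review bot: The malleability check added to test_ed25519_fail only calls `warn(...)` when `malleable_sig` (s+L) verifies, so the suite stays green on a backend that accepts non-canonical s, and a regression in a backend that rejects it today would go unnoticed. The comment gives the reason for Botan and OpenSSL. Where the harness can tell that a stricter plugin provides the key, the check could be a hard assertion, `ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg, malleable_sig));`. It would also help to extend the comment with who is affected: callers that treat the signature bytes as a unique identifier. The same warn-only pattern appears in test_ed448_fail in the new test_ed448.c, and the body of test_ed25519_fail starts and ends outside this hunk.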
diff --git a/src/libstrongswan/tests/suites/test_ed448.c b/src/libstrongswan/tests/suites/test_ed448.c
new file mode 100644
index 000000000..288da19a0
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_ed448.c
@@ -0,0 +1,654 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <time.h>
+
+typedef struct sig_test_t sig_test_t;
+
+struct sig_test_t {
+ chunk_t key;
+ chunk_t pubkey;
+ chunk_t msg;
+ chunk_t sig;
+ chunk_t fp_pk;
+ chunk_t fp_spki;
+};
+
+/**
+ * Ed448 Test Vectors from RFC 8032
+ */
+static sig_test_t sig_tests[] = {
+ /* Blank */
+ { chunk_from_chars(
+ 0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+ 0x6c,0x82,0xa5,0x62,0xcb,0x80,0x8d,0x10,0xd6,0x32,0xbe,0x89,0xc8,0x51,0x3e,0xbf,
+ 0x6c,0x92,0x9f,0x34,0xdd,0xfa,0x8c,0x9f,0x63,0xc9,0x96,0x0e,0xf6,0xe3,0x48,0xa3,
+ 0x52,0x8c,0x8a,0x3f,0xcc,0x2f,0x04,0x4e,0x39,0xa3,0xfc,0x5b,0x94,0x49,0x2f,0x8f,
+ 0x03,0x2e,0x75,0x49,0xa2,0x00,0x98,0xf9,0x5b),
+ chunk_from_chars(
+ 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0x5f,0xd7,0x44,0x9b,
+ 0x59,0xb4,0x61,0xfd,0x2c,0xe7,0x87,0xec,0x61,0x6a,0xd4,0x6a,0x1d,0xa1,0x34,0x24,
+ 0x85,0xa7,0x0e,0x1f,0x8a,0x0e,0xa7,0x5d,0x80,0xe9,0x67,0x78,0xed,0xf1,0x24,0x76,
+ 0x9b,0x46,0xc7,0x06,0x1b,0xd6,0x78,0x3d,0xf1,0xe5,0x0f,0x6c,0xd1,0xfa,0x1a,0xbe,
+ 0xaf,0xe8,0x25,0x61,0x80),
+ { NULL, 0 },
+ chunk_from_chars(
+ 0x53,0x3a,0x37,0xf6,0xbb,0xe4,0x57,0x25,0x1f,0x02,0x3c,0x0d,0x88,0xf9,0x76,0xae,
+ 0x2d,0xfb,0x50,0x4a,0x84,0x3e,0x34,0xd2,0x07,0x4f,0xd8,0x23,0xd4,0x1a,0x59,0x1f,
+ 0x2b,0x23,0x3f,0x03,0x4f,0x62,0x82,0x81,0xf2,0xfd,0x7a,0x22,0xdd,0xd4,0x7d,0x78,
+ 0x28,0xc5,0x9b,0xd0,0xa2,0x1b,0xfd,0x39,0x80,0xff,0x0d,0x20,0x28,0xd4,0xb1,0x8a,
+ 0x9d,0xf6,0x3e,0x00,0x6c,0x5d,0x1c,0x2d,0x34,0x5b,0x92,0x5d,0x8d,0xc0,0x0b,0x41,
+ 0x04,0x85,0x2d,0xb9,0x9a,0xc5,0xc7,0xcd,0xda,0x85,0x30,0xa1,0x13,0xa0,0xf4,0xdb,
+ 0xb6,0x11,0x49,0xf0,0x5a,0x73,0x63,0x26,0x8c,0x71,0xd9,0x58,0x08,0xff,0x2e,0x65,
+ 0x26,0x00),
+ chunk_from_chars(
+ 0x6d,0xe0,0x8a,0x72,0x35,0x1e,0xf1,0xad,0xeb,0xca,0x2c,0xd7,0xf1,0xfd,0xa6,0x91,
+ 0x54,0xad,0xfa,0x4f),
+ chunk_from_chars(
+ 0x1b,0x7a,0x47,0x56,0x91,0xb8,0x41,0x33,0x0d,0x2e,0x4d,0xa5,0xe6,0x13,0xb9,0x89,
+ 0xda,0xce,0xc5,0x8e),
+ },
+ /* 1 octet */
+ { chunk_from_chars(
+ 0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+ 0xc4,0xea,0xb0,0x5d,0x35,0x70,0x07,0xc6,0x32,0xf3,0xdb,0xb4,0x84,0x89,0x92,0x4d,
+ 0x55,0x2b,0x08,0xfe,0x0c,0x35,0x3a,0x0d,0x4a,0x1f,0x00,0xac,0xda,0x2c,0x46,0x3a,
+ 0xfb,0xea,0x67,0xc5,0xe8,0xd2,0x87,0x7c,0x5e,0x3b,0xc3,0x97,0xa6,0x59,0x94,0x9e,
+ 0xf8,0x02,0x1e,0x95,0x4e,0x0a,0x12,0x27,0x4e),
+ chunk_from_chars(
+ 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0x43,0xba,0x28,0xf4,
+ 0x30,0xcd,0xff,0x45,0x6a,0xe5,0x31,0x54,0x5f,0x7e,0xcd,0x0a,0xc8,0x34,0xa5,0x5d,
+ 0x93,0x58,0xc0,0x37,0x2b,0xfa,0x0c,0x6c,0x67,0x98,0xc0,0x86,0x6a,0xea,0x01,0xeb,
+ 0x00,0x74,0x28,0x02,0xb8,0x43,0x8e,0xa4,0xcb,0x82,0x16,0x9c,0x23,0x51,0x60,0x62,
+ 0x7b,0x4c,0x3a,0x94,0x80),
+ chunk_from_chars(
+ 0x03),
+ chunk_from_chars(
+ 0x26,0xb8,0xf9,0x17,0x27,0xbd,0x62,0x89,0x7a,0xf1,0x5e,0x41,0xeb,0x43,0xc3,0x77,
+ 0xef,0xb9,0xc6,0x10,0xd4,0x8f,0x23,0x35,0xcb,0x0b,0xd0,0x08,0x78,0x10,0xf4,0x35,
+ 0x25,0x41,0xb1,0x43,0xc4,0xb9,0x81,0xb7,0xe1,0x8f,0x62,0xde,0x8c,0xcd,0xf6,0x33,
+ 0xfc,0x1b,0xf0,0x37,0xab,0x7c,0xd7,0x79,0x80,0x5e,0x0d,0xbc,0xc0,0xaa,0xe1,0xcb,
+ 0xce,0xe1,0xaf,0xb2,0xe0,0x27,0xdf,0x36,0xbc,0x04,0xdc,0xec,0xbf,0x15,0x43,0x36,
+ 0xc1,0x9f,0x0a,0xf7,0xe0,0xa6,0x47,0x29,0x05,0xe7,0x99,0xf1,0x95,0x3d,0x2a,0x0f,
+ 0xf3,0x34,0x8a,0xb2,0x1a,0xa4,0xad,0xaf,0xd1,0xd2,0x34,0x44,0x1c,0xf8,0x07,0xc0,
+ 0x3a,0x00),
+ chunk_from_chars(
+ 0x74,0xa7,0x4b,0x23,0x69,0x98,0x17,0x46,0x1f,0xca,0xcf,0x84,0xf7,0xc6,0x3e,0x05,
+ 0x2a,0x1b,0xf9,0xb8),
+ chunk_from_chars(
+ 0xf6,0x76,0xf7,0x63,0x82,0x2b,0x53,0x5c,0x61,0x9c,0xfa,0x4a,0x59,0x7d,0xdd,0xae,
+ 0x13,0x34,0xf0,0xb1),
+ },
+ /* 11 octets */
+ { chunk_from_chars(
+ 0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+ 0xcd,0x23,0xd2,0x4f,0x71,0x42,0x74,0xe7,0x44,0x34,0x32,0x37,0xb9,0x32,0x90,0xf5,
+ 0x11,0xf6,0x42,0x5f,0x98,0xe6,0x44,0x59,0xff,0x20,0x3e,0x89,0x85,0x08,0x3f,0xfd,
+ 0xf6,0x05,0x00,0x55,0x3a,0xbc,0x0e,0x05,0xcd,0x02,0x18,0x4b,0xdb,0x89,0xc4,0xcc,
+ 0xd6,0x7e,0x18,0x79,0x51,0x26,0x7e,0xb3,0x28),
+ chunk_from_chars(
+ 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0xdc,0xea,0x9e,0x78,
+ 0xf3,0x5a,0x1b,0xf3,0x49,0x9a,0x83,0x1b,0x10,0xb8,0x6c,0x90,0xaa,0xc0,0x1c,0xd8,
+ 0x4b,0x67,0xa0,0x10,0x9b,0x55,0xa3,0x6e,0x93,0x28,0xb1,0xe3,0x65,0xfc,0xe1,0x61,
+ 0xd7,0x1c,0xe7,0x13,0x1a,0x54,0x3e,0xa4,0xcb,0x5f,0x7e,0x9f,0x1d,0x8b,0x00,0x69,
+ 0x64,0x47,0x00,0x14,0x00),
+ chunk_from_chars(
+ 0x0c,0x3e,0x54,0x40,0x74,0xec,0x63,0xb0,0x26,0x5e,0x0c),
+ chunk_from_chars(
+ 0x1f,0x0a,0x88,0x88,0xce,0x25,0xe8,0xd4,0x58,0xa2,0x11,0x30,0x87,0x9b,0x84,0x0a,
+ 0x90,0x89,0xd9,0x99,0xaa,0xba,0x03,0x9e,0xaf,0x3e,0x3a,0xfa,0x09,0x0a,0x09,0xd3,
+ 0x89,0xdb,0xa8,0x2c,0x4f,0xf2,0xae,0x8a,0xc5,0xcd,0xfb,0x7c,0x55,0xe9,0x4d,0x5d,
+ 0x96,0x1a,0x29,0xfe,0x01,0x09,0x94,0x1e,0x00,0xb8,0xdb,0xde,0xea,0x6d,0x3b,0x05,
+ 0x10,0x68,0xdf,0x72,0x54,0xc0,0xcd,0xc1,0x29,0xcb,0xe6,0x2d,0xb2,0xdc,0x95,0x7d,
+ 0xbb,0x47,0xb5,0x1f,0xd3,0xf2,0x13,0xfb,0x86,0x98,0xf0,0x64,0x77,0x42,0x50,0xa5,
+ 0x02,0x89,0x61,0xc9,0xbf,0x8f,0xfd,0x97,0x3f,0xe5,0xd5,0xc2,0x06,0x49,0x2b,0x14,
+ 0x0e,0x00),
+ chunk_from_chars(
+ 0x3b,0x56,0x55,0xa4,0xce,0x4c,0xec,0x67,0x77,0x9c,0x9f,0xeb,0xfe,0x6f,0x38,0xba,
+ 0x88,0xc2,0x25,0x10),
+ chunk_from_chars(
+ 0x71,0xcb,0xf2,0xb7,0x1b,0x3b,0x77,0xcb,0xd6,0x41,0x05,0x02,0x72,0x31,0xa6,0x91,
+ 0x27,0x3f,0xe5,0x51),
+ },
+ /* 12 octets */
+ { chunk_from_chars(
+ 0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+ 0x25,0x8c,0xdd,0x4a,0xda,0x32,0xed,0x9c,0x9f,0xf5,0x4e,0x63,0x75,0x6a,0xe5,0x82,
+ 0xfb,0x8f,0xab,0x2a,0xc7,0x21,0xf2,0xc8,0xe6,0x76,0xa7,0x27,0x68,0x51,0x3d,0x93,
+ 0x9f,0x63,0xdd,0xdb,0x55,0x60,0x91,0x33,0xf2,0x9a,0xdf,0x86,0xec,0x99,0x29,0xdc,
+ 0xcb,0x52,0xc1,0xc5,0xfd,0x2f,0xf7,0xe2,0x1b),
+ chunk_from_chars(
+ 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0x3b,0xa1,0x6d,0xa0,
+ 0xc6,0xf2,0xcc,0x1f,0x30,0x18,0x77,0x40,0x75,0x6f,0x5e,0x79,0x8d,0x6b,0xc5,0xfc,
+ 0x01,0x5d,0x7c,0x63,0xcc,0x95,0x10,0xee,0x3f,0xd4,0x4a,0xdc,0x24,0xd8,0xe9,0x68,
+ 0xb6,0xe4,0x6e,0x6f,0x94,0xd1,0x9b,0x94,0x53,0x61,0x72,0x6b,0xd7,0x5e,0x14,0x9e,
+ 0xf0,0x98,0x17,0xf5,0x80),
+ chunk_from_chars(
+ 0x64,0xa6,0x5f,0x3c,0xde,0xdc,0xdd,0x66,0x81,0x1e,0x29,0x15),
+ chunk_from_chars(
+ 0x7e,0xee,0xab,0x7c,0x4e,0x50,0xfb,0x79,0x9b,0x41,0x8e,0xe5,0xe3,0x19,0x7f,0xf6,
+ 0xbf,0x15,0xd4,0x3a,0x14,0xc3,0x43,0x89,0xb5,0x9d,0xd1,0xa7,0xb1,0xb8,0x5b,0x4a,
+ 0xe9,0x04,0x38,0xac,0xa6,0x34,0xbe,0xa4,0x5e,0x3a,0x26,0x95,0xf1,0x27,0x0f,0x07,
+ 0xfd,0xcd,0xf7,0xc6,0x2b,0x8e,0xfe,0xaf,0x00,0xb4,0x5c,0x2c,0x96,0xba,0x45,0x7e,
+ 0xb1,0xa8,0xbf,0x07,0x5a,0x3d,0xb2,0x8e,0x5c,0x24,0xf6,0xb9,0x23,0xed,0x4a,0xd7,
+ 0x47,0xc3,0xc9,0xe0,0x3c,0x70,0x79,0xef,0xb8,0x7c,0xb1,0x10,0xd3,0xa9,0x98,0x61,
+ 0xe7,0x20,0x03,0xcb,0xae,0x6d,0x6b,0x8b,0x82,0x7e,0x4e,0x6c,0x14,0x30,0x64,0xff,
+ 0x3c,0x00),
+ chunk_from_chars(
+ 0x56,0x8e,0xad,0x67,0xa7,0x83,0x78,0xfe,0x8f,0xaf,0xa7,0x87,0x2e,0xc8,0x95,0xa0,
+ 0xde,0x05,0x37,0x4c),
+ chunk_from_chars(
+ 0xed,0x1b,0xe5,0xa1,0x97,0x23,0x59,0x4d,0x86,0x6b,0x6b,0xef,0xfb,0x81,0xe4,0x8e,
+ 0xf7,0x42,0xe0,0x81),
+ },
+ /* 13 octets */
+ { chunk_from_chars(
+ 0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+ 0x7e,0xf4,0xe8,0x45,0x44,0x23,0x67,0x52,0xfb,0xb5,0x6b,0x8f,0x31,0xa2,0x3a,0x10,
+ 0xe4,0x28,0x14,0xf5,0xf5,0x5c,0xa0,0x37,0xcd,0xcc,0x11,0xc6,0x4c,0x9a,0x3b,0x29,
+ 0x49,0xc1,0xbb,0x60,0x70,0x03,0x14,0x61,0x17,0x32,0xa6,0xc2,0xfe,0xa9,0x8e,0xeb,
+ 0xc0,0x26,0x6a,0x11,0xa9,0x39,0x70,0x10,0x0e),
+ chunk_from_chars(
+ 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0xb3,0xda,0x07,0x9b,
+ 0x0a,0xa4,0x93,0xa5,0x77,0x20,0x29,0xf0,0x46,0x7b,0xae,0xbe,0xe5,0xa8,0x11,0x2d,
+ 0x9d,0x3a,0x22,0x53,0x23,0x61,0xda,0x29,0x4f,0x7b,0xb3,0x81,0x5c,0x5d,0xc5,0x9e,
+ 0x17,0x6b,0x4d,0x9f,0x38,0x1c,0xa0,0x93,0x8e,0x13,0xc6,0xc0,0x7b,0x17,0x4b,0xe6,
+ 0x5d,0xfa,0x57,0x8e,0x80),
+ chunk_from_chars(
+ 0x64,0xa6,0x5f,0x3c,0xde,0xdc,0xdd,0x66,0x81,0x1e,0x29,0x15,0xe7),
+ chunk_from_chars(
+ 0x6a,0x12,0x06,0x6f,0x55,0x33,0x1b,0x6c,0x22,0xac,0xd5,0xd5,0xbf,0xc5,0xd7,0x12,
+ 0x28,0xfb,0xda,0x80,0xae,0x8d,0xec,0x26,0xbd,0xd3,0x06,0x74,0x3c,0x50,0x27,0xcb,
+ 0x48,0x90,0x81,0x0c,0x16,0x2c,0x02,0x74,0x68,0x67,0x5e,0xcf,0x64,0x5a,0x83,0x17,
+ 0x6c,0x0d,0x73,0x23,0xa2,0xcc,0xde,0x2d,0x80,0xef,0xe5,0xa1,0x26,0x8e,0x8a,0xca,
+ 0x1d,0x6f,0xbc,0x19,0x4d,0x3f,0x77,0xc4,0x49,0x86,0xeb,0x4a,0xb4,0x17,0x79,0x19,
+ 0xad,0x8b,0xec,0x33,0xeb,0x47,0xbb,0xb5,0xfc,0x6e,0x28,0x19,0x6f,0xd1,0xca,0xf5,
+ 0x6b,0x4e,0x7e,0x0b,0xa5,0x51,0x92,0x34,0xd0,0x47,0x15,0x5a,0xc7,0x27,0xa1,0x05,
+ 0x31,0x00),
+ chunk_from_chars(
+ 0x6e,0xb1,0xb6,0x33,0x76,0xa8,0x0f,0x84,0x26,0x23,0xfb,0xaa,0x9e,0xaa,0x1d,0x8d,
+ 0x6d,0xa5,0x75,0x4e),
+ chunk_from_chars(
+ 0xfa,0x2f,0xeb,0xff,0x13,0xc0,0xee,0xd0,0x3b,0xc6,0xf2,0x7d,0xb8,0x61,0xe5,0x9d,
+ 0x16,0x53,0xb1,0x11),
+ },
+ /* 64 octets */
+ { chunk_from_chars(
+ 0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+ 0xd6,0x5d,0xf3,0x41,0xad,0x13,0xe0,0x08,0x56,0x76,0x88,0xba,0xed,0xda,0x8e,0x9d,
+ 0xcd,0xc1,0x7d,0xc0,0x24,0x97,0x4e,0xa5,0xb4,0x22,0x7b,0x65,0x30,0xe3,0x39,0xbf,
+ 0xf2,0x1f,0x99,0xe6,0x8c,0xa6,0x96,0x8f,0x3c,0xca,0x6d,0xfe,0x0f,0xb9,0xf4,0xfa,
+ 0xb4,0xfa,0x13,0x5d,0x55,0x42,0xea,0x3f,0x01),
+ chunk_from_chars(
+ 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0xdf,0x97,0x05,0xf5,
+ 0x8e,0xdb,0xab,0x80,0x2c,0x7f,0x83,0x63,0xcf,0xe5,0x56,0x0a,0xb1,0xc6,0x13,0x2c,
+ 0x20,0xa9,0xf1,0xdd,0x16,0x34,0x83,0xa2,0x6f,0x8a,0xc5,0x3a,0x39,0xd6,0x80,0x8b,
+ 0xf4,0xa1,0xdf,0xbd,0x26,0x1b,0x09,0x9b,0xb0,0x3b,0x3f,0xb5,0x09,0x06,0xcb,0x28,
+ 0xbd,0x8a,0x08,0x1f,0x00),
+ chunk_from_chars(
+ 0xbd,0x0f,0x6a,0x37,0x47,0xcd,0x56,0x1b,0xdd,0xdf,0x46,0x40,0xa3,0x32,0x46,0x1a,
+ 0x4a,0x30,0xa1,0x2a,0x43,0x4c,0xd0,0xbf,0x40,0xd7,0x66,0xd9,0xc6,0xd4,0x58,0xe5,
+ 0x51,0x22,0x04,0xa3,0x0c,0x17,0xd1,0xf5,0x0b,0x50,0x79,0x63,0x1f,0x64,0xeb,0x31,
+ 0x12,0x18,0x2d,0xa3,0x00,0x58,0x35,0x46,0x11,0x13,0x71,0x8d,0x1a,0x5e,0xf9,0x44),
+ chunk_from_chars(
+ 0x55,0x4b,0xc2,0x48,0x08,0x60,0xb4,0x9e,0xab,0x85,0x32,0xd2,0xa5,0x33,0xb7,0xd5,
+ 0x78,0xef,0x47,0x3e,0xeb,0x58,0xc9,0x8b,0xb2,0xd0,0xe1,0xce,0x48,0x8a,0x98,0xb1,
+ 0x8d,0xfd,0xe9,0xb9,0xb9,0x07,0x75,0xe6,0x7f,0x47,0xd4,0xa1,0xc3,0x48,0x20,0x58,
+ 0xef,0xc9,0xf4,0x0d,0x2c,0xa0,0x33,0xa0,0x80,0x1b,0x63,0xd4,0x5b,0x3b,0x72,0x2e,
+ 0xf5,0x52,0xba,0xd3,0xb4,0xcc,0xb6,0x67,0xda,0x35,0x01,0x92,0xb6,0x1c,0x50,0x8c,
+ 0xf7,0xb6,0xb5,0xad,0xad,0xc2,0xc8,0xd9,0xa4,0x46,0xef,0x00,0x3f,0xb0,0x5c,0xba,
+ 0x5f,0x30,0xe8,0x8e,0x36,0xec,0x27,0x03,0xb3,0x49,0xca,0x22,0x9c,0x26,0x70,0x83,
+ 0x39,0x00),
+ chunk_from_chars(
+ 0x2b,0xb0,0xd4,0x29,0xb8,0x51,0x3f,0xb5,0x9d,0x07,0xd0,0xb0,0x1f,0x4a,0x39,0x25,
+ 0x33,0xae,0x3e,0x64),
+ chunk_from_chars(
+ 0x79,0xbb,0x37,0xe4,0x2a,0xf9,0x58,0xb7,0xa4,0x58,0x18,0x88,0x4b,0x82,0x8f,0xfb,
+ 0x9c,0x74,0xce,0x9d),
+ },
+ /* 256 octets */
+ { chunk_from_chars(
+ 0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+ 0x2e,0xc5,0xfe,0x3c,0x17,0x04,0x5a,0xbd,0xb1,0x36,0xa5,0xe6,0xa9,0x13,0xe3,0x2a,
+ 0xb7,0x5a,0xe6,0x8b,0x53,0xd2,0xfc,0x14,0x9b,0x77,0xe5,0x04,0x13,0x2d,0x37,0x56,
+ 0x9b,0x7e,0x76,0x6b,0xa7,0x4a,0x19,0xbd,0x61,0x62,0x34,0x3a,0x21,0xc8,0x59,0x0a,
+ 0xa9,0xce,0xbc,0xa9,0x01,0x4c,0x63,0x6d,0xf5),
+ chunk_from_chars(
+ 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0x79,0x75,0x6f,0x01,
+ 0x4d,0xcf,0xe2,0x07,0x9f,0x5d,0xd9,0xe7,0x18,0xbe,0x41,0x71,0xe2,0xef,0x24,0x86,
+ 0xa0,0x8f,0x25,0x18,0x6f,0x6b,0xff,0x43,0xa9,0x93,0x6b,0x9b,0xfe,0x12,0x40,0x2b,
+ 0x08,0xae,0x65,0x79,0x8a,0x3d,0x81,0xe2,0x2e,0x9e,0xc8,0x0e,0x76,0x90,0x86,0x2e,
+ 0xf3,0xd4,0xed,0x3a,0x00),
+ chunk_from_chars(
+ 0x15,0x77,0x75,0x32,0xb0,0xbd,0xd0,0xd1,0x38,0x9f,0x63,0x6c,0x5f,0x6b,0x9b,0xa7,
+ 0x34,0xc9,0x0a,0xf5,0x72,0x87,0x7e,0x2d,0x27,0x2d,0xd0,0x78,0xaa,0x1e,0x56,0x7c,
+ 0xfa,0x80,0xe1,0x29,0x28,0xbb,0x54,0x23,0x30,0xe8,0x40,0x9f,0x31,0x74,0x50,0x41,
+ 0x07,0xec,0xd5,0xef,0xac,0x61,0xae,0x75,0x04,0xda,0xbe,0x2a,0x60,0x2e,0xde,0x89,
+ 0xe5,0xcc,0xa6,0x25,0x7a,0x7c,0x77,0xe2,0x7a,0x70,0x2b,0x3a,0xe3,0x9f,0xc7,0x69,
+ 0xfc,0x54,0xf2,0x39,0x5a,0xe6,0xa1,0x17,0x8c,0xab,0x47,0x38,0xe5,0x43,0x07,0x2f,
+ 0xc1,0xc1,0x77,0xfe,0x71,0xe9,0x2e,0x25,0xbf,0x03,0xe4,0xec,0xb7,0x2f,0x47,0xb6,
+ 0x4d,0x04,0x65,0xaa,0xea,0x4c,0x7f,0xad,0x37,0x25,0x36,0xc8,0xba,0x51,0x6a,0x60,
+ 0x39,0xc3,0xc2,0xa3,0x9f,0x0e,0x4d,0x83,0x2b,0xe4,0x32,0xdf,0xa9,0xa7,0x06,0xa6,
+ 0xe5,0xc7,0xe1,0x9f,0x39,0x79,0x64,0xca,0x42,0x58,0x00,0x2f,0x7c,0x05,0x41,0xb5,
+ 0x90,0x31,0x6d,0xbc,0x56,0x22,0xb6,0xb2,0xa6,0xfe,0x7a,0x4a,0xbf,0xfd,0x96,0x10,
+ 0x5e,0xca,0x76,0xea,0x7b,0x98,0x81,0x6a,0xf0,0x74,0x8c,0x10,0xdf,0x04,0x8c,0xe0,
+ 0x12,0xd9,0x01,0x01,0x5a,0x51,0xf1,0x89,0xf3,0x88,0x81,0x45,0xc0,0x36,0x50,0xaa,
+ 0x23,0xce,0x89,0x4c,0x3b,0xd8,0x89,0xe0,0x30,0xd5,0x65,0x07,0x1c,0x59,0xf4,0x09,
+ 0xa9,0x98,0x1b,0x51,0x87,0x8f,0xd6,0xfc,0x11,0x06,0x24,0xdc,0xbc,0xde,0x0b,0xf7,
+ 0xa6,0x9c,0xcc,0xe3,0x8f,0xab,0xdf,0x86,0xf3,0xbe,0xf6,0x04,0x48,0x19,0xde,0x11),
+ chunk_from_chars(
+ 0xc6,0x50,0xdd,0xbb,0x06,0x01,0xc1,0x9c,0xa1,0x14,0x39,0xe1,0x64,0x0d,0xd9,0x31,
+ 0xf4,0x3c,0x51,0x8e,0xa5,0xbe,0xa7,0x0d,0x3d,0xcd,0xe5,0xf4,0x19,0x1f,0xe5,0x3f,
+ 0x00,0xcf,0x96,0x65,0x46,0xb7,0x2b,0xcc,0x7d,0x58,0xbe,0x2b,0x9b,0xad,0xef,0x28,
+ 0x74,0x39,0x54,0xe3,0xa4,0x4a,0x23,0xf8,0x80,0xe8,0xd4,0xf1,0xcf,0xce,0x2d,0x7a,
+ 0x61,0x45,0x2d,0x26,0xda,0x05,0x89,0x6f,0x0a,0x50,0xda,0x66,0xa2,0x39,0xa8,0xa1,
+ 0x88,0xb6,0xd8,0x25,0xb3,0x30,0x5a,0xd7,0x7b,0x73,0xfb,0xac,0x08,0x36,0xec,0xc6,
+ 0x09,0x87,0xfd,0x08,0x52,0x7c,0x1a,0x8e,0x80,0xd5,0x82,0x3e,0x65,0xca,0xfe,0x2a,
+ 0x3d,0x00),
+ chunk_from_chars(
+ 0xfc,0x02,0xc5,0x25,0x74,0x09,0x8f,0xbb,0xaf,0x8c,0xad,0x02,0x14,0x9d,0xef,0x0d,
+ 0x94,0xb7,0x96,0x5f),
+ chunk_from_chars(
+ 0x63,0x03,0x8e,0x1f,0xcc,0x69,0x1e,0x2f,0x9d,0xb3,0x57,0x0f,0xad,0xbc,0x01,0x35,
+ 0x63,0xdb,0x06,0xba),
+ },
+ /* 1023 octets */
+ { chunk_from_chars(
+ 0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+ 0x87,0x2d,0x09,0x37,0x80,0xf5,0xd3,0x73,0x0d,0xf7,0xc2,0x12,0x66,0x4b,0x37,0xb8,
+ 0xa0,0xf2,0x4f,0x56,0x81,0x0d,0xaa,0x83,0x82,0xcd,0x4f,0xa3,0xf7,0x76,0x34,0xec,
+ 0x44,0xdc,0x54,0xf1,0xc2,0xed,0x9b,0xea,0x86,0xfa,0xfb,0x76,0x32,0xd8,0xbe,0x19,
+ 0x9e,0xa1,0x65,0xf5,0xad,0x55,0xdd,0x9c,0xe8),
+ chunk_from_chars(
+ 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0xa8,0x1b,0x2e,0x8a,
+ 0x70,0xa5,0xac,0x94,0xff,0xdb,0xcc,0x9b,0xad,0xfc,0x3f,0xeb,0x08,0x01,0xf2,0x58,
+ 0x57,0x8b,0xb1,0x14,0xad,0x44,0xec,0xe1,0xec,0x0e,0x79,0x9d,0xa0,0x8e,0xff,0xb8,
+ 0x1c,0x5d,0x68,0x5c,0x0c,0x56,0xf6,0x4e,0xec,0xae,0xf8,0xcd,0xf1,0x1c,0xc3,0x87,
+ 0x37,0x83,0x8c,0xf4,0x00),
+ chunk_from_chars(
+ 0x6d,0xdf,0x80,0x2e,0x1a,0xae,0x49,0x86,0x93,0x5f,0x7f,0x98,0x1b,0xa3,0xf0,0x35,
+ 0x1d,0x62,0x73,0xc0,0xa0,0xc2,0x2c,0x9c,0x0e,0x83,0x39,0x16,0x8e,0x67,0x54,0x12,
+ 0xa3,0xde,0xbf,0xaf,0x43,0x5e,0xd6,0x51,0x55,0x80,0x07,0xdb,0x43,0x84,0xb6,0x50,
+ 0xfc,0xc0,0x7e,0x3b,0x58,0x6a,0x27,0xa4,0xf7,0xa0,0x0a,0xc8,0xa6,0xfe,0xc2,0xcd,
+ 0x86,0xae,0x4b,0xf1,0x57,0x0c,0x41,0xe6,0xa4,0x0c,0x93,0x1d,0xb2,0x7b,0x2f,0xaa,
+ 0x15,0xa8,0xce,0xdd,0x52,0xcf,0xf7,0x36,0x2c,0x4e,0x6e,0x23,0xda,0xec,0x0f,0xbc,
+ 0x3a,0x79,0xb6,0x80,0x6e,0x31,0x6e,0xfc,0xc7,0xb6,0x81,0x19,0xbf,0x46,0xbc,0x76,
+ 0xa2,0x60,0x67,0xa5,0x3f,0x29,0x6d,0xaf,0xdb,0xdc,0x11,0xc7,0x7f,0x77,0x77,0xe9,
+ 0x72,0x66,0x0c,0xf4,0xb6,0xa9,0xb3,0x69,0xa6,0x66,0x5f,0x02,0xe0,0xcc,0x9b,0x6e,
+ 0xdf,0xad,0x13,0x6b,0x4f,0xab,0xe7,0x23,0xd2,0x81,0x3d,0xb3,0x13,0x6c,0xfd,0xe9,
+ 0xb6,0xd0,0x44,0x32,0x2f,0xee,0x29,0x47,0x95,0x2e,0x03,0x1b,0x73,0xab,0x5c,0x60,
+ 0x33,0x49,0xb3,0x07,0xbd,0xc2,0x7b,0xc6,0xcb,0x8b,0x8b,0xbd,0x7b,0xd3,0x23,0x21,
+ 0x9b,0x80,0x33,0xa5,0x81,0xb5,0x9e,0xad,0xeb,0xb0,0x9b,0x3c,0x4f,0x3d,0x22,0x77,
+ 0xd4,0xf0,0x34,0x36,0x24,0xac,0xc8,0x17,0x80,0x47,0x28,0xb2,0x5a,0xb7,0x97,0x17,
+ 0x2b,0x4c,0x5c,0x21,0xa2,0x2f,0x9c,0x78,0x39,0xd6,0x43,0x00,0x23,0x2e,0xb6,0x6e,
+ 0x53,0xf3,0x1c,0x72,0x3f,0xa3,0x7f,0xe3,0x87,0xc7,0xd3,0xe5,0x0b,0xdf,0x98,0x13,
+ 0xa3,0x0e,0x5b,0xb1,0x2c,0xf4,0xcd,0x93,0x0c,0x40,0xcf,0xb4,0xe1,0xfc,0x62,0x25,
+ 0x92,0xa4,0x95,0x88,0x79,0x44,0x94,0xd5,0x6d,0x24,0xea,0x4b,0x40,0xc8,0x9f,0xc0,
+ 0x59,0x6c,0xc9,0xeb,0xb9,0x61,0xc8,0xcb,0x10,0xad,0xde,0x97,0x6a,0x5d,0x60,0x2b,
+ 0x1c,0x3f,0x85,0xb9,0xb9,0xa0,0x01,0xed,0x3c,0x6a,0x4d,0x3b,0x14,0x37,0xf5,0x20,
+ 0x96,0xcd,0x19,0x56,0xd0,0x42,0xa5,0x97,0xd5,0x61,0xa5,0x96,0xec,0xd3,0xd1,0x73,
+ 0x5a,0x8d,0x57,0x0e,0xa0,0xec,0x27,0x22,0x5a,0x2c,0x4a,0xaf,0xf2,0x63,0x06,0xd1,
+ 0x52,0x6c,0x1a,0xf3,0xca,0x6d,0x9c,0xf5,0xa2,0xc9,0x8f,0x47,0xe1,0xc4,0x6d,0xb9,
+ 0xa3,0x32,0x34,0xcf,0xd4,0xd8,0x1f,0x2c,0x98,0x53,0x8a,0x09,0xeb,0xe7,0x69,0x98,
+ 0xd0,0xd8,0xfd,0x25,0x99,0x7c,0x7d,0x25,0x5c,0x6d,0x66,0xec,0xe6,0xfa,0x56,0xf1,
+ 0x11,0x44,0x95,0x0f,0x02,0x77,0x95,0xe6,0x53,0x00,0x8f,0x4b,0xd7,0xca,0x2d,0xee,
+ 0x85,0xd8,0xe9,0x0f,0x3d,0xc3,0x15,0x13,0x0c,0xe2,0xa0,0x03,0x75,0xa3,0x18,0xc7,
+ 0xc3,0xd9,0x7b,0xe2,0xc8,0xce,0x5b,0x6d,0xb4,0x1a,0x62,0x54,0xff,0x26,0x4f,0xa6,
+ 0x15,0x5b,0xae,0xe3,0xb0,0x77,0x3c,0x0f,0x49,0x7c,0x57,0x3f,0x19,0xbb,0x4f,0x42,
+ 0x40,0x28,0x1f,0x0b,0x1f,0x4f,0x7b,0xe8,0x57,0xa4,0xe5,0x9d,0x41,0x6c,0x06,0xb4,
+ 0xc5,0x0f,0xa0,0x9e,0x18,0x10,0xdd,0xc6,0xb1,0x46,0x7b,0xae,0xac,0x5a,0x36,0x68,
+ 0xd1,0x1b,0x6e,0xca,0xa9,0x01,0x44,0x00,0x16,0xf3,0x89,0xf8,0x0a,0xcc,0x4d,0xb9,
+ 0x77,0x02,0x5e,0x7f,0x59,0x24,0x38,0x8c,0x7e,0x34,0x0a,0x73,0x2e,0x55,0x44,0x40,
+ 0xe7,0x65,0x70,0xf8,0xdd,0x71,0xb7,0xd6,0x40,0xb3,0x45,0x0d,0x1f,0xd5,0xf0,0x41,
+ 0x0a,0x18,0xf9,0xa3,0x49,0x4f,0x70,0x7c,0x71,0x7b,0x79,0xb4,0xbf,0x75,0xc9,0x84,
+ 0x00,0xb0,0x96,0xb2,0x16,0x53,0xb5,0xd2,0x17,0xcf,0x35,0x65,0xc9,0x59,0x74,0x56,
+ 0xf7,0x07,0x03,0x49,0x7a,0x07,0x87,0x63,0x82,0x9b,0xc0,0x1b,0xb1,0xcb,0xc8,0xfa,
+ 0x04,0xea,0xdc,0x9a,0x6e,0x3f,0x66,0x99,0x58,0x7a,0x9e,0x75,0xc9,0x4e,0x5b,0xab,
+ 0x00,0x36,0xe0,0xb2,0xe7,0x11,0x39,0x2c,0xff,0x00,0x47,0xd0,0xd6,0xb0,0x5b,0xd2,
+ 0xa5,0x88,0xbc,0x10,0x97,0x18,0x95,0x42,0x59,0xf1,0xd8,0x66,0x78,0xa5,0x79,0xa3,
+ 0x12,0x0f,0x19,0xcf,0xb2,0x96,0x3f,0x17,0x7a,0xeb,0x70,0xf2,0xd4,0x84,0x48,0x26,
+ 0x26,0x2e,0x51,0xb8,0x02,0x71,0x27,0x20,0x68,0xef,0x5b,0x38,0x56,0xfa,0x85,0x35,
+ 0xaa,0x2a,0x88,0xb2,0xd4,0x1f,0x2a,0x0e,0x2f,0xda,0x76,0x24,0xc2,0x85,0x02,0x72,
+ 0xac,0x4a,0x2f,0x56,0x1f,0x8f,0x2f,0x7a,0x31,0x8b,0xfd,0x5c,0xaf,0x96,0x96,0x14,
+ 0x9e,0x4a,0xc8,0x24,0xad,0x34,0x60,0x53,0x8f,0xdc,0x25,0x42,0x1b,0xee,0xc2,0xcc,
+ 0x68,0x18,0x16,0x2d,0x06,0xbb,0xed,0x0c,0x40,0xa3,0x87,0x19,0x23,0x49,0xdb,0x67,
+ 0xa1,0x18,0xba,0xda,0x6c,0xd5,0xab,0x01,0x40,0xee,0x27,0x32,0x04,0xf6,0x28,0xaa,
+ 0xd1,0xc1,0x35,0xf7,0x70,0x27,0x9a,0x65,0x1e,0x24,0xd8,0xc1,0x4d,0x75,0xa6,0x05,
+ 0x9d,0x76,0xb9,0x6a,0x6f,0xd8,0x57,0xde,0xf5,0xe0,0xb3,0x54,0xb2,0x7a,0xb9,0x37,
+ 0xa5,0x81,0x5d,0x16,0xb5,0xfa,0xe4,0x07,0xff,0x18,0x22,0x2c,0x6d,0x1e,0xd2,0x63,
+ 0xbe,0x68,0xc9,0x5f,0x32,0xd9,0x08,0xbd,0x89,0x5c,0xd7,0x62,0x07,0xae,0x72,0x64,
+ 0x87,0x56,0x7f,0x9a,0x67,0xda,0xd7,0x9a,0xbe,0xc3,0x16,0xf6,0x83,0xb1,0x7f,0x2d,
+ 0x02,0xbf,0x07,0xe0,0xac,0x8b,0x5b,0xc6,0x16,0x2c,0xf9,0x46,0x97,0xb3,0xc2,0x7c,
+ 0xd1,0xfe,0xa4,0x9b,0x27,0xf2,0x3b,0xa2,0x90,0x18,0x71,0x96,0x25,0x06,0x52,0x0c,
+ 0x39,0x2d,0xa8,0xb6,0xad,0x0d,0x99,0xf7,0x01,0x3f,0xbc,0x06,0xc2,0xc1,0x7a,0x56,
+ 0x95,0x00,0xc8,0xa7,0x69,0x64,0x81,0xc1,0xcd,0x33,0xe9,0xb1,0x4e,0x40,0xb8,0x2e,
+ 0x79,0xa5,0xf5,0xdb,0x82,0x57,0x1b,0xa9,0x7b,0xae,0x3a,0xd3,0xe0,0x47,0x95,0x15,
+ 0xbb,0x0e,0x2b,0x0f,0x3b,0xfc,0xd1,0xfd,0x33,0x03,0x4e,0xfc,0x62,0x45,0xed,0xdd,
+ 0x7e,0xe2,0x08,0x6d,0xda,0xe2,0x60,0x0d,0x8c,0xa7,0x3e,0x21,0x4e,0x8c,0x2b,0x0b,
+ 0xdb,0x2b,0x04,0x7c,0x6a,0x46,0x4a,0x56,0x2e,0xd7,0x7b,0x73,0xd2,0xd8,0x41,0xc4,
+ 0xb3,0x49,0x73,0x55,0x12,0x57,0x71,0x3b,0x75,0x36,0x32,0xef,0xba,0x34,0x81,0x69,
+ 0xab,0xc9,0x0a,0x68,0xf4,0x26,0x11,0xa4,0x01,0x26,0xd7,0xcb,0x21,0xb5,0x86,0x95,
+ 0x56,0x81,0x86,0xf7,0xe5,0x69,0xd2,0xff,0x0f,0x9e,0x74,0x5d,0x04,0x87,0xdd,0x2e,
+ 0xb9,0x97,0xca,0xfc,0x5a,0xbf,0x9d,0xd1,0x02,0xe6,0x2f,0xf6,0x6c,0xba,0x87),
+ chunk_from_chars(
+ 0xe3,0x01,0x34,0x5a,0x41,0xa3,0x9a,0x4d,0x72,0xff,0xf8,0xdf,0x69,0xc9,0x80,0x75,
+ 0xa0,0xcc,0x08,0x2b,0x80,0x2f,0xc9,0xb2,0xb6,0xbc,0x50,0x3f,0x92,0x6b,0x65,0xbd,
+ 0xdf,0x7f,0x4c,0x8f,0x1c,0xb4,0x9f,0x63,0x96,0xaf,0xc8,0xa7,0x0a,0xbe,0x6d,0x8a,
+ 0xef,0x0d,0xb4,0x78,0xd4,0xc6,0xb2,0x97,0x00,0x76,0xc6,0xa0,0x48,0x4f,0xe7,0x6d,
+ 0x76,0xb3,0xa9,0x76,0x25,0xd7,0x9f,0x1c,0xe2,0x40,0xe7,0xc5,0x76,0x75,0x0d,0x29,
+ 0x55,0x28,0x28,0x6f,0x71,0x9b,0x41,0x3d,0xe9,0xad,0xa3,0xe8,0xeb,0x78,0xed,0x57,
+ 0x36,0x03,0xce,0x30,0xd8,0xbb,0x76,0x17,0x85,0xdc,0x30,0xdb,0xc3,0x20,0x86,0x9e,
+ 0x1a,0x00),
+ chunk_from_chars(
+ 0x89,0x30,0xb4,0x62,0xe0,0x28,0x45,0xf1,0x37,0xc0,0x0e,0x47,0xfe,0x64,0x3d,0x07,
+ 0x02,0x7b,0x66,0xec),
+ chunk_from_chars(
+ 0xc1,0x6c,0x19,0x0e,0x3e,0xe9,0x2c,0x5e,0xd0,0x35,0x19,0x93,0x77,0x2c,0xd6,0x38,
+ 0xf0,0xbc,0xe1,0x62),
+ },
+};
+
+START_TEST(test_ed448_sign)
+{
+ private_key_t *key;
+ public_key_t *pubkey, *public;
+ chunk_t sig, encoding, fp;
+
+ /* load private key */
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+ BUILD_BLOB_ASN1_DER, sig_tests[_i].key, BUILD_END);
+ ck_assert(key != NULL);
+ ck_assert(key->get_encoding(key, PRIVKEY_ASN1_DER, &encoding));
+ ck_assert_chunk_eq(encoding, sig_tests[_i].key);
+ chunk_free(&encoding);
+
+ ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp));
+ ck_assert_chunk_eq(sig_tests[_i].fp_pk, fp);
+ ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &fp));
+ ck_assert_chunk_eq(sig_tests[_i].fp_spki, fp);
+
+ /* load public key */
+ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+ BUILD_BLOB_ASN1_DER, sig_tests[_i].pubkey, BUILD_END);
+ ck_assert(pubkey != NULL);
+ ck_assert(pubkey->get_encoding(pubkey, PUBKEY_SPKI_ASN1_DER, &encoding));
+ ck_assert_chunk_eq(encoding, sig_tests[_i].pubkey);
+ chunk_free(&encoding);
+
+ ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp));
+ ck_assert_chunk_eq(sig_tests[_i].fp_pk, fp);
+ ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_INFO_SHA1, &fp));
+ ck_assert_chunk_eq(sig_tests[_i].fp_spki, fp);
+
+ /* compare public keys */
+ public = key->get_public_key(key);
+ ck_assert(public != NULL);
+ ck_assert(public->equals(public, pubkey));
+
+ /* sign */
+ ck_assert(key->sign(key, SIGN_ED448, NULL, sig_tests[_i].msg, &sig));
+ ck_assert_chunk_eq(sig, sig_tests[_i].sig);
+
+ /* verify */
+ ck_assert(pubkey->verify(pubkey, SIGN_ED448, NULL, sig_tests[_i].msg,
+ sig_tests[_i].sig));
+
+ /* cleanup */
+ key->destroy(key);
+ pubkey->destroy(pubkey);
+ public->destroy(public);
+ chunk_free(&sig);
+}
+END_TEST
+
+START_TEST(test_ed448_gen)
+{
+ private_key_t *key, *key2;
+ public_key_t *pubkey, *pubkey2;
+ chunk_t msg = chunk_from_str("Ed448"), sig, encoding, fp_priv, fp_pub;
+
+ /* generate private key */
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+ BUILD_KEY_SIZE, 456, BUILD_END);
+ ck_assert(key != NULL);
+ ck_assert(key->get_type(key) == KEY_ED448);
+ ck_assert(key->get_keysize(key) == 456);
+ ck_assert(!key->get_encoding(key, PRIVKEY_PGP, &encoding));
+ ck_assert(key->get_encoding(key, PRIVKEY_PEM, &encoding));
+ ck_assert(encoding.ptr != NULL);
+ ck_assert(strstr(encoding.ptr, "PRIVATE KEY"));
+ chunk_free(&encoding);
+
+ /* clone private key */
+ key2 = key->get_ref(key);
+ ck_assert(key2);
+ key2->destroy(key2);
+
+ /* decryption not supported */
+ ck_assert(!key->decrypt(key, ENCRYPT_UNKNOWN, msg, NULL));
+
+ /* wrong signature scheme */
+ ck_assert(!key->sign(key, SIGN_ED25519, NULL, msg, &sig));
+
+ /* correct signature scheme*/
+ ck_assert(key->sign(key, SIGN_ED448, NULL, msg, &sig));
+
+ /* export public key */
+ pubkey = key->get_public_key(key);
+ ck_assert(pubkey != NULL);
+ ck_assert(pubkey->get_type(pubkey) == KEY_ED448);
+ ck_assert(pubkey->get_keysize(pubkey) == 456);
+ ck_assert(pubkey->get_encoding(pubkey, PUBKEY_PEM, &encoding));
+ ck_assert(encoding.ptr != NULL);
+ ck_assert(strstr(encoding.ptr, "PUBLIC KEY"));
+ chunk_free(&encoding);
+
+ /* generate and compare public and private key fingerprints */
+ ck_assert(!key->get_fingerprint(key, KEYID_PGPV4, &fp_priv));
+ ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp_priv));
+ ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp_priv));
+ ck_assert(fp_priv.ptr != NULL);
+ ck_assert(!pubkey->get_fingerprint(pubkey, KEYID_PGPV4, &fp_pub));
+ ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp_pub));
+ ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp_pub));
+ ck_assert(fp_pub.ptr != NULL);
+ ck_assert_chunk_eq(fp_pub, fp_priv);
+
+ /* clone public key */
+ pubkey2 = pubkey->get_ref(pubkey);
+ ck_assert(pubkey2 != NULL);
+ pubkey2->destroy(pubkey2);
+
+ /* encryption not supported */
+ ck_assert(!pubkey->encrypt(pubkey, ENCRYPT_UNKNOWN, msg, NULL));
+
+ /* verify with wrong signature scheme */
+ ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, msg, sig));
+
+ /* verify with correct signature scheme */
+ ck_assert(pubkey->verify(pubkey, SIGN_ED448, NULL, msg, sig));
+
+ /* cleanup */
+ key->destroy(key);
+ pubkey->destroy(pubkey);
+ chunk_free(&sig);
+}
+END_TEST
+
+START_TEST(test_ed448_speed)
+{
+ private_key_t *key;
+ public_key_t *pubkey;
+ chunk_t msg = chunk_from_str("Hello Ed448"), sig;
+ int i, count = 500;
+
+#ifdef HAVE_CLOCK_GETTIME
+ struct timespec start, stop;
+ clock_gettime(CLOCK_THREAD_CPUTIME_ID, &start);
+#endif
+
+ for (i = 0; i < count; i++)
+ {
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+ BUILD_KEY_SIZE, 456, BUILD_END);
+ ck_assert(key != NULL);
+ ck_assert(key->sign(key, SIGN_ED448, NULL, msg, &sig));
+ pubkey = key->get_public_key(key);
+ ck_assert(pubkey != NULL);
+ ck_assert(pubkey->verify(pubkey, SIGN_ED448, NULL, msg, sig));
+ key->destroy(key);
+ pubkey->destroy(pubkey);
+ chunk_free(&sig);
+ }
+
+#ifdef HAVE_CLOCK_GETTIME
+ clock_gettime(CLOCK_THREAD_CPUTIME_ID, &stop);
+ DBG0(DBG_LIB, "%d Ed448 keys and signatures in %d ms\n", count,
+ (stop.tv_nsec - start.tv_nsec) / 1000000 +
+ (stop.tv_sec - start.tv_sec) * 1000);
+#endif
+}
+END_TEST
+
+static chunk_t zero_pk = chunk_from_chars(
+ 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00);
+
+/* sig_tests[0].sig with s+L, note that only the 9 most significant bits are 0 */
+static chunk_t malleable_sig = chunk_from_chars(
+ 0x53,0x3a,0x37,0xf6,0xbb,0xe4,0x57,0x25,0x1f,0x02,0x3c,0x0d,0x88,0xf9,0x76,0xae,
+ 0x2d,0xfb,0x50,0x4a,0x84,0x3e,0x34,0xd2,0x07,0x4f,0xd8,0x23,0xd4,0x1a,0x59,0x1f,
+ 0x2b,0x23,0x3f,0x03,0x4f,0x62,0x82,0x81,0xf2,0xfd,0x7a,0x22,0xdd,0xd4,0x7d,0x78,
+ 0x28,0xc5,0x9b,0xd0,0xa2,0x1b,0xfd,0x39,0x80,0xf2,0x52,0x78,0xd3,0x66,0x74,0x03,
+ 0xc1,0x4b,0xce,0xc5,0xf9,0xcf,0xde,0x99,0x55,0xeb,0xc8,0x33,0x3c,0x0a,0xe7,0x8f,
+ 0xc8,0x6e,0x51,0x83,0x17,0xc5,0xc7,0xcd,0xda,0x85,0x30,0xa1,0x13,0xa0,0xf4,0xdb,
+ 0xb6,0x11,0x49,0xf0,0x5a,0x73,0x63,0x26,0x8c,0x71,0xd9,0x58,0x08,0xff,0x2e,0x65,
+ 0x66,0x00);
+
+START_TEST(test_ed448_fail)
+{
+ private_key_t *key;
+ public_key_t *pubkey;
+ chunk_t blob, sig;
+ uint8_t sig1[114];
+
+ /* Invalid private key format */
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+ BUILD_BLOB_ASN1_DER, chunk_empty, BUILD_END);
+ ck_assert(key == NULL);
+
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+ BUILD_EDDSA_PRIV_ASN1_DER, chunk_empty, BUILD_END);
+ ck_assert(key == NULL);
+
+ blob = chunk_from_chars(0x04, 0x01, 0x9d);
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+ BUILD_EDDSA_PRIV_ASN1_DER, blob, BUILD_END);
+ ck_assert(key == NULL);
+
+ /* Invalid public key format */
+ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+ BUILD_BLOB_ASN1_DER, chunk_empty, BUILD_END);
+ ck_assert(pubkey == NULL);
+
+ blob = chunk_from_chars(0x30, 0x0b, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+ 0x71, 0x03, 0x02, 0x00, 0xd7);
+ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+ BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+ ck_assert(pubkey == NULL);
+
+ blob = chunk_from_chars(0x30, 0x0b, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x00,
+ 0x71, 0x03, 0x02, 0x00, 0xd7);
+ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+ BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+ ck_assert(pubkey == NULL);
+
+ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+ BUILD_KEY_SIZE, 456, BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+ ck_assert(pubkey == NULL);
+
+ /* Invalid signature format */
+ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+ BUILD_BLOB_ASN1_DER, sig_tests[0].pubkey, BUILD_END);
+ ck_assert(pubkey != NULL);
+
+ ck_assert(!pubkey->verify(pubkey, SIGN_ED448, NULL, chunk_empty,
+ chunk_empty));
+
+ /* RFC 8032, section 5.2.7 requires that 0 <= s < L to prevent signature
+ * malleability. Only a warning because OpenSSL is vulnerable to this. */
+ if (pubkey->verify(pubkey, SIGN_ED448, NULL, sig_tests[0].msg,
+ malleable_sig))
+ {
+ warn("Ed448 signature verification is vulnerable to malleable "
+ "signatures");
+ }
+
+ /* malformed signature */
+ sig = chunk_from_thing(sig1);
+ memcpy(sig1, sig_tests[0].sig.ptr, sig_tests[0].sig.len);
+ sig1[113] |= 0xFF;
+ ck_assert(!pubkey->verify(pubkey, SIGN_ED448, NULL, sig_tests[0].msg,
+ sig));
+
+ /* wrong signature */
+ memcpy(sig1, sig_tests[0].sig.ptr, sig_tests[0].sig.len);
+ sig1[0] = 0xe4;
+ ck_assert(!pubkey->verify(pubkey, SIGN_ED448, NULL, sig_tests[0].msg,
+ sig));
+
+ /* detect all-zeroes public key */
+ pubkey->destroy(pubkey);
+ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+ BUILD_BLOB_ASN1_DER, zero_pk, BUILD_END);
+ ck_assert(pubkey != NULL);
+ ck_assert(!pubkey->verify(pubkey, SIGN_ED448, NULL, sig_tests[0].msg,
+ sig));
+ pubkey->destroy(pubkey);
+}
+END_TEST
+
+Suite *ed448_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("ed448");
+
+ tc = tcase_create("ed448_sign");
+ tcase_add_loop_test(tc, test_ed448_sign, 0, countof(sig_tests));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("ed448_gen");
+ tcase_add_test(tc, test_ed448_gen);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("ed448_fail");
+ tcase_add_test(tc, test_ed448_fail);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("ed448_speed");
+ test_case_set_timeout(tc, 10);
+ tcase_add_test(tc, test_ed448_speed);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
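Review bot: The "detect all-zeroes public key" step at the end of test_ed448_fail verifies with `sig`, which aliases `sig1` and still holds the tampered copy from the "wrong signature" case (`sig1[0] = 0xe4`). `ck_assert(!pubkey->verify(...))` therefore passes on the bad signature alone and does not show that the key itself was rejected. Restoring the buffer first with `memcpy(sig1, sig_tests[0].sig.ptr, sig_tests[0].sig.len);` removes that confound, although an unrelated valid signature would presumably fail under the zero key as well. A comment should state the intended contract: `ck_assert(pubkey != NULL)` implies the key is expected to load and be refused only at verify time, for example `/* all-zero key must load but never verify, whatever the signature */`.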
diff --git a/src/libstrongswan/tests/suites/test_rsa.c b/src/libstrongswan/tests/suites/test_rsa.c
index e6dc7744a..a71fa0ce5 100644
--- a/src/libstrongswan/tests/suites/test_rsa.c
+++ b/src/libstrongswan/tests/suites/test_rsa.c
@@ -40,7 +40,7 @@ static signature_scheme_t schemes[] = {
static rsa_pss_params_t default_pss_params = {
.hash = HASH_SHA256,
.mgf1_hash = HASH_SHA256,
- .salt_len = RSA_PSS_SALT_LEN_DEFAULT,
+ .salt_len = HASH_SIZE_SHA256,
};
/**
diff --git a/src/libstrongswan/tests/suites/test_signature_params.c b/src/libstrongswan/tests/suites/test_signature_params.c
index 38cb5803f..cbf1a2861 100644
--- a/src/libstrongswan/tests/suites/test_signature_params.c
+++ b/src/libstrongswan/tests/suites/test_signature_params.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2017 Tobias Brunner
+ * Copyright (C) 2017-2018 Tobias Brunner
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -138,27 +138,27 @@ static struct {
0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30,
0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0xa2,0x03,
0x02,0x01,0x20),
- { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }},
/* default salt length: SHA-1 */
{ chunk_from_chars(0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x00),
- { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+ { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, }},
/* default salt length: SHA-224 */
{ chunk_from_chars(0x30,0x23,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x16,0xa0,
0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,0x05,0x00,
0xa2,0x03,0x02,0x01,0x1c),
- { .hash = HASH_SHA224, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+ { .hash = HASH_SHA224, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA224, }},
/* default salt length: SHA-384 */
{ chunk_from_chars(0x30,0x23,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x16,0xa0,
0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,0x05,0x00,
0xa2,0x03,0x02,0x01,0x30),
- { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+ { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA384, }},
/* SHA-512 */
{ chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0,
0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,
0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30,
0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,0xa2,0x03,
0x02,0x01,0x40),
- { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+ { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, .salt_len = HASH_SIZE_SHA512, }},
/* SHA-256, no salt */
{ chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0,
0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,
@@ -199,6 +199,8 @@ rsa_pss_params_t rsa_pss_build_invalid_tests[] = {
{ .hash = HASH_UNKNOWN, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, },
/* invalid mgf */
{ .hash = HASH_SHA256, .mgf1_hash = HASH_UNKNOWN, .salt_len = HASH_SIZE_SHA256, },
+ /* undetermined salt */
+ { .hash = HASH_UNKNOWN, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, },
};
START_TEST(test_rsa_pss_params_build_invalid)
@@ -209,6 +211,49 @@ START_TEST(test_rsa_pss_params_build_invalid)
}
END_TEST
+
+static struct {
+ ssize_t expected;
+ size_t modbits;
+ rsa_pss_params_t params;
+} rsa_pss_salt_len_tests[] = {
+ { HASH_SIZE_SHA256, 0,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+ { HASH_SIZE_SHA256, 3072,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+ { -1, 0,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+ { 0, 256,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+ { 350, 3071,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+ { 350, 3072,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+ { 350, 3073,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+ { 478, 4096,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+ { 10, 0,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = 10, }},
+ { 10, 3072,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = 10, }},
+};
+
+START_TEST(test_rsa_pss_params_set_salt_len)
+{
+ if (rsa_pss_params_set_salt_len(&rsa_pss_salt_len_tests[_i].params,
+ rsa_pss_salt_len_tests[_i].modbits))
+ {
+ ck_assert_int_eq(rsa_pss_salt_len_tests[_i].expected,
+ rsa_pss_salt_len_tests[_i].params.salt_len);
+ }
+ else
+ {
+ ck_assert(rsa_pss_salt_len_tests[_i].expected < 0);
+ }
+}
+END_TEST
+
static rsa_pss_params_t rsa_pss_params_sha1 = { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, };
static rsa_pss_params_t rsa_pss_params_sha256 = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, };
static rsa_pss_params_t rsa_pss_params_sha256_mgf1 = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA512, .salt_len = HASH_SIZE_SHA256, };
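Review bot: test_rsa_pss_params_set_salt_len never asserts the return value itself, so a call that wrongly returns TRUE for a row with a negative `expected` is caught only if the sentinel left in `salt_len` happens to differ from `expected`. Asserting the result first makes the failure rows unambiguous: `bool ok = rsa_pss_params_set_salt_len(&rsa_pss_salt_len_tests[_i].params, rsa_pss_salt_len_tests[_i].modbits);` followed by `ck_assert(ok == (rsa_pss_salt_len_tests[_i].expected >= 0));`. The table also has no row with `.hash = HASH_UNKNOWN`, which is presumably the case where no default salt length can be derived.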
@@ -430,6 +475,10 @@ Suite *signature_params_suite_create()
tcase_add_loop_test(tc, test_rsa_pss_params_build_invalid, 0, countof(rsa_pss_build_invalid_tests));
suite_add_tcase(s, tc);
+ tc = tcase_create("rsa/pss salt len");
+ tcase_add_loop_test(tc, test_rsa_pss_params_set_salt_len, 0, countof(rsa_pss_salt_len_tests));
+ suite_add_tcase(s, tc);
+
tc = tcase_create("params compare");
tcase_add_loop_test(tc, test_params_compare, 0, countof(params_compare_tests));
tcase_add_test(tc, test_params_compare_null);
diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h
index 9fc38d480..26ff161a4 100644
--- a/src/libstrongswan/tests/tests.h
+++ b/src/libstrongswan/tests/tests.h
@@ -52,5 +52,6 @@ TEST_SUITE_DEPEND(mgf1_sha256_suite_create, XOF, XOF_MGF1_SHA256)
TEST_SUITE_DEPEND(ntru_suite_create, DH, NTRU_112_BIT)
TEST_SUITE_DEPEND(fetch_http_suite_create, FETCHER, "http://")
TEST_SUITE_DEPEND(ed25519_suite_create, PRIVKEY_GEN, KEY_ED25519)
+TEST_SUITE_DEPEND(ed448_suite_create, PRIVKEY_GEN, KEY_ED448)
TEST_SUITE(signature_params_suite_create)
diff --git a/src/libstrongswan/utils/chunk.h b/src/libstrongswan/utils/chunk.h
index e60cd8ad0..0dbe9dc80 100644
--- a/src/libstrongswan/utils/chunk.h
+++ b/src/libstrongswan/utils/chunk.h
@@ -332,7 +332,7 @@ static inline bool chunk_equals_ptr(chunk_t *a, chunk_t *b)
}
/**
- * Increment a chunk, as it would reprensent a network order integer.
+ * Increment a chunk, as it would represent a network order integer.
*
* @param chunk chunk to increment
* @return TRUE if an overflow occurred
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index efeb0f478..63b7453f3 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -582,6 +582,16 @@ static char *whitelist[] = {
"OPENSSL_init_crypto",
"CRYPTO_THREAD_lock_new",
"ERR_add_error_data",
+ "ERR_set_mark",
+ "ENGINE_load_builtin_engines",
+ "OPENSSL_load_builtin_modules",
+ "CONF_modules_load_file",
+ "CONF_module_add",
+ "RAND_DRBG_bytes",
+ "RAND_DRBG_generate",
+ "RAND_DRBG_get0_master",
+ "RAND_DRBG_get0_private",
+ "RAND_DRBG_get0_public",
/* OpenSSL libssl */
"SSL_COMP_get_compression_methods",
/* NSPR */
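Review bot: The new whitelist entries are matched with `contains_function` against an allocation's backtrace in print_traces, so broad entry points such as `RAND_DRBG_generate` or, in the next hunk, `botan_privkey_load` may also hide allocations that strongSwan itself is expected to release, for example a loaded key that is never destroyed. A short comment per group stating which library version needs the entry and which internal allocation it excuses would make that trade-off reviewable, e.g. `/* <library version>: <allocation made once and freed at exit> */` with the placeholders filled in by the author.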
@@ -619,6 +629,7 @@ static char *whitelist[] = {
"botan_privkey_create_ecdsa",
"botan_privkey_create_ecdh",
"botan_privkey_load_ecdh",
+ "botan_privkey_load",
};
/**
@@ -673,7 +684,8 @@ static int print_traces(private_leak_detective_t *this,
int leaks = 0;
memory_header_t *hdr;
enumerator_t *enumerator;
- hashtable_t *entries;
+ hashtable_t *entries, *ignored = NULL;
+ backtrace_t *bt;
struct {
/** associated backtrace */
backtrace_t *backtrace;
@@ -688,15 +700,32 @@ static int print_traces(private_leak_detective_t *this,
entries = hashtable_create((hashtable_hash_t)hash,
(hashtable_equals_t)equals, 1024);
+ if (whitelisted)
+ {
+ ignored = hashtable_create((hashtable_hash_t)hash,
+ (hashtable_equals_t)equals, 1024);
+ }
+
lock->lock(lock);
for (hdr = first_header.next; hdr != NULL; hdr = hdr->next)
{
- if (whitelisted &&
- hdr->backtrace->contains_function(hdr->backtrace,
- whitelist, countof(whitelist)))
+ if (whitelisted)
{
- (*whitelisted)++;
- continue;
+ bt = ignored->get(ignored, hdr->backtrace);
+ if (!bt)
+ {
+ if (hdr->backtrace->contains_function(hdr->backtrace, whitelist,
+ countof(whitelist)))
+ {
+ bt = hdr->backtrace;
+ ignored->put(ignored, bt, bt);
+ }
+ }
+ if (bt)
+ {
+ (*whitelisted)++;
+ continue;
+ }
}
entry = entries->get(entries, hdr->backtrace);
if (entry)
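Review bot: The purpose and ownership of the new `ignored` table are not documented: it stores `hdr->backtrace` as both key and value, so its entries are borrowed from the allocation headers and are only valid while `lock` is held. A comment at its creation would make that explicit, for instance `/* cache of backtraces already matched against the whitelist, so the scan runs once per distinct backtrace; entries are borrowed, never freed */`. print_traces starts and ends outside this hunk.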
@@ -720,6 +749,7 @@ static int print_traces(private_leak_detective_t *this,
leaks++;
}
lock->unlock(lock);
+ DESTROY_IF(ignored);
enumerator = entries->create_enumerator(entries);
while (enumerator->enumerate(enumerator, NULL, &entry))
diff --git a/src/libtpmtss/plugins/tpm/tpm_private_key.c b/src/libtpmtss/plugins/tpm/tpm_private_key.c
index 3b7582ae3..d946fbe56 100644
--- a/src/libtpmtss/plugins/tpm/tpm_private_key.c
+++ b/src/libtpmtss/plugins/tpm/tpm_private_key.c
@@ -1,5 +1,6 @@
/*
- * Copyright (C) 2017 Andreas Steffen
+ * Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2017-2018 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -75,6 +76,12 @@ METHOD(private_key_t, get_keysize, int,
return this->pubkey->get_keysize(this->pubkey);
}
+METHOD(private_key_t, supported_signature_schemes, enumerator_t*,
+ private_tpm_private_key_t *this)
+{
+ return this->tpm->supported_signature_schemes(this->tpm, this->handle);
+}
+
METHOD(private_key_t, sign, bool,
private_tpm_private_key_t *this, signature_scheme_t scheme, void *params,
chunk_t data, chunk_t *signature)
@@ -201,6 +208,7 @@ tpm_private_key_t *tpm_private_key_connect(key_type_t type, va_list args)
.sign = _sign,
.decrypt = _decrypt,
.get_keysize = _get_keysize,
+ .supported_signature_schemes = _supported_signature_schemes,
.get_public_key = _get_public_key,
.equals = private_key_equals,
.belongs_to = private_key_belongs_to,
diff --git a/src/libtpmtss/tpm_tss.h b/src/libtpmtss/tpm_tss.h
index 11e4a7c15..aab7a4d6c 100644
--- a/src/libtpmtss/tpm_tss.h
+++ b/src/libtpmtss/tpm_tss.h
@@ -1,5 +1,6 @@
/*
- * Copyright (C) 2016 Andreas Steffen
+ * Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2016-2018 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -80,6 +81,15 @@ struct tpm_tss_t {
chunk_t (*get_public)(tpm_tss_t *this, uint32_t handle);
/**
+ * Return signature schemes supported by the given key (TPM 2.0 only)
+ *
+ * @param handle key object handle
+ * @return enumerator over signature_params_t*
+ */
+ enumerator_t *(*supported_signature_schemes)(tpm_tss_t *this,
+ uint32_t handle);
+
+ /**
* Retrieve the current value of a PCR register in a given PCR bank
*
* @param pcr_num PCR number
diff --git a/src/libtpmtss/tpm_tss_trousers.c b/src/libtpmtss/tpm_tss_trousers.c
index 81e542d02..937373354 100644
--- a/src/libtpmtss/tpm_tss_trousers.c
+++ b/src/libtpmtss/tpm_tss_trousers.c
@@ -390,6 +390,12 @@ METHOD(tpm_tss_t, get_public, chunk_t,
return aik_pubkey;
}
+METHOD(tpm_tss_t, supported_signature_schemes, enumerator_t*,
+ private_tpm_tss_trousers_t *this, uint32_t handle)
+{
+ return enumerator_create_empty();
+}
+
METHOD(tpm_tss_t, read_pcr, bool,
private_tpm_tss_trousers_t *this, uint32_t pcr_num, chunk_t *pcr_value,
hash_algorithm_t alg)
@@ -642,6 +648,7 @@ tpm_tss_t *tpm_tss_trousers_create()
.get_version_info = _get_version_info,
.generate_aik = _generate_aik,
.get_public = _get_public,
+ .supported_signature_schemes = _supported_signature_schemes,
.read_pcr = _read_pcr,
.extend_pcr = _extend_pcr,
.quote = _quote,
diff --git a/src/libtpmtss/tpm_tss_tss2_v1.c b/src/libtpmtss/tpm_tss_tss2_v1.c
index 9ed2798f7..f904442ed 100644
--- a/src/libtpmtss/tpm_tss_tss2_v1.c
+++ b/src/libtpmtss/tpm_tss_tss2_v1.c
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2018 Tobias Brunner
* Copyright (C) 2016-2018 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
@@ -24,9 +25,9 @@
#include <tpm20.h>
-#ifdef TSS2_TCTI_TABRMD_V1
+#ifdef TSS2_TCTI_TABRMD
#include <tcti/tcti-tabrmd.h>
-#endif /* TSS2_TCTI_TABRMD_V1 */
+#endif /* TSS2_TCTI_TABRMD */
#ifdef TSS2_TCTI_SOCKET
#include <tcti_socket.h>
@@ -68,6 +69,12 @@ struct private_tpm_tss_tss2_t {
* List of supported algorithms
*/
TPM_ALG_ID supported_algs[TPM_PT_ALGORITHM_SET];
+
+ /**
+ * Is TPM FIPS 186-4 compliant ?
+ */
+ bool fips_186_4;
+
};
/**
@@ -153,6 +160,7 @@ static bool get_algs_capability(private_tpm_tss_tss2_t *this)
TPMS_TAGGED_PROPERTY tp;
TPMI_YES_NO more_data;
TPM_ALG_ID alg;
+ bool fips_140_2 = FALSE;
uint32_t rval, i, offset, revision = 0, year = 0;
size_t len = BUF_LEN;
char buf[BUF_LEN], manufacturer[5], vendor_string[17];
@@ -193,12 +201,25 @@ static bool get_algs_capability(private_tpm_tss_tss2_t *this)
offset = 4 * (tp.property - TPM_PT_VENDOR_STRING_1);
htoun32(vendor_string + offset, tp.value);
break;
+ case TPM_PT_MODES:
+ if (tp.value & TPMA_MODES_FIPS_140_2)
+ {
+ this->fips_186_4 = fips_140_2 = TRUE;
+ }
+ break;
default:
break;
}
}
- DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u", LABEL, manufacturer,
- vendor_string, (float)revision/100, year);
+
+ if (!fips_140_2)
+ {
+ this->fips_186_4 = lib->settings->get_bool(lib->settings,
+ "%s.plugins.tpm.fips_186_4", FALSE, lib->ns);
+ }
+ DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u %s", LABEL,
+ manufacturer, vendor_string, (float)revision/100, year,
+ fips_140_2 ? "FIPS 140-2" : (this->fips_186_4 ? "FIPS 186-4" : ""));
/* get supported algorithms */
rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM_CAP_ALGS,
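Review bot: In the `TPM_PT_MODES` case the FIPS 140-2 mode bit is taken as proof of FIPS 186-4 behaviour, and the `%s.plugins.tpm.fips_186_4` setting is read only when that bit is clear, so configuration can switch the flag on but never off. Because `fips_186_4` later selects between `RSA_PSS_SALT_LEN_DEFAULT` and `RSA_PSS_SALT_LEN_MAX` in supported_signature_schemes, a wrong guess advertises PSS parameters that may not match what the TPM actually produces. Reading the setting with the detected value as its default keeps an override possible: `this->fips_186_4 = lib->settings->get_bool(lib->settings, "%s.plugins.tpm.fips_186_4", fips_140_2, lib->ns);`. The same code is added to get_algs_capability in tpm_tss_tss2_v2.c; the function continues outside the hunk.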
@@ -400,7 +421,7 @@ METHOD(tpm_tss_t, get_version_info, chunk_t,
}
/**
- * read the public key portion of a TSS 2.0 AIK key from NVRAM
+ * read the public key portion of a TSS 2.0 key from NVRAM
*/
bool read_public(private_tpm_tss_tss2_t *this, TPMI_DH_OBJECT handle,
TPM2B_PUBLIC *public)
@@ -450,9 +471,9 @@ METHOD(tpm_tss_t, get_public, chunk_t,
}
aik_blob = chunk_create((u_char*)&public, sizeof(public));
- DBG3(DBG_LIB, "%s AIK public key blob: %B", LABEL, &aik_blob);
+ DBG3(DBG_LIB, "%s public key blob: %B", LABEL, &aik_blob);
- /* convert TSS 2.0 AIK public key blot into PKCS#1 format */
+ /* convert TSS 2.0 public key blot into PKCS#1 format */
switch (public.t.publicArea.type)
{
case TPM_ALG_RSA:
@@ -469,12 +490,12 @@ METHOD(tpm_tss_t, get_public, chunk_t,
aik_modulus = chunk_create(rsa->t.buffer, rsa->t.size);
aik_exponent = chunk_from_chars(0x01, 0x00, 0x01);
- /* subjectPublicKeyInfo encoding of AIK RSA key */
+ /* subjectPublicKeyInfo encoding of RSA public key */
if (!lib->encoding->encode(lib->encoding, PUBKEY_SPKI_ASN1_DER,
NULL, &aik_pubkey, CRED_PART_RSA_MODULUS, aik_modulus,
CRED_PART_RSA_PUB_EXP, aik_exponent, CRED_PART_END))
{
- DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of AIK key "
+ DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of public key "
"failed", LABEL);
return chunk_empty;
}
@@ -505,7 +526,7 @@ METHOD(tpm_tss_t, get_public, chunk_t,
pos += ecc->x.t.size;
/* copy y coordinate of ECC point */
memcpy(pos, ecc->y.t.buffer, ecc->y.t.size);
- /* subjectPublicKeyInfo encoding of AIK ECC key */
+ /* subjectPublicKeyInfo encoding of ECC public key */
aik_pubkey = asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_build_known_oid(OID_EC_PUBLICKEY),
@@ -515,14 +536,101 @@ METHOD(tpm_tss_t, get_public, chunk_t,
break;
}
default:
- DBG1(DBG_PTS, "%s unsupported AIK key type", LABEL);
+ DBG1(DBG_PTS, "%s unsupported key type", LABEL);
return chunk_empty;
}
- DBG1(DBG_PTS, "AIK signature algorithm is %N with %N hash",
+ DBG1(DBG_PTS, "signature algorithm is %N with %N hash",
tpm_alg_id_names, sig_alg, tpm_alg_id_names, digest_alg);
return aik_pubkey;
}
+METHOD(tpm_tss_t, supported_signature_schemes, enumerator_t*,
+ private_tpm_tss_tss2_t *this, uint32_t handle)
+{
+ TPM2B_PUBLIC public = { { 0, } };
+ hash_algorithm_t digest;
+ signature_params_t supported_scheme;
+
+ if (!read_public(this, handle, &public))
+ {
+ return enumerator_create_empty();
+ }
+
+ switch (public.t.publicArea.type)
+ {
+ case TPM_ALG_RSA:
+ {
+ TPMS_RSA_PARMS *rsa;
+ TPMT_RSA_SCHEME *scheme;
+
+ rsa = &public.t.publicArea.parameters.rsaDetail;
+ scheme = &rsa->scheme;
+ digest = hash_alg_from_tpm_alg_id(scheme->details.anySig.hashAlg);
+
+ switch (scheme->scheme)
+ {
+ case TPM_ALG_RSAPSS:
+ {
+ ssize_t salt_len;
+
+ salt_len = this->fips_186_4 ? RSA_PSS_SALT_LEN_DEFAULT :
+ RSA_PSS_SALT_LEN_MAX;
+ rsa_pss_params_t pss_params = {
+ .hash = digest,
+ .mgf1_hash = digest,
+ .salt_len = salt_len,
+ };
+ supported_scheme = (signature_params_t){
+ .scheme = SIGN_RSA_EMSA_PSS,
+ .params = &pss_params,
+ };
+ if (!rsa_pss_params_set_salt_len(&pss_params, rsa->keyBits))
+ {
+ return enumerator_create_empty();
+ }
+ break;
+ }
+ case TPM_ALG_RSASSA:
+ supported_scheme = (signature_params_t){
+ .scheme = signature_scheme_from_oid(
+ hasher_signature_algorithm_to_oid(digest,
+ KEY_RSA)),
+ };
+ break;
+ default:
+ return enumerator_create_empty();
+ }
+ break;
+ }
+ case TPM_ALG_ECC:
+ {
+ TPMT_ECC_SCHEME *scheme;
+
+ scheme = &public.t.publicArea.parameters.eccDetail.scheme;
+ digest = hash_alg_from_tpm_alg_id(scheme->details.anySig.hashAlg);
+
+ switch (scheme->scheme)
+ {
+ case TPM_ALG_ECDSA:
+ supported_scheme = (signature_params_t){
+ .scheme = signature_scheme_from_oid(
+ hasher_signature_algorithm_to_oid(digest,
+ KEY_ECDSA)),
+ };
+ break;
+ default:
+ return enumerator_create_empty();
+ }
+ break;
+ }
+ default:
+ DBG1(DBG_PTS, "%s unsupported key type", LABEL);
+ return enumerator_create_empty();
+ }
+ return enumerator_create_single(signature_params_clone(&supported_scheme),
+ (void*)signature_params_destroy);
+}
+
/**
* Configure a PCR Selection assuming a maximum of 24 registers
*/
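Review bot: In the `TPM_ALG_RSAPSS` case `supported_scheme.params` is set to `&pss_params`, but `pss_params` is declared inside that case's braces and its lifetime ends at the `break`, so the `signature_params_clone(&supported_scheme)` at the end of the function is handed a dangling pointer. This usually works because the stack slot is not reused, but it is undefined behaviour that stack-reuse optimisations or sanitizers can expose. Declare `rsa_pss_params_t pss_params;` next to `supported_scheme` at function scope and assign it in the case with `pss_params = (rsa_pss_params_t){ .hash = digest, .mgf1_hash = digest, .salt_len = salt_len, };`. The identical block added to tpm_tss_tss2_v2.c needs the same change.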
@@ -809,7 +917,7 @@ METHOD(tpm_tss_t, quote, bool,
DBG1(DBG_PTS, "%s unsupported %N signature algorithm",
LABEL, tpm_alg_id_names, sig.sigAlg);
return FALSE;
- };
+ }
DBG2(DBG_PTS, "PCR digest algorithm is %N", tpm_alg_id_names, hash_alg);
pcr_digest_alg = hash_alg_from_tpm_alg_id(hash_alg);
@@ -1036,7 +1144,7 @@ METHOD(tpm_tss_t, sign, bool,
DBG1(DBG_PTS, "%s unsupported %N signature scheme",
LABEL, signature_scheme_names, scheme);
return FALSE;
- };
+ }
return TRUE;
}
@@ -1174,6 +1282,7 @@ tpm_tss_t *tpm_tss_tss2_create()
.get_version_info = _get_version_info,
.generate_aik = _generate_aik,
.get_public = _get_public,
+ .supported_signature_schemes = _supported_signature_schemes,
.read_pcr = _read_pcr,
.extend_pcr = _extend_pcr,
.quote = _quote,
diff --git a/src/libtpmtss/tpm_tss_tss2_v2.c b/src/libtpmtss/tpm_tss_tss2_v2.c
index 7cb0d48a9..6bbbce238 100644
--- a/src/libtpmtss/tpm_tss_tss2_v2.c
+++ b/src/libtpmtss/tpm_tss_tss2_v2.c
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2018 Tobias Brunner
* Copyright (C) 2018 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
@@ -64,6 +65,12 @@ struct private_tpm_tss_tss2_t {
* List of supported algorithms
*/
TPM2_ALG_ID supported_algs[TPM2_PT_ALGORITHM_SET];
+
+ /**
+ * Is TPM FIPS 186-4 compliant ?
+ */
+ bool fips_186_4;
+
};
/**
@@ -152,6 +159,7 @@ static bool get_algs_capability(private_tpm_tss_tss2_t *this)
TPMS_TAGGED_PROPERTY tp;
TPMI_YES_NO more_data;
TPM2_ALG_ID alg;
+ bool fips_140_2 = FALSE;
uint32_t rval, i, offset, revision = 0, year = 0;
size_t len = BUF_LEN;
char buf[BUF_LEN], manufacturer[5], vendor_string[17];
@@ -193,12 +201,25 @@ static bool get_algs_capability(private_tpm_tss_tss2_t *this)
offset = 4 * (tp.property - TPM2_PT_VENDOR_STRING_1);
htoun32(vendor_string + offset, tp.value);
break;
+ case TPM2_PT_MODES:
+ if (tp.value & TPMA_MODES_FIPS_140_2)
+ {
+ this->fips_186_4 = fips_140_2 = TRUE;
+ }
+ break;
default:
break;
}
}
- DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u", LABEL, manufacturer,
- vendor_string, (float)revision/100, year);
+
+ if (!fips_140_2)
+ {
+ this->fips_186_4 = lib->settings->get_bool(lib->settings,
+ "%s.plugins.tpm.fips_186_4", FALSE, lib->ns);
+ }
+ DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u %s", LABEL,
+ manufacturer, vendor_string, (float)revision/100, year,
+ fips_140_2 ? "FIPS 140-2" : (this->fips_186_4 ? "FIPS 186-4" : ""));
/* get supported algorithms */
rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM2_CAP_ALGS,
@@ -360,7 +381,7 @@ METHOD(tpm_tss_t, get_version_info, chunk_t,
}
/**
- * read the public key portion of a TSS 2.0 AIK key from NVRAM
+ * read the public key portion of a TSS 2.0 key from NVRAM
*/
bool read_public(private_tpm_tss_tss2_t *this, TPMI_DH_OBJECT handle,
TPM2B_PUBLIC *public)
@@ -404,9 +425,9 @@ METHOD(tpm_tss_t, get_public, chunk_t,
}
aik_blob = chunk_create((u_char*)&public, sizeof(public));
- DBG3(DBG_LIB, "%s AIK public key blob: %B", LABEL, &aik_blob);
+ DBG3(DBG_LIB, "%s public key blob: %B", LABEL, &aik_blob);
- /* convert TSS 2.0 AIK public key blot into PKCS#1 format */
+ /* convert TSS 2.0 public key blot into PKCS#1 format */
switch (public.publicArea.type)
{
case TPM2_ALG_RSA:
@@ -423,12 +444,12 @@ METHOD(tpm_tss_t, get_public, chunk_t,
aik_modulus = chunk_create(rsa->buffer, rsa->size);
aik_exponent = chunk_from_chars(0x01, 0x00, 0x01);
- /* subjectPublicKeyInfo encoding of AIK RSA key */
+ /* subjectPublicKeyInfo encoding of RSA public key */
if (!lib->encoding->encode(lib->encoding, PUBKEY_SPKI_ASN1_DER,
NULL, &aik_pubkey, CRED_PART_RSA_MODULUS, aik_modulus,
CRED_PART_RSA_PUB_EXP, aik_exponent, CRED_PART_END))
{
- DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of AIK key "
+ DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of public key "
"failed", LABEL);
return chunk_empty;
}
@@ -459,7 +480,7 @@ METHOD(tpm_tss_t, get_public, chunk_t,
pos += ecc->x.size;
/* copy y coordinate of ECC point */
memcpy(pos, ecc->y.buffer, ecc->y.size);
- /* subjectPublicKeyInfo encoding of AIK ECC key */
+ /* subjectPublicKeyInfo encoding of ECC public key */
aik_pubkey = asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_build_known_oid(OID_EC_PUBLICKEY),
@@ -469,14 +490,101 @@ METHOD(tpm_tss_t, get_public, chunk_t,
break;
}
default:
- DBG1(DBG_PTS, "%s unsupported AIK key type", LABEL);
+ DBG1(DBG_PTS, "%s unsupported key type", LABEL);
return chunk_empty;
}
- DBG1(DBG_PTS, "AIK signature algorithm is %N with %N hash",
+ DBG1(DBG_PTS, "signature algorithm is %N with %N hash",
tpm_alg_id_names, sig_alg, tpm_alg_id_names, digest_alg);
return aik_pubkey;
}
+METHOD(tpm_tss_t, supported_signature_schemes, enumerator_t*,
+ private_tpm_tss_tss2_t *this, uint32_t handle)
+{
+ TPM2B_PUBLIC public = { 0, };
+ hash_algorithm_t digest;
+ signature_params_t supported_scheme;
+
+ if (!read_public(this, handle, &public))
+ {
+ return enumerator_create_empty();
+ }
+
+ switch (public.publicArea.type)
+ {
+ case TPM2_ALG_RSA:
+ {
+ TPMS_RSA_PARMS *rsa;
+ TPMT_RSA_SCHEME *scheme;
+
+ rsa = &public.publicArea.parameters.rsaDetail;
+ scheme = &rsa->scheme;
+ digest = hash_alg_from_tpm_alg_id(scheme->details.anySig.hashAlg);
+
+ switch (scheme->scheme)
+ {
+ case TPM2_ALG_RSAPSS:
+ {
+ ssize_t salt_len;
+
+ salt_len = this->fips_186_4 ? RSA_PSS_SALT_LEN_DEFAULT :
+ RSA_PSS_SALT_LEN_MAX;
+ rsa_pss_params_t pss_params = {
+ .hash = digest,
+ .mgf1_hash = digest,
+ .salt_len = salt_len,
+ };
+ supported_scheme = (signature_params_t){
+ .scheme = SIGN_RSA_EMSA_PSS,
+ .params = &pss_params,
+ };
+ if (!rsa_pss_params_set_salt_len(&pss_params, rsa->keyBits))
+ {
+ return enumerator_create_empty();
+ }
+ break;
+ }
+ case TPM2_ALG_RSASSA:
+ supported_scheme = (signature_params_t){
+ .scheme = signature_scheme_from_oid(
+ hasher_signature_algorithm_to_oid(digest,
+ KEY_RSA)),
+ };
+ break;
+ default:
+ return enumerator_create_empty();
+ }
+ break;
+ }
+ case TPM2_ALG_ECC:
+ {
+ TPMT_ECC_SCHEME *scheme;
+
+ scheme = &public.publicArea.parameters.eccDetail.scheme;
+ digest = hash_alg_from_tpm_alg_id(scheme->details.anySig.hashAlg);
+
+ switch (scheme->scheme)
+ {
+ case TPM2_ALG_ECDSA:
+ supported_scheme = (signature_params_t){
+ .scheme = signature_scheme_from_oid(
+ hasher_signature_algorithm_to_oid(digest,
+ KEY_ECDSA)),
+ };
+ break;
+ default:
+ return enumerator_create_empty();
+ }
+ break;
+ }
+ default:
+ DBG1(DBG_PTS, "%s unsupported key type", LABEL);
+ return enumerator_create_empty();
+ }
+ return enumerator_create_single(signature_params_clone(&supported_scheme),
+ (void*)signature_params_destroy);
+}
+
/**
* Configure a PCR Selection assuming a maximum of 24 registers
*/
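Review bot: `digest` is not checked before the `TPM2_ALG_RSASSA` and `TPM2_ALG_ECDSA` cases build a scheme from it, so if `hash_alg_from_tpm_alg_id()` cannot map the key's `hashAlg` the enumerator presumably yields a `signature_params_t` with an unknown scheme instead of being empty. A guard after each `signature_scheme_from_oid(...)` assignment, `if (supported_scheme.scheme == SIGN_UNKNOWN) return enumerator_create_empty();`, keeps callers such as get_signature_scheme in pki.c from selecting it when no digest was requested. The same applies to the matching cases in tpm_tss_tss2_v1.c.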
@@ -729,7 +837,7 @@ METHOD(tpm_tss_t, quote, bool,
DBG1(DBG_PTS, "%s unsupported %N signature algorithm",
LABEL, tpm_alg_id_names, sig.sigAlg);
return FALSE;
- };
+ }
DBG2(DBG_PTS, "PCR digest algorithm is %N", tpm_alg_id_names, hash_alg);
pcr_digest_alg = hash_alg_from_tpm_alg_id(hash_alg);
@@ -940,7 +1048,7 @@ METHOD(tpm_tss_t, sign, bool,
DBG1(DBG_PTS, "%s unsupported %N signature scheme",
LABEL, signature_scheme_names, scheme);
return FALSE;
- };
+ }
return TRUE;
}
@@ -1061,6 +1169,7 @@ tpm_tss_t *tpm_tss_tss2_create()
.get_version_info = _get_version_info,
.generate_aik = _generate_aik,
.get_public = _get_public,
+ .supported_signature_schemes = _supported_signature_schemes,
.read_pcr = _read_pcr,
.extend_pcr = _extend_pcr,
.quote = _quote,
diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c
index d1ea5c65e..4cbe06c9e 100644
--- a/src/pki/commands/acert.c
+++ b/src/pki/commands/acert.c
@@ -228,6 +228,11 @@ static int acert()
goto end;
}
scheme = get_signature_scheme(private, digest, pss);
+ if (!scheme)
+ {
+ error = "no signature scheme found";
+ goto end;
+ }
ac = lib->creds->create(lib->creds,
CRED_CERTIFICATE, CERT_X509_AC,
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 1ccbca89f..b117fa171 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -536,6 +536,11 @@ static int issue()
chunk_from_chars(ASN1_SEQUENCE, 0));
}
scheme = get_signature_scheme(private, digest, pss);
+ if (!scheme)
+ {
+ error = "no signature scheme found";
+ goto end;
+ }
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index cfddbc455..8f5380a4a 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -168,6 +168,11 @@ static int req()
goto end;
}
scheme = get_signature_scheme(private, digest, pss);
+ if (!scheme)
+ {
+ error = "no signature scheme found";
+ goto end;
+ }
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
BUILD_SIGNING_KEY, private,
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 6f7adef0f..a08ee9931 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -378,6 +378,11 @@ static int self()
rng->destroy(rng);
}
scheme = get_signature_scheme(private, digest, pss);
+ if (!scheme)
+ {
+ error = "no signature scheme found";
+ goto end;
+ }
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public,
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index ca208a5cf..a399d21be 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -399,6 +399,12 @@ static int sign_crl()
chunk_increment(crl_serial);
scheme = get_signature_scheme(private, digest, pss);
+ if (!scheme)
+ {
+ error = "no signature scheme found";
+ goto error;
+ }
+
enumerator = enumerator_create_filter(list->create_enumerator(list),
filter, NULL, NULL);
crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
diff --git a/src/pki/pki.c b/src/pki/pki.c
index ec60f7d42..d03e96f9b 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012-2017 Tobias Brunner
+ * Copyright (C) 2012-2018 Tobias Brunner
* Copyright (C) 2009 Martin Willi
* HSR Hochschule fuer Technik Rapperswil
*
@@ -264,7 +264,30 @@ static hash_algorithm_t get_default_digest(private_key_t *private)
signature_params_t *get_signature_scheme(private_key_t *private,
hash_algorithm_t digest, bool pss)
{
- signature_params_t *scheme;
+ signature_params_t *scheme, *selected = NULL;
+ enumerator_t *enumerator;
+
+ if (private->supported_signature_schemes)
+ {
+ enumerator = private->supported_signature_schemes(private);
+ while (enumerator->enumerate(enumerator, &scheme))
+ {
+ if (private->get_type(private) == KEY_RSA &&
+ pss != (scheme->scheme == SIGN_RSA_EMSA_PSS))
+ {
+ continue;
+ }
+ if (digest == HASH_UNKNOWN ||
+ digest == hasher_from_signature_scheme(scheme->scheme,
+ scheme->params))
+ {
+ selected = signature_params_clone(scheme);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return selected;
+ }
if (digest == HASH_UNKNOWN)
{
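Review bot: Once a key implements `supported_signature_schemes`, this branch always ends in `return selected` and never reaches the default selection below, which is not stated anywhere. The trousers backend in this commit always returns `enumerator_create_empty()`, and the TSS2 backends do so on any read error or unsupported scheme, so all of these end in the callers' generic "no signature scheme found". A comment such as `/* keys that report their schemes never fall back to the defaults below */` would document the intent. Extending the `@return` text in pki.h to say that NULL also covers a key whose enumerator is empty or a padding/digest mismatch would help the operator interpret the error.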
@@ -281,6 +304,7 @@ signature_params_t *get_signature_scheme(private_key_t *private,
.scheme = SIGN_RSA_EMSA_PSS,
.params = &pss_params,
};
+ rsa_pss_params_set_salt_len(&pss_params, 0);
scheme = signature_params_clone(&pss_scheme);
}
else
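Review bot: The result of `rsa_pss_params_set_salt_len(&pss_params, 0)` is ignored, so if it fails `pss_params.salt_len` keeps whatever placeholder it had and is cloned into the returned scheme. Now that every caller in this commit handles a NULL scheme, the failure can be reported here: `if (!rsa_pss_params_set_salt_len(&pss_params, 0)) { return NULL; }`. `pss_params` is declared outside the hunk, so its initial `salt_len` is not visible from here.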
diff --git a/src/pki/pki.h b/src/pki/pki.h
index 3f0793cfd..3976c33b7 100644
--- a/src/pki/pki.h
+++ b/src/pki/pki.h
@@ -65,7 +65,8 @@ void set_file_mode(FILE *stream, cred_encoding_type_t enc);
* @param digest hash algorithm (if HASH_UNKNOWN a default is determined
* based on the key)
* @param pss use PSS padding for RSA keys
- * @return allocated signature scheme and parameters
+ * @return allocated signature scheme and parameters (NULL if none
+ * found)
*/
signature_params_t *get_signature_scheme(private_key_t *private,
hash_algorithm_t digest, bool pss);
diff --git a/src/pool/pool.c b/src/pool/pool.c
index b755365ec..ba1889dd8 100644
--- a/src/pool/pool.c
+++ b/src/pool/pool.c
@@ -710,7 +710,6 @@ static enumerator_t *create_lease_query(char *filter, array_t **to_free)
default:
fprintf(stderr, "invalid filter string.\n");
exit(EXIT_FAILURE);
- break;
}
}
query = db->query(db,
@@ -1142,7 +1141,6 @@ static void do_args(int argc, char *argv[])
default:
usage();
exit(EXIT_FAILURE);
- break;
}
break;
}
diff --git a/src/pt-tls-client/pt-tls-client.1.in b/src/pt-tls-client/pt-tls-client.1.in
index 3e14cbe37..6bd3c642e 100644
--- a/src/pt-tls-client/pt-tls-client.1.in
+++ b/src/pt-tls-client/pt-tls-client.1.in
@@ -1,4 +1,4 @@
-.TH PT-TLS-CLIENT 1 "2017-07-15" "@PACKAGE_VERSION@" "strongSwan"
+.TH PT-TLS-CLIENT 1 "2018-11-20" "@PACKAGE_VERSION@" "strongSwan"
.
.SH "NAME"
.
@@ -9,7 +9,7 @@ pt-tls-client \- Simple client using PT-TLS to collect integrity information
.SY "pt-tls-client"
.BI \-\-connect
.IR hostname |\fIaddress
-.OP \-\-port hex
+.OP \-\-port port
.RB [ \-\-certid
.IR hex |\fB\-\-cert
.IR file ]+
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 83079f3d8..754393455 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -455,6 +455,7 @@ int main(int argc, char **argv)
/* distinguished name for requested certificate, ASCII format */
char *distinguishedName = NULL;
+ char default_distinguished_name[BUF_LEN];
/* challenge password */
char challenge_password_buffer[MAX_PASSWORD_LENGTH];
@@ -1105,16 +1106,16 @@ int main(int argc, char **argv)
{
if (distinguishedName == NULL)
{
- char buf[BUF_LEN];
- int n = sprintf(buf, DEFAULT_DN);
+ int n = sprintf(default_distinguished_name, DEFAULT_DN);
/* set the common name to the hostname */
- if (gethostname(buf + n, BUF_LEN - n) || strlen(buf) == n)
+ if (gethostname(default_distinguished_name + n, BUF_LEN - n) ||
+ strlen(default_distinguished_name) == n)
{
exit_scepclient("no hostname defined, use "
"--dn <distinguished name> option");
}
- distinguishedName = buf;
+ distinguishedName = default_distinguished_name;
}
DBG2(DBG_APP, "dn: '%s'", distinguishedName);
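Review bot: `gethostname()` is still given the whole remaining space `BUF_LEN - n`, and POSIX leaves it unspecified whether a truncated name is NUL-terminated, so the `strlen(default_distinguished_name)` in the same condition and the later `%s` can read past the buffer on a host with a very long name. Reserve the last byte and terminate explicitly: set `default_distinguished_name[BUF_LEN - 1] = '\0';` before the call and pass `BUF_LEN - n - 1` as the length. `sprintf(default_distinguished_name, DEFAULT_DN)` also uses the macro as a format string; `snprintf(default_distinguished_name, BUF_LEN, "%s", DEFAULT_DN)` is safer should DEFAULT_DN ever contain a `%`. main() starts and ends outside the hunk.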
diff --git a/src/sec-updater/sec-updater.sh b/src/sec-updater/sec-updater.sh
index ca7b89841..16e561459 100755
--- a/src/sec-updater/sec-updater.sh
+++ b/src/sec-updater/sec-updater.sh
@@ -4,11 +4,11 @@ DIR="/etc/pts"
DISTS_DIR="$DIR/dists"
DATE=`date +%Y%m%d-%H%M`
UBUNTU="http://security.ubuntu.com/ubuntu"
-UBUNTU_VERSIONS="xenial"
+UBUNTU_VERSIONS="bionic xenial"
UBUNTU_DIRS="main multiverse restricted universe"
UBUNTU_ARCH="binary-amd64"
DEBIAN="http://security.debian.org"
-DEBIAN_VERSIONS="jessie wheezy"
+DEBIAN_VERSIONS="stretch jessie wheezy"
DEBIAN_DIRS="main contrib non-free"
DEBIAN_ARCH="binary-amd64 binary-armhf"
RASPIAN="http://archive.raspberrypi.org/debian"
@@ -48,8 +48,14 @@ do
mkdir -p $v-updates/$a
for d in $DEBIAN_DIRS
do
- wget -nv $DEBIAN/dists/$v/updates/$d/$a/Packages.bz2 -O $v-updates/$a/Packages-$d.bz2
- bunzip2 -f $v-updates/$a/Packages-$d.bz2
+ if [ $v = "stretch" ]
+ then
+ wget -nv $DEBIAN/dists/$v/updates/$d/$a/Packages.xz -O $v-updates/$a/Packages-$d.xz
+ unxz -f $v-updates/$a/Packages-$d.xz
+ else
+ wget -nv $DEBIAN/dists/$v/updates/$d/$a/Packages.bz2 -O $v-updates/$a/Packages-$d.bz2
+ bunzip2 -f $v-updates/$a/Packages-$d.bz2
+ fi
done
done
done
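Review bot: The new `Packages.xz` download for stretch, like the existing `.bz2` branch, comes from `$DEBIAN`, which is set to a plain `http://` URL at the top of the script, and is unpacked with no integrity check visible in this hunk. The unpacked lists are what the later `$CMD ... --file $f` loops read, so an index altered on the network path would be accepted as distribution data. apt avoids this by checking each index hash against the signed `InRelease` file, and the script could do the same before `unxz`/`bunzip2`. The fence sketches this for the `.xz` branch, with the keyring path left as a placeholder. The enclosing `for v` and `for a` loops begin outside the hunk.

```shell
# … unchanged: for v loop header …
# once per release: fetch and verify the signed index list
# (DEBIAN_KEYRING is a placeholder for the Debian archive keyring path)
mkdir -p "$v-updates"
wget -nv "$DEBIAN/dists/$v/updates/InRelease" -O "$v-updates/InRelease"
gpgv --keyring "$DEBIAN_KEYRING" --output "$v-updates/Release" "$v-updates/InRelease" || continue
# … unchanged: for a / for d loops, mkdir, wget of Packages.xz …
want=`awk -v p="$d/$a/Packages.xz" '$3 == p && length($1) == 64 { print $1 }' "$v-updates/Release"`
have=`sha256sum "$v-updates/$a/Packages-$d.xz" | cut -d' ' -f1`
[ -n "$want" ] && [ "$want" = "$have" ] || continue
unxz -f $v-updates/$a/Packages-$d.xz
```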
@@ -71,6 +77,28 @@ done
# Run sec-updater in distribution information
+for f in bionic-security/binary-amd64/*
+do
+ echo "security: $f"
+ $CMD --os "Ubuntu 18.04" --arch "x86_64" --file $f --security \
+ --uri $UBUNTU >> $CMD_LOG 2>&1
+ if [ $? -eq 0 ]
+ then
+ DEL_LOG=0
+ fi
+done
+
+for f in bionic-updates/binary-amd64/*
+do
+ echo "updates: $f"
+ $CMD --os "Ubuntu 18.04" --arch "x86_64" --file $f \
+ --uri $UBUNTU >> $CMD_LOG 2>&1
+ if [ $? -eq 0 ]
+ then
+ DEL_LOG=0
+ fi
+done
+
for f in xenial-security/binary-amd64/*
do
echo "security: $f"
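Review bot: The added `for f in bionic-security/binary-amd64/*` and `bionic-updates` loops pass `$f` to `$CMD` unquoted and do not handle a glob that matches nothing. If an earlier download failed and the directory is empty, the loop body runs once with the literal pattern as the file name. Adding `[ -e "$f" ] || continue` as the first statement of each loop and writing `--file "$f"` avoids handing sec-updater a non-existent path. The same applies to the `stretch-updates/binary-amd64` and `stretch-updates/binary-armhf` loops added in the next two hunks. The xenial loop at the end of this hunk continues outside it.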
@@ -93,6 +121,17 @@ do
fi
done
+for f in stretch-updates/binary-amd64/*
+do
+ echo "security: $f"
+ $CMD --os "Debian 9.0" --arch "x86_64" --file $f --security \
+ --uri $DEBIAN >> $CMD_LOG 2>&1
+ if [ $? -eq 0 ]
+ then
+ DEL_LOG=0
+ fi
+done
+
for f in jessie-updates/binary-amd64/*
do
echo "security: $f"
@@ -115,6 +154,17 @@ do
fi
done
+for f in stretch-updates/binary-armhf/*
+do
+ echo "security: $f"
+ $CMD --os "Debian 9.0" --arch "armhf" --file $f --security \
+ --uri $DEBIAN >> $CMD_LOG 2>&1
+ if [ $? -eq 0 ]
+ then
+ DEL_LOG=0
+ fi
+done
+
for f in jessie-updates/binary-armhf/*
do
echo "security: $f"
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index a8f50169a..f4da67e8a 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -1,4 +1,4 @@
-/* C code produced by gperf version 3.0.4 */
+/* ANSI-C code produced by gperf version 3.1 */
/* Command-line: /usr/bin/gperf -m 10 -C -G -D -t */
/* Computed positions: -k'2-3,6,$' */
@@ -26,7 +26,7 @@
&& ('w' == 119) && ('x' == 120) && ('y' == 121) && ('z' == 122) \
&& ('{' == 123) && ('|' == 124) && ('}' == 125) && ('~' == 126))
/* The character set is not based on ISO-646. */
-error "gperf generated tables don't work with this execution character set. Please report a bug to <bug-gnu-gperf@gnu.org>."
+#error "gperf generated tables don't work with this execution character set. Please report a bug to <bug-gperf@gnu.org>."
#endif
@@ -70,9 +70,7 @@ inline
#endif
#endif
static unsigned int
-hash (str, len)
- register const char *str;
- register unsigned int len;
+hash (register const char *str, register size_t len)
{
static const unsigned short asso_values[] =
{
@@ -103,7 +101,7 @@ hash (str, len)
258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
258, 258, 258, 258, 258, 258
};
- register int hval = len;
+ register unsigned int hval = len;
switch (hval)
{
@@ -296,22 +294,14 @@ static const short lookup[] =
138, -1, -1, -1, -1, -1, -1, 139
};
-#ifdef __GNUC__
-__inline
-#if defined __GNUC_STDC_INLINE__ || defined __GNUC_GNU_INLINE__
-__attribute__ ((__gnu_inline__))
-#endif
-#endif
const struct kw_entry *
-in_word_set (str, len)
- register const char *str;
- register unsigned int len;
+in_word_set (register const char *str, register size_t len)
{
if (len <= MAX_WORD_LENGTH && len >= MIN_WORD_LENGTH)
{
- register int key = hash (str, len);
+ register unsigned int key = hash (str, len);
- if (key <= MAX_HASH_VALUE && key >= 0)
+ if (key <= MAX_HASH_VALUE)
{
register int index = lookup[key];
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index d017134d9..c987f187d 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -197,7 +197,7 @@ struct kw_entry_t {
};
#ifndef IN_GPERF_GENERATED_FILE
-const kw_entry_t *in_word_set(register const char*, register unsigned);
+const kw_entry_t *in_word_set(register const char*, register size_t);
#endif
#endif /* _KEYWORDS_H_ */
diff --git a/src/starter/parser/lexer.c b/src/starter/parser/lexer.c
index ff7c75bb7..9fb25e1ee 100644
--- a/src/starter/parser/lexer.c
+++ b/src/starter/parser/lexer.c
@@ -7,7 +7,6 @@
/* A lexical scanner generated by flex */
/* %not-for-header */
-
/* %if-c-only */
/* %if-not-reentrant */
/* %endif */
@@ -17,7 +16,7 @@
#define FLEX_SCANNER
#define YY_FLEX_MAJOR_VERSION 2
#define YY_FLEX_MINOR_VERSION 6
-#define YY_FLEX_SUBMINOR_VERSION 0
+#define YY_FLEX_SUBMINOR_VERSION 4
#if YY_FLEX_SUBMINOR_VERSION > 0
#define FLEX_BETA
#endif
@@ -26,9 +25,230 @@
/* %endif */
/* %if-c-only */
-
+#ifdef yy_create_buffer
+#define conf_parser__create_buffer_ALREADY_DEFINED
+#else
+#define yy_create_buffer conf_parser__create_buffer
+#endif
+
+#ifdef yy_delete_buffer
+#define conf_parser__delete_buffer_ALREADY_DEFINED
+#else
+#define yy_delete_buffer conf_parser__delete_buffer
+#endif
+
+#ifdef yy_scan_buffer
+#define conf_parser__scan_buffer_ALREADY_DEFINED
+#else
+#define yy_scan_buffer conf_parser__scan_buffer
+#endif
+
+#ifdef yy_scan_string
+#define conf_parser__scan_string_ALREADY_DEFINED
+#else
+#define yy_scan_string conf_parser__scan_string
+#endif
+
+#ifdef yy_scan_bytes
+#define conf_parser__scan_bytes_ALREADY_DEFINED
+#else
+#define yy_scan_bytes conf_parser__scan_bytes
+#endif
+
+#ifdef yy_init_buffer
+#define conf_parser__init_buffer_ALREADY_DEFINED
+#else
+#define yy_init_buffer conf_parser__init_buffer
+#endif
+
+#ifdef yy_flush_buffer
+#define conf_parser__flush_buffer_ALREADY_DEFINED
+#else
+#define yy_flush_buffer conf_parser__flush_buffer
+#endif
+
+#ifdef yy_load_buffer_state
+#define conf_parser__load_buffer_state_ALREADY_DEFINED
+#else
+#define yy_load_buffer_state conf_parser__load_buffer_state
+#endif
+
+#ifdef yy_switch_to_buffer
+#define conf_parser__switch_to_buffer_ALREADY_DEFINED
+#else
+#define yy_switch_to_buffer conf_parser__switch_to_buffer
+#endif
+
+#ifdef yypush_buffer_state
+#define conf_parser_push_buffer_state_ALREADY_DEFINED
+#else
+#define yypush_buffer_state conf_parser_push_buffer_state
+#endif
+
+#ifdef yypop_buffer_state
+#define conf_parser_pop_buffer_state_ALREADY_DEFINED
+#else
+#define yypop_buffer_state conf_parser_pop_buffer_state
+#endif
+
+#ifdef yyensure_buffer_stack
+#define conf_parser_ensure_buffer_stack_ALREADY_DEFINED
+#else
+#define yyensure_buffer_stack conf_parser_ensure_buffer_stack
+#endif
+
+#ifdef yylex
+#define conf_parser_lex_ALREADY_DEFINED
+#else
+#define yylex conf_parser_lex
+#endif
+
+#ifdef yyrestart
+#define conf_parser_restart_ALREADY_DEFINED
+#else
+#define yyrestart conf_parser_restart
+#endif
+
+#ifdef yylex_init
+#define conf_parser_lex_init_ALREADY_DEFINED
+#else
+#define yylex_init conf_parser_lex_init
+#endif
+
+#ifdef yylex_init_extra
+#define conf_parser_lex_init_extra_ALREADY_DEFINED
+#else
+#define yylex_init_extra conf_parser_lex_init_extra
+#endif
+
+#ifdef yylex_destroy
+#define conf_parser_lex_destroy_ALREADY_DEFINED
+#else
+#define yylex_destroy conf_parser_lex_destroy
+#endif
+
+#ifdef yyget_debug
+#define conf_parser_get_debug_ALREADY_DEFINED
+#else
+#define yyget_debug conf_parser_get_debug
+#endif
+
+#ifdef yyset_debug
+#define conf_parser_set_debug_ALREADY_DEFINED
+#else
+#define yyset_debug conf_parser_set_debug
+#endif
+
+#ifdef yyget_extra
+#define conf_parser_get_extra_ALREADY_DEFINED
+#else
+#define yyget_extra conf_parser_get_extra
+#endif
+
+#ifdef yyset_extra
+#define conf_parser_set_extra_ALREADY_DEFINED
+#else
+#define yyset_extra conf_parser_set_extra
+#endif
+
+#ifdef yyget_in
+#define conf_parser_get_in_ALREADY_DEFINED
+#else
+#define yyget_in conf_parser_get_in
+#endif
+
+#ifdef yyset_in
+#define conf_parser_set_in_ALREADY_DEFINED
+#else
+#define yyset_in conf_parser_set_in
+#endif
+
+#ifdef yyget_out
+#define conf_parser_get_out_ALREADY_DEFINED
+#else
+#define yyget_out conf_parser_get_out
+#endif
+
+#ifdef yyset_out
+#define conf_parser_set_out_ALREADY_DEFINED
+#else
+#define yyset_out conf_parser_set_out
+#endif
+
+#ifdef yyget_leng
+#define conf_parser_get_leng_ALREADY_DEFINED
+#else
+#define yyget_leng conf_parser_get_leng
+#endif
+
+#ifdef yyget_text
+#define conf_parser_get_text_ALREADY_DEFINED
+#else
+#define yyget_text conf_parser_get_text
+#endif
+
+#ifdef yyget_lineno
+#define conf_parser_get_lineno_ALREADY_DEFINED
+#else
+#define yyget_lineno conf_parser_get_lineno
+#endif
+
+#ifdef yyset_lineno
+#define conf_parser_set_lineno_ALREADY_DEFINED
+#else
+#define yyset_lineno conf_parser_set_lineno
+#endif
+
+#ifdef yyget_column
+#define conf_parser_get_column_ALREADY_DEFINED
+#else
+#define yyget_column conf_parser_get_column
+#endif
+
+#ifdef yyset_column
+#define conf_parser_set_column_ALREADY_DEFINED
+#else
+#define yyset_column conf_parser_set_column
+#endif
+
+#ifdef yywrap
+#define conf_parser_wrap_ALREADY_DEFINED
+#else
+#define yywrap conf_parser_wrap
+#endif
+
/* %endif */
+#ifdef yyget_lval
+#define conf_parser_get_lval_ALREADY_DEFINED
+#else
+#define yyget_lval conf_parser_get_lval
+#endif
+
+#ifdef yyset_lval
+#define conf_parser_set_lval_ALREADY_DEFINED
+#else
+#define yyset_lval conf_parser_set_lval
+#endif
+
+#ifdef yyalloc
+#define conf_parser_alloc_ALREADY_DEFINED
+#else
+#define yyalloc conf_parser_alloc
+#endif
+
+#ifdef yyrealloc
+#define conf_parser_realloc_ALREADY_DEFINED
+#else
+#define yyrealloc conf_parser_realloc
+#endif
+
+#ifdef yyfree
+#define conf_parser_free_ALREADY_DEFINED
+#else
+#define yyfree conf_parser_free
+#endif
+
/* %if-c-only */
/* %endif */
@@ -108,50 +328,39 @@ typedef unsigned int flex_uint32_t;
#define UINT32_MAX (4294967295U)
#endif
+#ifndef SIZE_MAX
+#define SIZE_MAX (~(size_t)0)
+#endif
+
#endif /* ! C99 */
#endif /* ! FLEXINT_H */
/* %endif */
+/* begin standard C++ headers. */
/* %if-c++-only */
/* %endif */
-#ifdef __cplusplus
-
-/* The "const" storage-class-modifier is valid. */
-#define YY_USE_CONST
-
-#else /* ! __cplusplus */
-
-/* C99 requires __STDC__ to be defined as 1. */
-#if defined (__STDC__)
-
-#define YY_USE_CONST
-
-#endif /* defined (__STDC__) */
-#endif /* ! __cplusplus */
-
-#ifdef YY_USE_CONST
+/* TODO: this is always defined, so inline it */
#define yyconst const
+
+#if defined(__GNUC__) && __GNUC__ >= 3
+#define yynoreturn __attribute__((__noreturn__))
#else
-#define yyconst
+#define yynoreturn
#endif
/* %not-for-header */
-
/* Returned upon end-of-file. */
#define YY_NULL 0
/* %ok-for-header */
/* %not-for-header */
-
-/* Promotes a possibly negative, possibly signed char to an unsigned
- * integer for use as an array index. If the signed char is negative,
- * we want to instead treat it as an 8-bit unsigned char, hence the
- * double cast.
+/* Promotes a possibly negative, possibly signed char to an
+ * integer in range [0..255] for use as an array index.
*/
-#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c)
+#define YY_SC_TO_UI(c) ((YY_CHAR) (c))
/* %ok-for-header */
/* %if-reentrant */
@@ -183,20 +392,16 @@ typedef void* yyscan_t;
* definition of BEGIN.
*/
#define BEGIN yyg->yy_start = 1 + 2 *
-
/* Translate the current start state into a value that can be later handed
* to BEGIN to return to the state. The YYSTATE alias is for lex
* compatibility.
*/
#define YY_START ((yyg->yy_start - 1) / 2)
#define YYSTATE YY_START
-
/* Action number for EOF rule of a given start state. */
#define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
-
/* Special action meaning "start processing a new file". */
-#define YY_NEW_FILE conf_parser_restart(yyin ,yyscanner )
-
+#define YY_NEW_FILE yyrestart( yyin , yyscanner )
#define YY_END_OF_BUFFER_CHAR 0
/* Size of default input buffer. */
@@ -237,10 +442,10 @@ typedef size_t yy_size_t;
#define EOB_ACT_CONTINUE_SCAN 0
#define EOB_ACT_END_OF_FILE 1
#define EOB_ACT_LAST_MATCH 2
-
+
/* Note: We specifically omit the test for yy_rule_can_match_eol because it requires
* access to the local variable yy_act. Since yyless() is a macro, it would break
- * existing scanners that call yyless() from OUTSIDE conf_parser_lex.
+ * existing scanners that call yyless() from OUTSIDE yylex.
* One obvious solution it to make yy_act a global. I tried that, and saw
* a 5% performance hit in a non-yylineno scanner, because yy_act is
* normally declared as a register variable-- so it is not worth it.
@@ -273,7 +478,6 @@ typedef size_t yy_size_t;
YY_DO_BEFORE_ACTION; /* set up yytext again */ \
} \
while ( 0 )
-
#define unput(c) yyunput( c, yyg->yytext_ptr , yyscanner )
#ifndef YY_STRUCT_YY_BUFFER_STATE
@@ -293,7 +497,7 @@ struct yy_buffer_state
/* Size of input buffer in bytes, not including room for EOB
* characters.
*/
- yy_size_t yy_buf_size;
+ int yy_buf_size;
/* Number of characters read into yy_ch_buf, not including EOB
* characters.
@@ -321,7 +525,7 @@ struct yy_buffer_state
int yy_bs_lineno; /**< The line count. */
int yy_bs_column; /**< The column count. */
-
+
/* Whether to try to fill the input buffer when we reach the
* end of it.
*/
@@ -338,7 +542,7 @@ struct yy_buffer_state
* possible backing-up.
*
* When we actually see the EOF, we change the status to "new"
- * (via conf_parser_restart()), so that the user can continue scanning by
+ * (via yyrestart()), so that the user can continue scanning by
* just pointing yyin at a new input file.
*/
#define YY_BUFFER_EOF_PENDING 2
@@ -348,7 +552,6 @@ struct yy_buffer_state
/* %if-c-only Standard (non-C++) definition */
/* %not-for-header */
-
/* %if-not-reentrant */
/* %endif */
/* %ok-for-header */
@@ -364,7 +567,6 @@ struct yy_buffer_state
#define YY_CURRENT_BUFFER ( yyg->yy_buffer_stack \
? yyg->yy_buffer_stack[yyg->yy_buffer_stack_top] \
: NULL)
-
/* Same as previous macro, but useful when we know that the buffer stack is not
* NULL or when we need an lvalue. For internal use only.
*/
@@ -374,57 +576,52 @@ struct yy_buffer_state
/* %if-not-reentrant */
/* %not-for-header */
-
/* %ok-for-header */
/* %endif */
-void conf_parser_restart (FILE *input_file ,yyscan_t yyscanner );
-void conf_parser__switch_to_buffer (YY_BUFFER_STATE new_buffer ,yyscan_t yyscanner );
-YY_BUFFER_STATE conf_parser__create_buffer (FILE *file,int size ,yyscan_t yyscanner );
-void conf_parser__delete_buffer (YY_BUFFER_STATE b ,yyscan_t yyscanner );
-void conf_parser__flush_buffer (YY_BUFFER_STATE b ,yyscan_t yyscanner );
-void conf_parser_push_buffer_state (YY_BUFFER_STATE new_buffer ,yyscan_t yyscanner );
-void conf_parser_pop_buffer_state (yyscan_t yyscanner );
-
-static void conf_parser_ensure_buffer_stack (yyscan_t yyscanner );
-static void conf_parser__load_buffer_state (yyscan_t yyscanner );
-static void conf_parser__init_buffer (YY_BUFFER_STATE b,FILE *file ,yyscan_t yyscanner );
+void yyrestart ( FILE *input_file , yyscan_t yyscanner );
+void yy_switch_to_buffer ( YY_BUFFER_STATE new_buffer , yyscan_t yyscanner );
+YY_BUFFER_STATE yy_create_buffer ( FILE *file, int size , yyscan_t yyscanner );
+void yy_delete_buffer ( YY_BUFFER_STATE b , yyscan_t yyscanner );
+void yy_flush_buffer ( YY_BUFFER_STATE b , yyscan_t yyscanner );
+void yypush_buffer_state ( YY_BUFFER_STATE new_buffer , yyscan_t yyscanner );
+void yypop_buffer_state ( yyscan_t yyscanner );
-#define YY_FLUSH_BUFFER conf_parser__flush_buffer(YY_CURRENT_BUFFER ,yyscanner)
+static void yyensure_buffer_stack ( yyscan_t yyscanner );
+static void yy_load_buffer_state ( yyscan_t yyscanner );
+static void yy_init_buffer ( YY_BUFFER_STATE b, FILE *file , yyscan_t yyscanner );
+#define YY_FLUSH_BUFFER yy_flush_buffer( YY_CURRENT_BUFFER , yyscanner)
-YY_BUFFER_STATE conf_parser__scan_buffer (char *base,yy_size_t size ,yyscan_t yyscanner );
-YY_BUFFER_STATE conf_parser__scan_string (yyconst char *yy_str ,yyscan_t yyscanner );
-YY_BUFFER_STATE conf_parser__scan_bytes (yyconst char *bytes,yy_size_t len ,yyscan_t yyscanner );
+YY_BUFFER_STATE yy_scan_buffer ( char *base, yy_size_t size , yyscan_t yyscanner );
+YY_BUFFER_STATE yy_scan_string ( const char *yy_str , yyscan_t yyscanner );
+YY_BUFFER_STATE yy_scan_bytes ( const char *bytes, int len , yyscan_t yyscanner );
/* %endif */
-void *conf_parser_alloc (yy_size_t ,yyscan_t yyscanner );
-void *conf_parser_realloc (void *,yy_size_t ,yyscan_t yyscanner );
-void conf_parser_free (void * ,yyscan_t yyscanner );
-
-#define yy_new_buffer conf_parser__create_buffer
+void *yyalloc ( yy_size_t , yyscan_t yyscanner );
+void *yyrealloc ( void *, yy_size_t , yyscan_t yyscanner );
+void yyfree ( void * , yyscan_t yyscanner );
+#define yy_new_buffer yy_create_buffer
#define yy_set_interactive(is_interactive) \
{ \
if ( ! YY_CURRENT_BUFFER ){ \
- conf_parser_ensure_buffer_stack (yyscanner); \
+ yyensure_buffer_stack (yyscanner); \
YY_CURRENT_BUFFER_LVALUE = \
- conf_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner); \
+ yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner); \
} \
YY_CURRENT_BUFFER_LVALUE->yy_is_interactive = is_interactive; \
}
-
#define yy_set_bol(at_bol) \
{ \
if ( ! YY_CURRENT_BUFFER ){\
- conf_parser_ensure_buffer_stack (yyscanner); \
+ yyensure_buffer_stack (yyscanner); \
YY_CURRENT_BUFFER_LVALUE = \
- conf_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner); \
+ yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner); \
} \
YY_CURRENT_BUFFER_LVALUE->yy_at_bol = at_bol; \
}
-
#define YY_AT_BOL() (YY_CURRENT_BUFFER_LVALUE->yy_at_bol)
/* %% [1.0] yytext/yyin/yyout/yy_state_type/yylineno etc. def's & init go here */
@@ -434,8 +631,7 @@ void conf_parser_free (void * ,yyscan_t yyscanner );
#define YY_SKIP_YYWRAP
#define FLEX_DEBUG
-
-typedef unsigned char YY_CHAR;
+typedef flex_uint8_t YY_CHAR;
typedef int yy_state_type;
@@ -445,13 +641,10 @@ typedef int yy_state_type;
/* %if-c-only Standard (non-C++) definition */
-static yy_state_type yy_get_previous_state (yyscan_t yyscanner );
-static yy_state_type yy_try_NUL_trans (yy_state_type current_state ,yyscan_t yyscanner);
-static int yy_get_next_buffer (yyscan_t yyscanner );
-#if defined(__GNUC__) && __GNUC__ >= 3
-__attribute__((__noreturn__))
-#endif
-static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner );
+static yy_state_type yy_get_previous_state ( yyscan_t yyscanner );
+static yy_state_type yy_try_NUL_trans ( yy_state_type current_state , yyscan_t yyscanner);
+static int yy_get_next_buffer ( yyscan_t yyscanner );
+static void yynoreturn yy_fatal_error ( const char* msg , yyscan_t yyscanner );
/* %endif */
@@ -461,12 +654,11 @@ static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner );
#define YY_DO_BEFORE_ACTION \
yyg->yytext_ptr = yy_bp; \
/* %% [2.0] code to fiddle yytext and yyleng for yymore() goes here \ */\
- yyleng = (size_t) (yy_cp - yy_bp); \
+ yyleng = (int) (yy_cp - yy_bp); \
yyg->yy_hold_char = *yy_cp; \
*yy_cp = '\0'; \
/* %% [3.0] code to copy yytext_ptr to yytext[] goes here, if %array \ */\
yyg->yy_c_buf_p = yy_cp;
-
/* %% [4.0] data tables for the DFA and the user's section 1 definitions go here */
#define YY_NUM_RULES 26
#define YY_END_OF_BUFFER 27
@@ -477,7 +669,7 @@ struct yy_trans_info
flex_int32_t yy_verify;
flex_int32_t yy_nxt;
};
-static yyconst flex_int16_t yy_accept[80] =
+static const flex_int16_t yy_accept[80] =
{ 0,
0, 0, 0, 0, 0, 0, 27, 12, 3, 5,
11, 4, 6, 12, 12, 2, 12, 12, 17, 13,
@@ -489,7 +681,7 @@ static yyconst flex_int16_t yy_accept[80] =
0, 1, 10, 10, 0, 0, 0, 7, 0
} ;
-static yyconst YY_CHAR yy_ec[256] =
+static const YY_CHAR yy_ec[256] =
{ 0,
1, 1, 1, 1, 1, 1, 1, 1, 2, 3,
1, 1, 4, 1, 1, 1, 1, 1, 1, 1,
@@ -521,14 +713,14 @@ static yyconst YY_CHAR yy_ec[256] =
1, 1, 1, 1, 1
} ;
-static yyconst YY_CHAR yy_meta[28] =
+static const YY_CHAR yy_meta[28] =
{ 0,
1, 2, 3, 1, 2, 4, 2, 5, 1, 6,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1
} ;
-static yyconst flex_uint16_t yy_base[91] =
+static const flex_int16_t yy_base[91] =
{ 0,
0, 16, 41, 50, 4, 5, 101, 0, 24, 184,
184, 0, 184, 92, 79, 32, 16, 83, 0, 184,
@@ -541,7 +733,7 @@ static yyconst flex_uint16_t yy_base[91] =
125, 131, 137, 143, 149, 154, 159, 165, 171, 177
} ;
-static yyconst flex_int16_t yy_def[91] =
+static const flex_int16_t yy_def[91] =
{ 0,
80, 80, 81, 81, 82, 82, 79, 83, 79, 79,
79, 84, 79, 83, 83, 79, 83, 83, 85, 79,
@@ -554,7 +746,7 @@ static yyconst flex_int16_t yy_def[91] =
79, 79, 79, 79, 79, 79, 79, 79, 79, 79
} ;
-static yyconst flex_uint16_t yy_nxt[212] =
+static const flex_int16_t yy_nxt[212] =
{ 0,
79, 9, 10, 79, 9, 11, 12, 13, 14, 24,
24, 79, 79, 25, 25, 52, 15, 16, 10, 53,
@@ -582,7 +774,7 @@ static yyconst flex_uint16_t yy_nxt[212] =
79
} ;
-static yyconst flex_int16_t yy_chk[212] =
+static const flex_int16_t yy_chk[212] =
{ 0,
0, 1, 1, 0, 1, 1, 1, 1, 1, 5,
6, 0, 0, 5, 6, 48, 1, 2, 2, 48,
@@ -611,16 +803,16 @@ static yyconst flex_int16_t yy_chk[212] =
} ;
/* Table of booleans, true if rule could match eol. */
-static yyconst flex_int32_t yy_rule_can_match_eol[27] =
+static const flex_int32_t yy_rule_can_match_eol[27] =
{ 0,
0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0,
0, 0, 0, 1, 0, 1, 0, };
-static yyconst flex_int16_t yy_rule_linenum[26] =
+static const flex_int16_t yy_rule_linenum[26] =
{ 0,
- 60, 61, 62, 63, 65, 67, 68, 69, 70, 72,
- 77, 82, 90, 109, 112, 115, 118, 124, 126, 145,
- 146, 147, 148, 149, 150
+ 65, 66, 67, 68, 70, 72, 73, 74, 75, 77,
+ 82, 87, 95, 114, 117, 120, 123, 129, 131, 150,
+ 151, 152, 153, 154, 155
} ;
/* The intent behind this definition is that it'll catch
@@ -656,9 +848,13 @@ bool conf_parser_open_next_file(parser_helper_t *ctx);
static void include_files(parser_helper_t *ctx);
+#line 852 "parser/lexer.c"
/* use start conditions stack */
/* do not declare unneeded functions */
#define YY_NO_INPUT 1
+/* do not include unistd.h as it might conflict with our scanner states */
+#define YY_NO_UNISTD_H 1
+/* due to that disable interactive mode, which requires isatty() */
/* don't use global variables, and interact properly with bison */
/* maintain the line number */
/* don't generate a default rule */
@@ -669,7 +865,7 @@ static void include_files(parser_helper_t *ctx);
/* state used to scan quoted strings */
-#line 673 "parser/lexer.c"
+#line 869 "parser/lexer.c"
#define INITIAL 0
#define inc 1
@@ -706,7 +902,7 @@ struct yyguts_t
YY_BUFFER_STATE * yy_buffer_stack; /**< Stack as an array. */
char yy_hold_char;
int yy_n_chars;
- yy_size_t yyleng_r;
+ int yyleng_r;
char *yy_c_buf_p;
int yy_init;
int yy_start;
@@ -730,7 +926,7 @@ struct yyguts_t
/* %if-c-only */
-static int yy_init_globals (yyscan_t yyscanner );
+static int yy_init_globals ( yyscan_t yyscanner );
/* %endif */
@@ -740,9 +936,9 @@ static int yy_init_globals (yyscan_t yyscanner );
* from bison output in section 1.*/
# define yylval yyg->yylval_r
-int conf_parser_lex_init (yyscan_t* scanner);
+int yylex_init (yyscan_t* scanner);
-int conf_parser_lex_init_extra (YY_EXTRA_TYPE user_defined,yyscan_t* scanner);
+int yylex_init_extra ( YY_EXTRA_TYPE user_defined, yyscan_t* scanner);
/* %endif */
@@ -751,41 +947,41 @@ int conf_parser_lex_init_extra (YY_EXTRA_TYPE user_defined,yyscan_t* scanner);
/* Accessor methods to globals.
These are made visible to non-reentrant scanners for convenience. */
-int conf_parser_lex_destroy (yyscan_t yyscanner );
+int yylex_destroy ( yyscan_t yyscanner );
-int conf_parser_get_debug (yyscan_t yyscanner );
+int yyget_debug ( yyscan_t yyscanner );
-void conf_parser_set_debug (int debug_flag ,yyscan_t yyscanner );
+void yyset_debug ( int debug_flag , yyscan_t yyscanner );
-YY_EXTRA_TYPE conf_parser_get_extra (yyscan_t yyscanner );
+YY_EXTRA_TYPE yyget_extra ( yyscan_t yyscanner );
-void conf_parser_set_extra (YY_EXTRA_TYPE user_defined ,yyscan_t yyscanner );
+void yyset_extra ( YY_EXTRA_TYPE user_defined , yyscan_t yyscanner );
-FILE *conf_parser_get_in (yyscan_t yyscanner );
+FILE *yyget_in ( yyscan_t yyscanner );
-void conf_parser_set_in (FILE * _in_str ,yyscan_t yyscanner );
+void yyset_in ( FILE * _in_str , yyscan_t yyscanner );
-FILE *conf_parser_get_out (yyscan_t yyscanner );
+FILE *yyget_out ( yyscan_t yyscanner );
-void conf_parser_set_out (FILE * _out_str ,yyscan_t yyscanner );
+void yyset_out ( FILE * _out_str , yyscan_t yyscanner );
-yy_size_t conf_parser_get_leng (yyscan_t yyscanner );
+ int yyget_leng ( yyscan_t yyscanner );
-char *conf_parser_get_text (yyscan_t yyscanner );
+char *yyget_text ( yyscan_t yyscanner );
-int conf_parser_get_lineno (yyscan_t yyscanner );
+int yyget_lineno ( yyscan_t yyscanner );
-void conf_parser_set_lineno (int _line_number ,yyscan_t yyscanner );
+void yyset_lineno ( int _line_number , yyscan_t yyscanner );
-int conf_parser_get_column (yyscan_t yyscanner );
+int yyget_column ( yyscan_t yyscanner );
-void conf_parser_set_column (int _column_no ,yyscan_t yyscanner );
+void yyset_column ( int _column_no , yyscan_t yyscanner );
/* %if-bison-bridge */
-YYSTYPE * conf_parser_get_lval (yyscan_t yyscanner );
+YYSTYPE * yyget_lval ( yyscan_t yyscanner );
-void conf_parser_set_lval (YYSTYPE * yylval_param ,yyscan_t yyscanner );
+void yyset_lval ( YYSTYPE * yylval_param , yyscan_t yyscanner );
/* %endif */
@@ -795,17 +991,16 @@ void conf_parser_set_lval (YYSTYPE * yylval_param ,yyscan_t yyscanner );
#ifndef YY_SKIP_YYWRAP
#ifdef __cplusplus
-extern "C" int conf_parser_wrap (yyscan_t yyscanner );
+extern "C" int yywrap ( yyscan_t yyscanner );
#else
-extern int conf_parser_wrap (yyscan_t yyscanner );
+extern int yywrap ( yyscan_t yyscanner );
#endif
#endif
/* %not-for-header */
-
#ifndef YY_NO_UNPUT
- static void yyunput (int c,char *buf_ptr ,yyscan_t yyscanner);
+ static void yyunput ( int c, char *buf_ptr , yyscan_t yyscanner);
#endif
/* %ok-for-header */
@@ -813,21 +1008,20 @@ extern int conf_parser_wrap (yyscan_t yyscanner );
/* %endif */
#ifndef yytext_ptr
-static void yy_flex_strncpy (char *,yyconst char *,int ,yyscan_t yyscanner);
+static void yy_flex_strncpy ( char *, const char *, int , yyscan_t yyscanner);
#endif
#ifdef YY_NEED_STRLEN
-static int yy_flex_strlen (yyconst char * ,yyscan_t yyscanner);
+static int yy_flex_strlen ( const char * , yyscan_t yyscanner);
#endif
#ifndef YY_NO_INPUT
/* %if-c-only Standard (non-C++) definition */
/* %not-for-header */
-
#ifdef __cplusplus
-static int yyinput (yyscan_t yyscanner );
+static int yyinput ( yyscan_t yyscanner );
#else
-static int input (yyscan_t yyscanner );
+static int input ( yyscan_t yyscanner );
#endif
/* %ok-for-header */
@@ -836,11 +1030,11 @@ static int input (yyscan_t yyscanner );
/* %if-c-only */
- static void yy_push_state (int _new_state ,yyscan_t yyscanner);
+ static void yy_push_state ( int _new_state , yyscan_t yyscanner);
- static void yy_pop_state (yyscan_t yyscanner );
+ static void yy_pop_state ( yyscan_t yyscanner );
- static int yy_top_state (yyscan_t yyscanner );
+ static int yy_top_state ( yyscan_t yyscanner );
/* %endif */
@@ -860,7 +1054,7 @@ static int input (yyscan_t yyscanner );
/* This used to be an fputs(), but since the string might contain NUL's,
* we now use fwrite().
*/
-#define ECHO do { if (fwrite( yytext, yyleng, 1, yyout )) {} } while (0)
+#define ECHO do { if (fwrite( yytext, (size_t) yyleng, 1, yyout )) {} } while (0)
/* %endif */
/* %if-c++-only C++ definition */
/* %endif */
@@ -875,7 +1069,7 @@ static int input (yyscan_t yyscanner );
if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
{ \
int c = '*'; \
- size_t n; \
+ int n; \
for ( n = 0; n < max_size && \
(c = getc( yyin )) != EOF && c != '\n'; ++n ) \
buf[n] = (char) c; \
@@ -888,7 +1082,7 @@ static int input (yyscan_t yyscanner );
else \
{ \
errno=0; \
- while ( (result = fread(buf, 1, max_size, yyin))==0 && ferror(yyin)) \
+ while ( (result = (int) fread(buf, 1, (yy_size_t) max_size, yyin)) == 0 && ferror(yyin)) \
{ \
if( errno != EINTR) \
{ \
@@ -929,11 +1123,9 @@ static int input (yyscan_t yyscanner );
/* %if-tables-serialization structures and prototypes */
/* %not-for-header */
-
/* %ok-for-header */
/* %not-for-header */
-
/* %tables-yydmap generated elements */
/* %endif */
/* end tables serialization structures and prototypes */
@@ -947,10 +1139,10 @@ static int input (yyscan_t yyscanner );
#define YY_DECL_IS_OURS 1
/* %if-c-only Standard (non-C++) definition */
-extern int conf_parser_lex \
- (YYSTYPE * yylval_param ,yyscan_t yyscanner);
+extern int yylex \
+ (YYSTYPE * yylval_param , yyscan_t yyscanner);
-#define YY_DECL int conf_parser_lex \
+#define YY_DECL int yylex \
(YYSTYPE * yylval_param , yyscan_t yyscanner)
/* %endif */
/* %if-c++-only C++ definition */
@@ -977,7 +1169,6 @@ extern int conf_parser_lex \
YY_USER_ACTION
/* %not-for-header */
-
/** The main scanner function which does all the work.
*/
YY_DECL
@@ -1015,20 +1206,20 @@ YY_DECL
/* %endif */
if ( ! YY_CURRENT_BUFFER ) {
- conf_parser_ensure_buffer_stack (yyscanner);
+ yyensure_buffer_stack (yyscanner);
YY_CURRENT_BUFFER_LVALUE =
- conf_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner);
+ yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner);
}
- conf_parser__load_buffer_state(yyscanner );
+ yy_load_buffer_state( yyscanner );
}
{
/* %% [7.0] user's declarations go here */
-#line 58 "parser/lexer.l"
+#line 63 "parser/lexer.l"
-#line 1032 "parser/lexer.c"
+#line 1223 "parser/lexer.c"
while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */
{
@@ -1059,22 +1250,18 @@ yy_match:
{
yy_current_state = (int) yy_def[yy_current_state];
if ( yy_current_state >= 80 )
- yy_c = yy_meta[(unsigned int) yy_c];
+ yy_c = yy_meta[yy_c];
}
- yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+ yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
++yy_cp;
}
- while ( yy_base[yy_current_state] != 184 );
+ while ( yy_current_state != 79 );
+ yy_cp = yyg->yy_last_accepting_cpos;
+ yy_current_state = yyg->yy_last_accepting_state;
yy_find_action:
/* %% [10.0] code to find the action number goes here */
yy_act = yy_accept[yy_current_state];
- if ( yy_act == 0 )
- { /* have to back up */
- yy_cp = yyg->yy_last_accepting_cpos;
- yy_current_state = yyg->yy_last_accepting_state;
- yy_act = yy_accept[yy_current_state];
- }
YY_DO_BEFORE_ACTION;
@@ -1082,10 +1269,10 @@ yy_find_action:
if ( yy_act != YY_END_OF_BUFFER && yy_rule_can_match_eol[yy_act] )
{
- yy_size_t yyl;
+ int yyl;
for ( yyl = 0; yyl < yyleng; ++yyl )
if ( yytext[yyl] == '\n' )
-
+
do{ yylineno++;
yycolumn=0;
}while(0)
@@ -1126,48 +1313,48 @@ case 1:
yyg->yy_c_buf_p = yy_cp -= 1;
YY_DO_BEFORE_ACTION; /* set up yytext again */
YY_RULE_SETUP
-#line 60 "parser/lexer.l"
+#line 65 "parser/lexer.l"
/* eat legacy version delcaration */
YY_BREAK
case 2:
YY_RULE_SETUP
-#line 61 "parser/lexer.l"
+#line 66 "parser/lexer.l"
return SPACES;
YY_BREAK
case 3:
YY_RULE_SETUP
-#line 62 "parser/lexer.l"
+#line 67 "parser/lexer.l"
/* eat other whitespace */
YY_BREAK
case 4:
YY_RULE_SETUP
-#line 63 "parser/lexer.l"
+#line 68 "parser/lexer.l"
/* eat comments */
YY_BREAK
case 5:
/* rule 5 can match eol */
YY_RULE_SETUP
-#line 65 "parser/lexer.l"
+#line 70 "parser/lexer.l"
return NEWLINE;
YY_BREAK
case 6:
YY_RULE_SETUP
-#line 67 "parser/lexer.l"
+#line 72 "parser/lexer.l"
return EQ;
YY_BREAK
case 7:
YY_RULE_SETUP
-#line 68 "parser/lexer.l"
+#line 73 "parser/lexer.l"
return CONFIG_SETUP;
YY_BREAK
case 8:
YY_RULE_SETUP
-#line 69 "parser/lexer.l"
+#line 74 "parser/lexer.l"
return CONN;
YY_BREAK
case 9:
YY_RULE_SETUP
-#line 70 "parser/lexer.l"
+#line 75 "parser/lexer.l"
return CA;
YY_BREAK
case 10:
@@ -1177,7 +1364,7 @@ YY_LINENO_REWIND_TO(yy_cp - 1);
yyg->yy_c_buf_p = yy_cp -= 1;
YY_DO_BEFORE_ACTION; /* set up yytext again */
YY_RULE_SETUP
-#line 72 "parser/lexer.l"
+#line 77 "parser/lexer.l"
{
yyextra->string_init(yyextra);
yy_push_state(inc, yyscanner);
@@ -1185,7 +1372,7 @@ YY_RULE_SETUP
YY_BREAK
case 11:
YY_RULE_SETUP
-#line 77 "parser/lexer.l"
+#line 82 "parser/lexer.l"
{
yyextra->string_init(yyextra);
yy_push_state(str, yyscanner);
@@ -1193,7 +1380,7 @@ YY_RULE_SETUP
YY_BREAK
case 12:
YY_RULE_SETUP
-#line 82 "parser/lexer.l"
+#line 87 "parser/lexer.l"
{
yylval->s = strdup(yytext);
return STRING;
@@ -1202,11 +1389,11 @@ YY_RULE_SETUP
/* we allow all characters except # and spaces, they can be escaped */
case YY_STATE_EOF(inc):
-#line 89 "parser/lexer.l"
+#line 94 "parser/lexer.l"
case 13:
/* rule 13 can match eol */
YY_RULE_SETUP
-#line 90 "parser/lexer.l"
+#line 95 "parser/lexer.l"
{
if (*yytext)
{
@@ -1229,28 +1416,28 @@ YY_RULE_SETUP
YY_BREAK
case 14:
YY_RULE_SETUP
-#line 109 "parser/lexer.l"
+#line 114 "parser/lexer.l"
{ /* string include */
yy_push_state(str, yyscanner);
}
YY_BREAK
case 15:
YY_RULE_SETUP
-#line 112 "parser/lexer.l"
+#line 117 "parser/lexer.l"
{
yyextra->string_add(yyextra, yytext);
}
YY_BREAK
case 16:
YY_RULE_SETUP
-#line 115 "parser/lexer.l"
+#line 120 "parser/lexer.l"
{
yyextra->string_add(yyextra, yytext+1);
}
YY_BREAK
case 17:
YY_RULE_SETUP
-#line 118 "parser/lexer.l"
+#line 123 "parser/lexer.l"
{
yyextra->string_add(yyextra, yytext);
}
@@ -1258,13 +1445,13 @@ YY_RULE_SETUP
case 18:
-#line 125 "parser/lexer.l"
+#line 130 "parser/lexer.l"
YY_RULE_SETUP
case YY_STATE_EOF(str):
-#line 125 "parser/lexer.l"
+#line 130 "parser/lexer.l"
case 19:
YY_RULE_SETUP
-#line 126 "parser/lexer.l"
+#line 131 "parser/lexer.l"
{
if (!streq(yytext, "\""))
{
@@ -1287,41 +1474,41 @@ YY_RULE_SETUP
YY_BREAK
case 20:
YY_RULE_SETUP
-#line 145 "parser/lexer.l"
+#line 150 "parser/lexer.l"
yyextra->string_add(yyextra, "\n");
YY_BREAK
case 21:
YY_RULE_SETUP
-#line 146 "parser/lexer.l"
+#line 151 "parser/lexer.l"
yyextra->string_add(yyextra, "\r");
YY_BREAK
case 22:
YY_RULE_SETUP
-#line 147 "parser/lexer.l"
+#line 152 "parser/lexer.l"
yyextra->string_add(yyextra, "\t");
YY_BREAK
case 23:
/* rule 23 can match eol */
YY_RULE_SETUP
-#line 148 "parser/lexer.l"
+#line 153 "parser/lexer.l"
/* merge lines that end with EOL characters */
YY_BREAK
case 24:
YY_RULE_SETUP
-#line 149 "parser/lexer.l"
+#line 154 "parser/lexer.l"
yyextra->string_add(yyextra, yytext+1);
YY_BREAK
case 25:
/* rule 25 can match eol */
YY_RULE_SETUP
-#line 150 "parser/lexer.l"
+#line 155 "parser/lexer.l"
{
yyextra->string_add(yyextra, yytext);
}
YY_BREAK
case YY_STATE_EOF(INITIAL):
-#line 155 "parser/lexer.l"
+#line 160 "parser/lexer.l"
{
conf_parser_pop_buffer_state(yyscanner);
if (!conf_parser_open_next_file(yyextra) && !YY_CURRENT_BUFFER)
@@ -1332,10 +1519,10 @@ case YY_STATE_EOF(INITIAL):
YY_BREAK
case 26:
YY_RULE_SETUP
-#line 163 "parser/lexer.l"
+#line 168 "parser/lexer.l"
YY_FATAL_ERROR( "flex scanner jammed" );
YY_BREAK
-#line 1339 "parser/lexer.c"
+#line 1526 "parser/lexer.c"
case YY_END_OF_BUFFER:
{
@@ -1351,7 +1538,7 @@ YY_FATAL_ERROR( "flex scanner jammed" );
/* We're scanning a new file or input source. It's
* possible that this happened because the user
* just pointed yyin at a new source and called
- * conf_parser_lex(). If so, then we have to assure
+ * yylex(). If so, then we have to assure
* consistency between YY_CURRENT_BUFFER and our
* globals. Here is the right place to do so, because
* this is the first action (other than possibly a
@@ -1405,7 +1592,8 @@ YY_FATAL_ERROR( "flex scanner jammed" );
else
{
/* %% [14.0] code to do back-up for compressed tables and set up yy_cp goes here */
- yy_cp = yyg->yy_c_buf_p;
+ yy_cp = yyg->yy_last_accepting_cpos;
+ yy_current_state = yyg->yy_last_accepting_state;
goto yy_find_action;
}
}
@@ -1416,7 +1604,7 @@ YY_FATAL_ERROR( "flex scanner jammed" );
{
yyg->yy_did_buffer_switch_on_eof = 0;
- if ( conf_parser_wrap(yyscanner ) )
+ if ( yywrap( yyscanner ) )
{
/* Note: because we've taken care in
* yy_get_next_buffer() to have set up
@@ -1470,12 +1658,11 @@ YY_FATAL_ERROR( "flex scanner jammed" );
} /* end of action switch */
} /* end of scanning one token */
} /* end of user's declarations */
-} /* end of conf_parser_lex */
+} /* end of yylex */
/* %ok-for-header */
/* %if-c++-only */
/* %not-for-header */
-
/* %ok-for-header */
/* %endif */
@@ -1496,7 +1683,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf;
char *source = yyg->yytext_ptr;
- yy_size_t number_to_move, i;
+ int number_to_move, i;
int ret_val;
if ( yyg->yy_c_buf_p > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[yyg->yy_n_chars + 1] )
@@ -1525,7 +1712,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
/* Try to read more data. */
/* First move last chars to start of buffer. */
- number_to_move = (yy_size_t) (yyg->yy_c_buf_p - yyg->yytext_ptr) - 1;
+ number_to_move = (int) (yyg->yy_c_buf_p - yyg->yytext_ptr - 1);
for ( i = 0; i < number_to_move; ++i )
*(dest++) = *(source++);
@@ -1538,7 +1725,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
else
{
- yy_size_t num_to_read =
+ int num_to_read =
YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
while ( num_to_read <= 0 )
@@ -1552,7 +1739,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
if ( b->yy_is_our_buffer )
{
- yy_size_t new_size = b->yy_buf_size * 2;
+ int new_size = b->yy_buf_size * 2;
if ( new_size <= 0 )
b->yy_buf_size += b->yy_buf_size / 8;
@@ -1561,11 +1748,12 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
b->yy_ch_buf = (char *)
/* Include room in for 2 EOB chars. */
- conf_parser_realloc((void *) b->yy_ch_buf,b->yy_buf_size + 2 ,yyscanner );
+ yyrealloc( (void *) b->yy_ch_buf,
+ (yy_size_t) (b->yy_buf_size + 2) , yyscanner );
}
else
/* Can't grow it, we don't own it. */
- b->yy_ch_buf = 0;
+ b->yy_ch_buf = NULL;
if ( ! b->yy_ch_buf )
YY_FATAL_ERROR(
@@ -1593,7 +1781,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
if ( number_to_move == YY_MORE_ADJ )
{
ret_val = EOB_ACT_END_OF_FILE;
- conf_parser_restart(yyin ,yyscanner);
+ yyrestart( yyin , yyscanner);
}
else
@@ -1607,12 +1795,15 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
else
ret_val = EOB_ACT_CONTINUE_SCAN;
- if ((int) (yyg->yy_n_chars + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) {
+ if ((yyg->yy_n_chars + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) {
/* Extend the array by 50%, plus the number we really need. */
int new_size = yyg->yy_n_chars + number_to_move + (yyg->yy_n_chars >> 1);
- YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) conf_parser_realloc((void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf,new_size ,yyscanner );
+ YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) yyrealloc(
+ (void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf, (yy_size_t) new_size , yyscanner );
if ( ! YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
YY_FATAL_ERROR( "out of dynamic memory in yy_get_next_buffer()" );
+ /* "- 2" to take care of EOB's */
+ YY_CURRENT_BUFFER_LVALUE->yy_buf_size = (int) (new_size - 2);
}
yyg->yy_n_chars += number_to_move;
@@ -1628,7 +1819,6 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
/* %if-c-only */
/* %not-for-header */
-
static yy_state_type yy_get_previous_state (yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
@@ -1655,9 +1845,9 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
{
yy_current_state = (int) yy_def[yy_current_state];
if ( yy_current_state >= 80 )
- yy_c = yy_meta[(unsigned int) yy_c];
+ yy_c = yy_meta[yy_c];
}
- yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+ yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
}
return yy_current_state;
@@ -1689,9 +1879,9 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
{
yy_current_state = (int) yy_def[yy_current_state];
if ( yy_current_state >= 80 )
- yy_c = yy_meta[(unsigned int) yy_c];
+ yy_c = yy_meta[yy_c];
}
- yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+ yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
yy_is_jam = (yy_current_state == 79);
(void)yyg;
@@ -1717,7 +1907,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
{ /* need to shift things up to make room */
/* +2 for EOB chars. */
- yy_size_t number_to_move = yyg->yy_n_chars + 2;
+ int number_to_move = yyg->yy_n_chars + 2;
char *dest = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[
YY_CURRENT_BUFFER_LVALUE->yy_buf_size + 2];
char *source =
@@ -1729,7 +1919,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
yy_cp += (int) (dest - source);
yy_bp += (int) (dest - source);
YY_CURRENT_BUFFER_LVALUE->yy_n_chars =
- yyg->yy_n_chars = YY_CURRENT_BUFFER_LVALUE->yy_buf_size;
+ yyg->yy_n_chars = (int) YY_CURRENT_BUFFER_LVALUE->yy_buf_size;
if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
YY_FATAL_ERROR( "flex scanner push-back overflow" );
@@ -1781,7 +1971,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
else
{ /* need more input */
- yy_size_t offset = yyg->yy_c_buf_p - yyg->yytext_ptr;
+ int offset = (int) (yyg->yy_c_buf_p - yyg->yytext_ptr);
++yyg->yy_c_buf_p;
switch ( yy_get_next_buffer( yyscanner ) )
@@ -1798,14 +1988,14 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
*/
/* Reset buffer status. */
- conf_parser_restart(yyin ,yyscanner);
+ yyrestart( yyin , yyscanner);
/*FALLTHROUGH*/
case EOB_ACT_END_OF_FILE:
{
- if ( conf_parser_wrap(yyscanner ) )
- return EOF;
+ if ( yywrap( yyscanner ) )
+ return 0;
if ( ! yyg->yy_did_buffer_switch_on_eof )
YY_NEW_FILE;
@@ -1830,7 +2020,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
/* %% [19.0] update BOL and yylineno */
YY_CURRENT_BUFFER_LVALUE->yy_at_bol = (c == '\n');
if ( YY_CURRENT_BUFFER_LVALUE->yy_at_bol )
-
+
do{ yylineno++;
yycolumn=0;
}while(0)
@@ -1848,7 +2038,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
* @note This function does not reset the start condition to @c INITIAL .
*/
/* %if-c-only */
- void conf_parser_restart (FILE * input_file , yyscan_t yyscanner)
+ void yyrestart (FILE * input_file , yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -1856,13 +2046,13 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
if ( ! YY_CURRENT_BUFFER ){
- conf_parser_ensure_buffer_stack (yyscanner);
+ yyensure_buffer_stack (yyscanner);
YY_CURRENT_BUFFER_LVALUE =
- conf_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner);
+ yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner);
}
- conf_parser__init_buffer(YY_CURRENT_BUFFER,input_file ,yyscanner);
- conf_parser__load_buffer_state(yyscanner );
+ yy_init_buffer( YY_CURRENT_BUFFER, input_file , yyscanner);
+ yy_load_buffer_state( yyscanner );
}
/* %if-c++-only */
@@ -1873,7 +2063,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
* @param yyscanner The scanner object.
*/
/* %if-c-only */
- void conf_parser__switch_to_buffer (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner)
+ void yy_switch_to_buffer (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -1882,10 +2072,10 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
/* TODO. We should be able to replace this entire function body
* with
- * conf_parser_pop_buffer_state();
- * conf_parser_push_buffer_state(new_buffer);
+ * yypop_buffer_state();
+ * yypush_buffer_state(new_buffer);
*/
- conf_parser_ensure_buffer_stack (yyscanner);
+ yyensure_buffer_stack (yyscanner);
if ( YY_CURRENT_BUFFER == new_buffer )
return;
@@ -1898,18 +2088,18 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
}
YY_CURRENT_BUFFER_LVALUE = new_buffer;
- conf_parser__load_buffer_state(yyscanner );
+ yy_load_buffer_state( yyscanner );
/* We don't actually know whether we did this switch during
- * EOF (conf_parser_wrap()) processing, but the only time this flag
- * is looked at is after conf_parser_wrap() is called, so it's safe
+ * EOF (yywrap()) processing, but the only time this flag
+ * is looked at is after yywrap() is called, so it's safe
* to go ahead and always set it.
*/
yyg->yy_did_buffer_switch_on_eof = 1;
}
/* %if-c-only */
-static void conf_parser__load_buffer_state (yyscan_t yyscanner)
+static void yy_load_buffer_state (yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -1932,29 +2122,29 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner)
* @return the allocated buffer state.
*/
/* %if-c-only */
- YY_BUFFER_STATE conf_parser__create_buffer (FILE * file, int size , yyscan_t yyscanner)
+ YY_BUFFER_STATE yy_create_buffer (FILE * file, int size , yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
{
YY_BUFFER_STATE b;
- b = (YY_BUFFER_STATE) conf_parser_alloc(sizeof( struct yy_buffer_state ) ,yyscanner );
+ b = (YY_BUFFER_STATE) yyalloc( sizeof( struct yy_buffer_state ) , yyscanner );
if ( ! b )
- YY_FATAL_ERROR( "out of dynamic memory in conf_parser__create_buffer()" );
+ YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
- b->yy_buf_size = (yy_size_t)size;
+ b->yy_buf_size = size;
/* yy_ch_buf has to be 2 characters longer than the size given because
* we need to put in 2 end-of-buffer characters.
*/
- b->yy_ch_buf = (char *) conf_parser_alloc(b->yy_buf_size + 2 ,yyscanner );
+ b->yy_ch_buf = (char *) yyalloc( (yy_size_t) (b->yy_buf_size + 2) , yyscanner );
if ( ! b->yy_ch_buf )
- YY_FATAL_ERROR( "out of dynamic memory in conf_parser__create_buffer()" );
+ YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
b->yy_is_our_buffer = 1;
- conf_parser__init_buffer(b,file ,yyscanner);
+ yy_init_buffer( b, file , yyscanner);
return b;
}
@@ -1963,11 +2153,11 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner)
/* %endif */
/** Destroy the buffer.
- * @param b a buffer created with conf_parser__create_buffer()
+ * @param b a buffer created with yy_create_buffer()
* @param yyscanner The scanner object.
*/
/* %if-c-only */
- void conf_parser__delete_buffer (YY_BUFFER_STATE b , yyscan_t yyscanner)
+ void yy_delete_buffer (YY_BUFFER_STATE b , yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -1981,17 +2171,17 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner)
YY_CURRENT_BUFFER_LVALUE = (YY_BUFFER_STATE) 0;
if ( b->yy_is_our_buffer )
- conf_parser_free((void *) b->yy_ch_buf ,yyscanner );
+ yyfree( (void *) b->yy_ch_buf , yyscanner );
- conf_parser_free((void *) b ,yyscanner );
+ yyfree( (void *) b , yyscanner );
}
/* Initializes or reinitializes a buffer.
* This function is sometimes called more than once on the same buffer,
- * such as during a conf_parser_restart() or at EOF.
+ * such as during a yyrestart() or at EOF.
*/
/* %if-c-only */
- static void conf_parser__init_buffer (YY_BUFFER_STATE b, FILE * file , yyscan_t yyscanner)
+ static void yy_init_buffer (YY_BUFFER_STATE b, FILE * file , yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -2000,7 +2190,7 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner)
int oerrno = errno;
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
- conf_parser__flush_buffer(b ,yyscanner);
+ yy_flush_buffer( b , yyscanner);
/* %if-c-only */
b->yy_input_file = file;
@@ -2009,8 +2199,8 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner)
/* %endif */
b->yy_fill_buffer = 1;
- /* If b is the current buffer, then conf_parser__init_buffer was _probably_
- * called from conf_parser_restart() or through yy_get_next_buffer.
+ /* If b is the current buffer, then yy_init_buffer was _probably_
+ * called from yyrestart() or through yy_get_next_buffer.
* In that case, we don't want to reset the lineno or column.
*/
if (b != YY_CURRENT_BUFFER){
@@ -2020,7 +2210,7 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner)
/* %if-c-only */
- b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
+ b->yy_is_interactive = 0;
/* %endif */
/* %if-c++-only */
@@ -2033,7 +2223,7 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner)
* @param yyscanner The scanner object.
*/
/* %if-c-only */
- void conf_parser__flush_buffer (YY_BUFFER_STATE b , yyscan_t yyscanner)
+ void yy_flush_buffer (YY_BUFFER_STATE b , yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -2057,7 +2247,7 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner)
b->yy_buffer_status = YY_BUFFER_NEW;
if ( b == YY_CURRENT_BUFFER )
- conf_parser__load_buffer_state(yyscanner );
+ yy_load_buffer_state( yyscanner );
}
/* %if-c-or-c++ */
@@ -2068,7 +2258,7 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner)
* @param yyscanner The scanner object.
*/
/* %if-c-only */
-void conf_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner)
+void yypush_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -2077,9 +2267,9 @@ void conf_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscan
if (new_buffer == NULL)
return;
- conf_parser_ensure_buffer_stack(yyscanner);
+ yyensure_buffer_stack(yyscanner);
- /* This block is copied from conf_parser__switch_to_buffer. */
+ /* This block is copied from yy_switch_to_buffer. */
if ( YY_CURRENT_BUFFER )
{
/* Flush out information for old buffer. */
@@ -2093,8 +2283,8 @@ void conf_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscan
yyg->yy_buffer_stack_top++;
YY_CURRENT_BUFFER_LVALUE = new_buffer;
- /* copied from conf_parser__switch_to_buffer. */
- conf_parser__load_buffer_state(yyscanner );
+ /* copied from yy_switch_to_buffer. */
+ yy_load_buffer_state( yyscanner );
yyg->yy_did_buffer_switch_on_eof = 1;
}
/* %endif */
@@ -2105,7 +2295,7 @@ void conf_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscan
* @param yyscanner The scanner object.
*/
/* %if-c-only */
-void conf_parser_pop_buffer_state (yyscan_t yyscanner)
+void yypop_buffer_state (yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -2114,13 +2304,13 @@ void conf_parser_pop_buffer_state (yyscan_t yyscanner)
if (!YY_CURRENT_BUFFER)
return;
- conf_parser__delete_buffer(YY_CURRENT_BUFFER ,yyscanner);
+ yy_delete_buffer(YY_CURRENT_BUFFER , yyscanner);
YY_CURRENT_BUFFER_LVALUE = NULL;
if (yyg->yy_buffer_stack_top > 0)
--yyg->yy_buffer_stack_top;
if (YY_CURRENT_BUFFER) {
- conf_parser__load_buffer_state(yyscanner );
+ yy_load_buffer_state( yyscanner );
yyg->yy_did_buffer_switch_on_eof = 1;
}
}
@@ -2131,7 +2321,7 @@ void conf_parser_pop_buffer_state (yyscan_t yyscanner)
* Guarantees space for at least one push.
*/
/* %if-c-only */
-static void conf_parser_ensure_buffer_stack (yyscan_t yyscanner)
+static void yyensure_buffer_stack (yyscan_t yyscanner)
/* %endif */
/* %if-c++-only */
/* %endif */
@@ -2145,15 +2335,15 @@ static void conf_parser_ensure_buffer_stack (yyscan_t yyscanner)
* scanner will even need a stack. We use 2 instead of 1 to avoid an
* immediate realloc on the next call.
*/
- num_to_alloc = 1; /* After all that talk, this was set to 1 anyways... */
- yyg->yy_buffer_stack = (struct yy_buffer_state**)conf_parser_alloc
+ num_to_alloc = 1; /* After all that talk, this was set to 1 anyways... */
+ yyg->yy_buffer_stack = (struct yy_buffer_state**)yyalloc
(num_to_alloc * sizeof(struct yy_buffer_state*)
, yyscanner);
if ( ! yyg->yy_buffer_stack )
- YY_FATAL_ERROR( "out of dynamic memory in conf_parser_ensure_buffer_stack()" );
-
+ YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
+
memset(yyg->yy_buffer_stack, 0, num_to_alloc * sizeof(struct yy_buffer_state*));
-
+
yyg->yy_buffer_stack_max = num_to_alloc;
yyg->yy_buffer_stack_top = 0;
return;
@@ -2165,12 +2355,12 @@ static void conf_parser_ensure_buffer_stack (yyscan_t yyscanner)
yy_size_t grow_size = 8 /* arbitrary grow size */;
num_to_alloc = yyg->yy_buffer_stack_max + grow_size;
- yyg->yy_buffer_stack = (struct yy_buffer_state**)conf_parser_realloc
+ yyg->yy_buffer_stack = (struct yy_buffer_state**)yyrealloc
(yyg->yy_buffer_stack,
num_to_alloc * sizeof(struct yy_buffer_state*)
, yyscanner);
if ( ! yyg->yy_buffer_stack )
- YY_FATAL_ERROR( "out of dynamic memory in conf_parser_ensure_buffer_stack()" );
+ YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
/* zero only the new slots.*/
memset(yyg->yy_buffer_stack + yyg->yy_buffer_stack_max, 0, grow_size * sizeof(struct yy_buffer_state*));
@@ -2184,9 +2374,9 @@ static void conf_parser_ensure_buffer_stack (yyscan_t yyscanner)
* @param base the character buffer
* @param size the size in bytes of the character buffer
* @param yyscanner The scanner object.
- * @return the newly allocated buffer state object.
+ * @return the newly allocated buffer state object.
*/
-YY_BUFFER_STATE conf_parser__scan_buffer (char * base, yy_size_t size , yyscan_t yyscanner)
+YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size , yyscan_t yyscanner)
{
YY_BUFFER_STATE b;
@@ -2194,73 +2384,73 @@ YY_BUFFER_STATE conf_parser__scan_buffer (char * base, yy_size_t size , yyscan
base[size-2] != YY_END_OF_BUFFER_CHAR ||
base[size-1] != YY_END_OF_BUFFER_CHAR )
/* They forgot to leave room for the EOB's. */
- return 0;
+ return NULL;
- b = (YY_BUFFER_STATE) conf_parser_alloc(sizeof( struct yy_buffer_state ) ,yyscanner );
+ b = (YY_BUFFER_STATE) yyalloc( sizeof( struct yy_buffer_state ) , yyscanner );
if ( ! b )
- YY_FATAL_ERROR( "out of dynamic memory in conf_parser__scan_buffer()" );
+ YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" );
- b->yy_buf_size = size - 2; /* "- 2" to take care of EOB's */
+ b->yy_buf_size = (int) (size - 2); /* "- 2" to take care of EOB's */
b->yy_buf_pos = b->yy_ch_buf = base;
b->yy_is_our_buffer = 0;
- b->yy_input_file = 0;
+ b->yy_input_file = NULL;
b->yy_n_chars = b->yy_buf_size;
b->yy_is_interactive = 0;
b->yy_at_bol = 1;
b->yy_fill_buffer = 0;
b->yy_buffer_status = YY_BUFFER_NEW;
- conf_parser__switch_to_buffer(b ,yyscanner );
+ yy_switch_to_buffer( b , yyscanner );
return b;
}
/* %endif */
/* %if-c-only */
-/** Setup the input buffer state to scan a string. The next call to conf_parser_lex() will
+/** Setup the input buffer state to scan a string. The next call to yylex() will
* scan from a @e copy of @a str.
* @param yystr a NUL-terminated string to scan
* @param yyscanner The scanner object.
* @return the newly allocated buffer state object.
* @note If you want to scan bytes that may contain NUL values, then use
- * conf_parser__scan_bytes() instead.
+ * yy_scan_bytes() instead.
*/
-YY_BUFFER_STATE conf_parser__scan_string (yyconst char * yystr , yyscan_t yyscanner)
+YY_BUFFER_STATE yy_scan_string (const char * yystr , yyscan_t yyscanner)
{
- return conf_parser__scan_bytes(yystr,strlen(yystr) ,yyscanner);
+ return yy_scan_bytes( yystr, (int) strlen(yystr) , yyscanner);
}
/* %endif */
/* %if-c-only */
-/** Setup the input buffer state to scan the given bytes. The next call to conf_parser_lex() will
+/** Setup the input buffer state to scan the given bytes. The next call to yylex() will
* scan from a @e copy of @a bytes.
* @param yybytes the byte buffer to scan
* @param _yybytes_len the number of bytes in the buffer pointed to by @a bytes.
* @param yyscanner The scanner object.
* @return the newly allocated buffer state object.
*/
-YY_BUFFER_STATE conf_parser__scan_bytes (yyconst char * yybytes, yy_size_t _yybytes_len , yyscan_t yyscanner)
+YY_BUFFER_STATE yy_scan_bytes (const char * yybytes, int _yybytes_len , yyscan_t yyscanner)
{
YY_BUFFER_STATE b;
char *buf;
yy_size_t n;
- yy_size_t i;
+ int i;
/* Get memory for full buffer, including space for trailing EOB's. */
- n = _yybytes_len + 2;
- buf = (char *) conf_parser_alloc(n ,yyscanner );
+ n = (yy_size_t) (_yybytes_len + 2);
+ buf = (char *) yyalloc( n , yyscanner );
if ( ! buf )
- YY_FATAL_ERROR( "out of dynamic memory in conf_parser__scan_bytes()" );
+ YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
for ( i = 0; i < _yybytes_len; ++i )
buf[i] = yybytes[i];
buf[_yybytes_len] = buf[_yybytes_len+1] = YY_END_OF_BUFFER_CHAR;
- b = conf_parser__scan_buffer(buf,n ,yyscanner);
+ b = yy_scan_buffer( buf, n , yyscanner);
if ( ! b )
- YY_FATAL_ERROR( "bad buffer in conf_parser__scan_bytes()" );
+ YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" );
/* It's okay to grow etc. this buffer, and we should throw it
* away when we're done.
@@ -2283,13 +2473,14 @@ YY_BUFFER_STATE conf_parser__scan_bytes (yyconst char * yybytes, yy_size_t _yy
yy_size_t new_size;
yyg->yy_start_stack_depth += YY_START_STACK_INCR;
- new_size = yyg->yy_start_stack_depth * sizeof( int );
+ new_size = (yy_size_t) yyg->yy_start_stack_depth * sizeof( int );
if ( ! yyg->yy_start_stack )
- yyg->yy_start_stack = (int *) conf_parser_alloc(new_size ,yyscanner );
+ yyg->yy_start_stack = (int *) yyalloc( new_size , yyscanner );
else
- yyg->yy_start_stack = (int *) conf_parser_realloc((void *) yyg->yy_start_stack,new_size ,yyscanner );
+ yyg->yy_start_stack = (int *) yyrealloc(
+ (void *) yyg->yy_start_stack, new_size , yyscanner );
if ( ! yyg->yy_start_stack )
YY_FATAL_ERROR( "out of memory expanding start-condition stack" );
@@ -2328,11 +2519,11 @@ YY_BUFFER_STATE conf_parser__scan_bytes (yyconst char * yybytes, yy_size_t _yy
#endif
/* %if-c-only */
-static void yy_fatal_error (yyconst char* msg , yyscan_t yyscanner)
+static void yynoreturn yy_fatal_error (const char* msg , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
(void)yyg;
- (void) fprintf( stderr, "%s\n", msg );
+ fprintf( stderr, "%s\n", msg );
exit( YY_EXIT_FAILURE );
}
/* %endif */
@@ -2364,7 +2555,7 @@ static void yy_fatal_error (yyconst char* msg , yyscan_t yyscanner)
/** Get the user-defined data for this scanner.
* @param yyscanner The scanner object.
*/
-YY_EXTRA_TYPE conf_parser_get_extra (yyscan_t yyscanner)
+YY_EXTRA_TYPE yyget_extra (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
return yyextra;
@@ -2375,10 +2566,10 @@ YY_EXTRA_TYPE conf_parser_get_extra (yyscan_t yyscanner)
/** Get the current line number.
* @param yyscanner The scanner object.
*/
-int conf_parser_get_lineno (yyscan_t yyscanner)
+int yyget_lineno (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
-
+
if (! YY_CURRENT_BUFFER)
return 0;
@@ -2388,10 +2579,10 @@ int conf_parser_get_lineno (yyscan_t yyscanner)
/** Get the current column number.
* @param yyscanner The scanner object.
*/
-int conf_parser_get_column (yyscan_t yyscanner)
+int yyget_column (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
-
+
if (! YY_CURRENT_BUFFER)
return 0;
@@ -2401,7 +2592,7 @@ int conf_parser_get_column (yyscan_t yyscanner)
/** Get the input stream.
* @param yyscanner The scanner object.
*/
-FILE *conf_parser_get_in (yyscan_t yyscanner)
+FILE *yyget_in (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
return yyin;
@@ -2410,7 +2601,7 @@ FILE *conf_parser_get_in (yyscan_t yyscanner)
/** Get the output stream.
* @param yyscanner The scanner object.
*/
-FILE *conf_parser_get_out (yyscan_t yyscanner)
+FILE *yyget_out (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
return yyout;
@@ -2419,7 +2610,7 @@ FILE *conf_parser_get_out (yyscan_t yyscanner)
/** Get the length of the current token.
* @param yyscanner The scanner object.
*/
-yy_size_t conf_parser_get_leng (yyscan_t yyscanner)
+int yyget_leng (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
return yyleng;
@@ -2429,7 +2620,7 @@ yy_size_t conf_parser_get_leng (yyscan_t yyscanner)
* @param yyscanner The scanner object.
*/
-char *conf_parser_get_text (yyscan_t yyscanner)
+char *yyget_text (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
return yytext;
@@ -2441,7 +2632,7 @@ char *conf_parser_get_text (yyscan_t yyscanner)
* @param user_defined The data to be associated with this scanner.
* @param yyscanner The scanner object.
*/
-void conf_parser_set_extra (YY_EXTRA_TYPE user_defined , yyscan_t yyscanner)
+void yyset_extra (YY_EXTRA_TYPE user_defined , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
yyextra = user_defined ;
@@ -2453,13 +2644,13 @@ void conf_parser_set_extra (YY_EXTRA_TYPE user_defined , yyscan_t yyscanner)
* @param _line_number line number
* @param yyscanner The scanner object.
*/
-void conf_parser_set_lineno (int _line_number , yyscan_t yyscanner)
+void yyset_lineno (int _line_number , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
/* lineno is only valid if an input buffer exists. */
if (! YY_CURRENT_BUFFER )
- YY_FATAL_ERROR( "conf_parser_set_lineno called with no buffer" );
+ YY_FATAL_ERROR( "yyset_lineno called with no buffer" );
yylineno = _line_number;
}
@@ -2468,13 +2659,13 @@ void conf_parser_set_lineno (int _line_number , yyscan_t yyscanner)
* @param _column_no column number
* @param yyscanner The scanner object.
*/
-void conf_parser_set_column (int _column_no , yyscan_t yyscanner)
+void yyset_column (int _column_no , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
/* column is only valid if an input buffer exists. */
if (! YY_CURRENT_BUFFER )
- YY_FATAL_ERROR( "conf_parser_set_column called with no buffer" );
+ YY_FATAL_ERROR( "yyset_column called with no buffer" );
yycolumn = _column_no;
}
@@ -2483,27 +2674,27 @@ void conf_parser_set_column (int _column_no , yyscan_t yyscanner)
* input buffer.
* @param _in_str A readable stream.
* @param yyscanner The scanner object.
- * @see conf_parser__switch_to_buffer
+ * @see yy_switch_to_buffer
*/
-void conf_parser_set_in (FILE * _in_str , yyscan_t yyscanner)
+void yyset_in (FILE * _in_str , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
yyin = _in_str ;
}
-void conf_parser_set_out (FILE * _out_str , yyscan_t yyscanner)
+void yyset_out (FILE * _out_str , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
yyout = _out_str ;
}
-int conf_parser_get_debug (yyscan_t yyscanner)
+int yyget_debug (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
return yy_flex_debug;
}
-void conf_parser_set_debug (int _bdebug , yyscan_t yyscanner)
+void yyset_debug (int _bdebug , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
yy_flex_debug = _bdebug ;
@@ -2516,13 +2707,13 @@ void conf_parser_set_debug (int _bdebug , yyscan_t yyscanner)
/* %if-bison-bridge */
-YYSTYPE * conf_parser_get_lval (yyscan_t yyscanner)
+YYSTYPE * yyget_lval (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
return yylval;
}
-void conf_parser_set_lval (YYSTYPE * yylval_param , yyscan_t yyscanner)
+void yyset_lval (YYSTYPE * yylval_param , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
yylval = yylval_param;
@@ -2532,20 +2723,18 @@ void conf_parser_set_lval (YYSTYPE * yylval_param , yyscan_t yyscanner)
/* User-visible API */
-/* conf_parser_lex_init is special because it creates the scanner itself, so it is
+/* yylex_init is special because it creates the scanner itself, so it is
* the ONLY reentrant function that doesn't take the scanner as the last argument.
* That's why we explicitly handle the declaration, instead of using our macros.
*/
-
-int conf_parser_lex_init(yyscan_t* ptr_yy_globals)
-
+int yylex_init(yyscan_t* ptr_yy_globals)
{
if (ptr_yy_globals == NULL){
errno = EINVAL;
return 1;
}
- *ptr_yy_globals = (yyscan_t) conf_parser_alloc ( sizeof( struct yyguts_t ), NULL );
+ *ptr_yy_globals = (yyscan_t) yyalloc ( sizeof( struct yyguts_t ), NULL );
if (*ptr_yy_globals == NULL){
errno = ENOMEM;
@@ -2558,39 +2747,37 @@ int conf_parser_lex_init(yyscan_t* ptr_yy_globals)
return yy_init_globals ( *ptr_yy_globals );
}
-/* conf_parser_lex_init_extra has the same functionality as conf_parser_lex_init, but follows the
+/* yylex_init_extra has the same functionality as yylex_init, but follows the
* convention of taking the scanner as the last argument. Note however, that
* this is a *pointer* to a scanner, as it will be allocated by this call (and
* is the reason, too, why this function also must handle its own declaration).
- * The user defined value in the first argument will be available to conf_parser_alloc in
+ * The user defined value in the first argument will be available to yyalloc in
* the yyextra field.
*/
-
-int conf_parser_lex_init_extra(YY_EXTRA_TYPE yy_user_defined,yyscan_t* ptr_yy_globals )
-
+int yylex_init_extra( YY_EXTRA_TYPE yy_user_defined, yyscan_t* ptr_yy_globals )
{
struct yyguts_t dummy_yyguts;
- conf_parser_set_extra (yy_user_defined, &dummy_yyguts);
+ yyset_extra (yy_user_defined, &dummy_yyguts);
if (ptr_yy_globals == NULL){
errno = EINVAL;
return 1;
}
-
- *ptr_yy_globals = (yyscan_t) conf_parser_alloc ( sizeof( struct yyguts_t ), &dummy_yyguts );
-
+
+ *ptr_yy_globals = (yyscan_t) yyalloc ( sizeof( struct yyguts_t ), &dummy_yyguts );
+
if (*ptr_yy_globals == NULL){
errno = ENOMEM;
return 1;
}
-
+
/* By setting to 0xAA, we expose bugs in
yy_init_globals. Leave at 0x00 for releases. */
memset(*ptr_yy_globals,0x00,sizeof(struct yyguts_t));
-
- conf_parser_set_extra (yy_user_defined, *ptr_yy_globals);
-
+
+ yyset_extra (yy_user_defined, *ptr_yy_globals);
+
return yy_init_globals ( *ptr_yy_globals );
}
@@ -2601,13 +2788,13 @@ static int yy_init_globals (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
/* Initialization is the same as for the non-reentrant scanner.
- * This function is called from conf_parser_lex_destroy(), so don't allocate here.
+ * This function is called from yylex_destroy(), so don't allocate here.
*/
- yyg->yy_buffer_stack = 0;
+ yyg->yy_buffer_stack = NULL;
yyg->yy_buffer_stack_top = 0;
yyg->yy_buffer_stack_max = 0;
- yyg->yy_c_buf_p = (char *) 0;
+ yyg->yy_c_buf_p = NULL;
yyg->yy_init = 0;
yyg->yy_start = 0;
@@ -2620,45 +2807,45 @@ static int yy_init_globals (yyscan_t yyscanner)
yyin = stdin;
yyout = stdout;
#else
- yyin = (FILE *) 0;
- yyout = (FILE *) 0;
+ yyin = NULL;
+ yyout = NULL;
#endif
/* For future reference: Set errno on error, since we are called by
- * conf_parser_lex_init()
+ * yylex_init()
*/
return 0;
}
/* %endif */
/* %if-c-only SNIP! this currently causes conflicts with the c++ scanner */
-/* conf_parser_lex_destroy is for both reentrant and non-reentrant scanners. */
-int conf_parser_lex_destroy (yyscan_t yyscanner)
+/* yylex_destroy is for both reentrant and non-reentrant scanners. */
+int yylex_destroy (yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
/* Pop the buffer stack, destroying each element. */
while(YY_CURRENT_BUFFER){
- conf_parser__delete_buffer(YY_CURRENT_BUFFER ,yyscanner );
+ yy_delete_buffer( YY_CURRENT_BUFFER , yyscanner );
YY_CURRENT_BUFFER_LVALUE = NULL;
- conf_parser_pop_buffer_state(yyscanner);
+ yypop_buffer_state(yyscanner);
}
/* Destroy the stack itself. */
- conf_parser_free(yyg->yy_buffer_stack ,yyscanner);
+ yyfree(yyg->yy_buffer_stack , yyscanner);
yyg->yy_buffer_stack = NULL;
/* Destroy the start condition stack. */
- conf_parser_free(yyg->yy_start_stack ,yyscanner );
+ yyfree( yyg->yy_start_stack , yyscanner );
yyg->yy_start_stack = NULL;
/* Reset the globals. This is important in a non-reentrant scanner so the next time
- * conf_parser_lex() is called, initialization will occur. */
+ * yylex() is called, initialization will occur. */
yy_init_globals( yyscanner);
/* %if-reentrant */
/* Destroy the main struct (reentrant only). */
- conf_parser_free ( yyscanner , yyscanner );
+ yyfree ( yyscanner , yyscanner );
yyscanner = NULL;
/* %endif */
return 0;
@@ -2670,7 +2857,7 @@ int conf_parser_lex_destroy (yyscan_t yyscanner)
*/
#ifndef yytext_ptr
-static void yy_flex_strncpy (char* s1, yyconst char * s2, int n , yyscan_t yyscanner)
+static void yy_flex_strncpy (char* s1, const char * s2, int n , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
(void)yyg;
@@ -2682,7 +2869,7 @@ static void yy_flex_strncpy (char* s1, yyconst char * s2, int n , yyscan_t yysca
#endif
#ifdef YY_NEED_STRLEN
-static int yy_flex_strlen (yyconst char * s , yyscan_t yyscanner)
+static int yy_flex_strlen (const char * s , yyscan_t yyscanner)
{
int n;
for ( n = 0; s[n]; ++n )
@@ -2692,14 +2879,14 @@ static int yy_flex_strlen (yyconst char * s , yyscan_t yyscanner)
}
#endif
-void *conf_parser_alloc (yy_size_t size , yyscan_t yyscanner)
+void *yyalloc (yy_size_t size , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
(void)yyg;
- return (void *) malloc( size );
+ return malloc(size);
}
-void *conf_parser_realloc (void * ptr, yy_size_t size , yyscan_t yyscanner)
+void *yyrealloc (void * ptr, yy_size_t size , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
(void)yyg;
@@ -2711,14 +2898,14 @@ void *conf_parser_realloc (void * ptr, yy_size_t size , yyscan_t yyscanner)
* any pointer type to void*, and deal with argument conversions
* as though doing an assignment.
*/
- return (void *) realloc( (char *) ptr, size );
+ return realloc(ptr, size);
}
-void conf_parser_free (void * ptr , yyscan_t yyscanner)
+void yyfree (void * ptr , yyscan_t yyscanner)
{
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner;
(void)yyg;
- free( (char *) ptr ); /* see conf_parser_realloc() for (char *) cast */
+ free( (char *) ptr ); /* see yyrealloc() for (char *) cast */
}
/* %if-tables-serialization definitions */
@@ -2728,8 +2915,7 @@ void conf_parser_free (void * ptr , yyscan_t yyscanner)
/* %ok-for-header */
-#line 163 "parser/lexer.l"
-
+#line 168 "parser/lexer.l"
/**
diff --git a/src/starter/parser/lexer.l b/src/starter/parser/lexer.l
index fb23a0f93..b81d6ce74 100644
--- a/src/starter/parser/lexer.l
+++ b/src/starter/parser/lexer.l
@@ -33,6 +33,11 @@ static void include_files(parser_helper_t *ctx);
/* do not declare unneeded functions */
%option noinput noyywrap
+/* do not include unistd.h as it might conflict with our scanner states */
+%option nounistd
+/* due to that disable interactive mode, which requires isatty() */
+%option never-interactive
+
/* don't use global variables, and interact properly with bison */
%option reentrant bison-bridge
diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c
index 17a3663fe..33d735164 100644
--- a/src/stroke/stroke_keywords.c
+++ b/src/stroke/stroke_keywords.c
@@ -1,4 +1,4 @@
-/* C code produced by gperf version 3.0.4 */
+/* ANSI-C code produced by gperf version 3.1 */
/* Command-line: /usr/bin/gperf -m 10 -D -C -G -t */
/* Computed positions: -k'1,5,7' */
@@ -26,7 +26,7 @@
&& ('w' == 119) && ('x' == 120) && ('y' == 121) && ('z' == 122) \
&& ('{' == 123) && ('|' == 124) && ('}' == 125) && ('~' == 126))
/* The character set is not based on ISO-646. */
-error "gperf generated tables don't work with this execution character set. Please report a bug to <bug-gnu-gperf@gnu.org>."
+#error "gperf generated tables don't work with this execution character set. Please report a bug to <bug-gperf@gnu.org>."
#endif
@@ -69,9 +69,7 @@ inline
#endif
#endif
static unsigned int
-hash (str, len)
- register const char *str;
- register unsigned int len;
+hash (register const char *str, register size_t len)
{
static const unsigned char asso_values[] =
{
@@ -102,7 +100,7 @@ hash (str, len)
60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
60, 60, 60, 60, 60, 60
};
- register int hval = len;
+ register unsigned int hval = len;
switch (hval)
{
@@ -175,7 +173,7 @@ static const struct stroke_token wordlist[] =
{"resetcounters", STROKE_COUNTERS_RESET}
};
-static const short lookup[] =
+static const signed char lookup[] =
{
-1, -1, -1, 0, 1, 2, -1, 3, -1, 4, -1, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21,
@@ -184,22 +182,14 @@ static const short lookup[] =
-1, 46, -1, 47
};
-#ifdef __GNUC__
-__inline
-#if defined __GNUC_STDC_INLINE__ || defined __GNUC_GNU_INLINE__
-__attribute__ ((__gnu_inline__))
-#endif
-#endif
const struct stroke_token *
-in_word_set (str, len)
- register const char *str;
- register unsigned int len;
+in_word_set (register const char *str, register size_t len)
{
if (len <= MAX_WORD_LENGTH && len >= MIN_WORD_LENGTH)
{
- register int key = hash (str, len);
+ register unsigned int key = hash (str, len);
- if (key <= MAX_HASH_VALUE && key >= 0)
+ if (key <= MAX_HASH_VALUE)
{
register int index = lookup[key];
diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h
index 4e0b66b3d..fa86ccb47 100644
--- a/src/stroke/stroke_keywords.h
+++ b/src/stroke/stroke_keywords.h
@@ -74,6 +74,6 @@ typedef enum {
typedef struct stroke_token stroke_token_t;
extern const stroke_token_t* in_word_set(register const char *str,
- register unsigned len);
+ register size_t len);
#endif /* _STROKE_KEYWORDS_H_ */
diff --git a/src/sw-collector/sw-collector.c b/src/sw-collector/sw-collector.c
index f8229a192..5453eeb60 100644
--- a/src/sw-collector/sw-collector.c
+++ b/src/sw-collector/sw-collector.c
@@ -27,7 +27,7 @@
#include "sw_collector_history.h"
#include "sw_collector_rest_api.h"
#include "sw_collector_dpkg.h"
-#
+
#include <library.h>
#include <utils/debug.h>
#include <utils/lexparser.h>
@@ -165,7 +165,6 @@ static collector_op_t do_args(int argc, char *argv[], bool *full_tags,
case 'h':
usage();
exit(SUCCESS);
- break;
case 'C':
op = COLLECTOR_OP_CHECK;
continue;
diff --git a/src/swanctl/commands/load_all.c b/src/swanctl/commands/load_all.c
index 26f043a6a..d0032467a 100644
--- a/src/swanctl/commands/load_all.c
+++ b/src/swanctl/commands/load_all.c
@@ -31,7 +31,7 @@ static int load_all(vici_conn_t *conn)
bool clear = FALSE, noprompt = FALSE;
command_format_options_t format = COMMAND_FORMAT_NONE;
settings_t *cfg;
- char *arg, *file = SWANCTL_CONF;
+ char *arg, *file = NULL;
int ret = 0;
while (TRUE)
@@ -63,10 +63,9 @@ static int load_all(vici_conn_t *conn)
break;
}
- cfg = settings_create(file);
+ cfg = load_swanctl_conf(file);
if (!cfg)
{
- fprintf(stderr, "parsing '%s' failed\n", file);
return EINVAL;
}
diff --git a/src/swanctl/commands/load_authorities.c b/src/swanctl/commands/load_authorities.c
index 61682a386..a4e1f46d3 100644
--- a/src/swanctl/commands/load_authorities.c
+++ b/src/swanctl/commands/load_authorities.c
@@ -55,8 +55,9 @@ static bool add_file_key_value(vici_req_t *req, char *key, char *value)
else
{
path = buf;
- snprintf(path, PATH_MAX, "%s%s%s",
- SWANCTL_X509CADIR, DIRECTORY_SEPARATOR, value);
+ snprintf(path, PATH_MAX, "%s%s%s%s%s", swanctl_dir,
+ DIRECTORY_SEPARATOR, SWANCTL_X509CADIR,
+ DIRECTORY_SEPARATOR, value);
}
map = chunk_map(path, FALSE);
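Review bot: The return value of the widened `snprintf()` is not checked, so a path longer than `PATH_MAX` is silently truncated and `chunk_map()` is then asked to map a different file than the one configured. Since `swanctl_dir` is now set at run time (see swanctl.c in this commit), the prefix length is no longer fixed at build time. I would fail explicitly, e.g. `if (snprintf(path, PATH_MAX, "%s%s%s%s%s", ...) >= PATH_MAX) { return FALSE; }`. The same unchecked pattern is added in the three `snprintf()` calls of `add_file_list_key()` in load_conns.c, in `load_certs()`, `load_keys()` and `load_containers()` in load_creds.c, and in `load_swanctl_conf()` in swanctl.c. The body of `add_file_key_value()` starts and ends outside this hunk, so the exact error path is an assumption.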
@@ -83,7 +84,6 @@ static bool add_key_values(vici_req_t *req, enumerator_t *enumerator)
char *key, *value;
bool ret = TRUE;
-
while (enumerator->enumerate(enumerator, &key, &value))
{
if (streq(key, "cacert"))
@@ -310,7 +310,7 @@ static int load_authorities(vici_conn_t *conn)
{
command_format_options_t format = COMMAND_FORMAT_NONE;
settings_t *cfg;
- char *arg, *file = SWANCTL_CONF;
+ char *arg, *file = NULL;
int ret;
while (TRUE)
@@ -336,10 +336,9 @@ static int load_authorities(vici_conn_t *conn)
break;
}
- cfg = settings_create(file);
+ cfg = load_swanctl_conf(file);
if (!cfg)
{
- fprintf(stderr, "parsing '%s' failed\n", file);
return EINVAL;
}
diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c
index dad03945d..de23816fb 100644
--- a/src/swanctl/commands/load_conns.c
+++ b/src/swanctl/commands/load_conns.c
@@ -120,20 +120,23 @@ static bool add_file_list_key(vici_req_t *req, char *key, char *value)
{
if (streq(key, "certs"))
{
- snprintf(buf, sizeof(buf), "%s%s%s",
- SWANCTL_X509DIR, DIRECTORY_SEPARATOR, token);
+ snprintf(buf, sizeof(buf), "%s%s%s%s%s", swanctl_dir,
+ DIRECTORY_SEPARATOR, SWANCTL_X509DIR,
+ DIRECTORY_SEPARATOR, token);
token = buf;
}
else if (streq(key, "cacerts"))
{
- snprintf(buf, sizeof(buf), "%s%s%s",
- SWANCTL_X509CADIR, DIRECTORY_SEPARATOR, token);
+ snprintf(buf, sizeof(buf), "%s%s%s%s%s", swanctl_dir,
+ DIRECTORY_SEPARATOR, SWANCTL_X509CADIR,
+ DIRECTORY_SEPARATOR, token);
token = buf;
}
else if (streq(key, "pubkeys"))
{
- snprintf(buf, sizeof(buf), "%s%s%s",
- SWANCTL_PUBKEYDIR, DIRECTORY_SEPARATOR, token);
+ snprintf(buf, sizeof(buf), "%s%s%s%s%s", swanctl_dir,
+ DIRECTORY_SEPARATOR, SWANCTL_PUBKEYDIR,
+ DIRECTORY_SEPARATOR, token);
token = buf;
}
}
@@ -425,7 +428,7 @@ static int load_conns(vici_conn_t *conn)
{
command_format_options_t format = COMMAND_FORMAT_NONE;
settings_t *cfg;
- char *arg, *file = SWANCTL_CONF;
+ char *arg, *file = NULL;
int ret;
while (TRUE)
@@ -451,10 +454,9 @@ static int load_conns(vici_conn_t *conn)
break;
}
- cfg = settings_create(file);
+ cfg = load_swanctl_conf(file);
if (!cfg)
{
- fprintf(stderr, "parsing '%s' failed\n", file);
return EINVAL;
}
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index a9e352f7e..9a38b5d1e 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -106,10 +106,13 @@ static void load_certs(load_ctx_t *ctx, char *type_str, char *dir)
x509_flag_t flag;
struct stat st;
chunk_t *map;
- char *path;
+ char *path, buf[PATH_MAX];
vici_cert_info_from_str(type_str, &type, &flag);
+ snprintf(buf, sizeof(buf), "%s%s%s", swanctl_dir, DIRECTORY_SEPARATOR, dir);
+ dir = buf;
+
enumerator = enumerator_create_directory(dir);
if (enumerator)
{
@@ -428,7 +431,10 @@ static void load_keys(load_ctx_t *ctx, char *type, char *dir)
enumerator_t *enumerator;
struct stat st;
chunk_t *map;
- char *path, *rel;
+ char *path, *rel, buf[PATH_MAX];
+
+ snprintf(buf, sizeof(buf), "%s%s%s", swanctl_dir, DIRECTORY_SEPARATOR, dir);
+ dir = buf;
enumerator = enumerator_create_directory(dir);
if (enumerator)
@@ -535,7 +541,10 @@ static void load_containers(load_ctx_t *ctx, char *type, char *dir)
enumerator_t *enumerator;
struct stat st;
chunk_t *map;
- char *path, *rel;
+ char *path, *rel, buf[PATH_MAX];
+
+ snprintf(buf, sizeof(buf), "%s%s%s", swanctl_dir, DIRECTORY_SEPARATOR, dir);
+ dir = buf;
enumerator = enumerator_create_directory(dir);
if (enumerator)
@@ -946,7 +955,7 @@ static int load_creds(vici_conn_t *conn)
bool clear = FALSE, noprompt = FALSE;
command_format_options_t format = COMMAND_FORMAT_NONE;
settings_t *cfg;
- char *arg, *file = SWANCTL_CONF;
+ char *arg, *file = NULL;
int ret;
while (TRUE)
@@ -978,10 +987,9 @@ static int load_creds(vici_conn_t *conn)
break;
}
- cfg = settings_create(file);
+ cfg = load_swanctl_conf(file);
if (!cfg)
{
- fprintf(stderr, "parsing '%s' failed\n", file);
return EINVAL;
}
diff --git a/src/swanctl/commands/load_pools.c b/src/swanctl/commands/load_pools.c
index ec9508efb..0ff6827e1 100644
--- a/src/swanctl/commands/load_pools.c
+++ b/src/swanctl/commands/load_pools.c
@@ -251,7 +251,7 @@ static int load_pools(vici_conn_t *conn)
{
command_format_options_t format = COMMAND_FORMAT_NONE;
settings_t *cfg;
- char *arg, *file = SWANCTL_CONF;
+ char *arg, *file = NULL;
int ret;
while (TRUE)
@@ -277,10 +277,9 @@ static int load_pools(vici_conn_t *conn)
break;
}
- cfg = settings_create(file);
+ cfg = load_swanctl_conf(file);
if (!cfg)
{
- fprintf(stderr, "parsing '%s' failed\n", file);
return EINVAL;
}
diff --git a/src/swanctl/commands/rekey.c b/src/swanctl/commands/rekey.c
index f44ecaa3c..65a402029 100644
--- a/src/swanctl/commands/rekey.c
+++ b/src/swanctl/commands/rekey.c
@@ -118,7 +118,7 @@ static void __attribute__ ((constructor))reg()
{
command_register((command_t) {
rekey, 'R', "rekey", "rekey an SA",
- {"--child <name> | --ike <name | --child-id <id> | --ike-id <id>",
+ {"--child <name> | --ike <name> | --child-id <id> | --ike-id <id>",
"[--reauth] [--raw|--pretty]"},
{
{"help", 'h', 0, "show usage information"},
diff --git a/src/swanctl/commands/terminate.c b/src/swanctl/commands/terminate.c
index bce404a54..2309843b2 100644
--- a/src/swanctl/commands/terminate.c
+++ b/src/swanctl/commands/terminate.c
@@ -150,7 +150,7 @@ static void __attribute__ ((constructor))reg()
{
command_register((command_t) {
terminate, 't', "terminate", "terminate a connection",
- {"--child <name> | --ike <name | --child-id <id> | --ike-id <id>",
+ {"--child <name> | --ike <name> | --child-id <id> | --ike-id <id>",
"[--timeout <s>] [--raw|--pretty]"},
{
{"help", 'h', 0, "show usage information"},
diff --git a/src/swanctl/swanctl.c b/src/swanctl/swanctl.c
index dc5af79a7..cfc82f9d7 100644
--- a/src/swanctl/swanctl.c
+++ b/src/swanctl/swanctl.c
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
@@ -13,17 +16,55 @@
* for more details.
*/
+#include "swanctl.h"
#include "command.h"
#include <unistd.h>
#include <library.h>
+/*
+ * Described in header
+ */
+char *swanctl_dir;
+
+/*
+ * Described in header
+ */
+settings_t *load_swanctl_conf(char *file)
+{
+ settings_t *cfg;
+ char buf[PATH_MAX];
+
+ if (!file)
+ {
+ if (!strlen(swanctl_dir))
+ {
+ free(swanctl_dir);
+ swanctl_dir = strdup(getcwd(buf, sizeof(buf)));
+ }
+ file = buf;
+ snprintf(buf, sizeof(buf), "%s%s%s", swanctl_dir,
+ DIRECTORY_SEPARATOR, SWANCTL_CONF);
+ }
+
+ cfg = settings_create(file);
+ if (!cfg)
+ {
+ fprintf(stderr, "parsing '%s' failed\n", file);
+ return NULL;
+ }
+ free(swanctl_dir);
+ swanctl_dir = path_dirname(file);
+ return cfg;
+}
+
/**
* Cleanup library atexit()
*/
static void cleanup()
{
+ free(swanctl_dir);
lib->processor->cancel(lib->processor);
library_deinit();
}
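Review bot: In `load_swanctl_conf()` the result of `getcwd(buf, sizeof(buf))` is passed straight to `strdup()`, which is undefined behaviour when `getcwd()` returns NULL. That happens if the working directory was removed, is not readable, or is longer than `PATH_MAX`. Check the call first, `if (!getcwd(buf, sizeof(buf))) { return NULL; }`, and then assign `swanctl_dir = strdup(buf);`. A short comment saying that an empty `swanctl_dir` means "use the current directory" would also help, because the condition `!strlen(swanctl_dir)` does not explain itself.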
@@ -49,6 +90,9 @@ int main(int argc, char *argv[])
{
exit(SS_RC_INITIALIZATION_FAILED);
}
+
+ swanctl_dir = strdup(getenv("SWANCTL_DIR") ?: SWANCTLDIR);
+
dbg_default_set_level(0);
lib->processor->set_threads(lib->processor, 4);
dbg_default_set_level(1);
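Review bot: The `strdup()` result assigned to `swanctl_dir` is not checked, while `load_swanctl_conf()` calls `strlen(swanctl_dir)` unconditionally, so an allocation failure here turns into a NULL dereference later. Adding `if (!swanctl_dir) { exit(SS_RC_INITIALIZATION_FAILED); }` right after the assignment keeps the failure explicit. The line also deserves a comment such as `/* SWANCTL_DIR overrides the base directory for swanctl.conf and all credential directories */`. The environment now decides where certificates and private keys are read from, which matters wherever swanctl is invoked with an environment the operator does not control. `main()` continues outside this hunk.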
diff --git a/src/swanctl/swanctl.h b/src/swanctl/swanctl.h
index eac1fc6d0..f0c334f7e 100644
--- a/src/swanctl/swanctl.h
+++ b/src/swanctl/swanctl.h
@@ -1,11 +1,11 @@
/*
- * Copyright (C) 2014 Martin Willi
- * Copyright (C) 2014 revosec AG
- *
- * Copyright (C) 2016 Tobias Brunner
+ * Copyright (C) 2016-2018 Tobias Brunner
* Copyright (C) 2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
@@ -25,74 +25,90 @@
#ifndef SWANCTL_H_
#define SWANCTL_H_
+#include <settings/settings.h>
+
+/**
+ * Base directory for credentials and config
+ */
+char *swanctl_dir;
+
/**
* Configuration file for connections, etc.
*/
-#define SWANCTL_CONF SWANCTLDIR "/swanctl.conf"
+#define SWANCTL_CONF "swanctl.conf"
/**
* Directory for X.509 end entity certs
*/
-#define SWANCTL_X509DIR SWANCTLDIR "/x509"
+#define SWANCTL_X509DIR "x509"
/**
* Directory for X.509 CA certs
*/
-#define SWANCTL_X509CADIR SWANCTLDIR "/x509ca"
+#define SWANCTL_X509CADIR "x509ca"
/**
* Directory for X.509 Attribute Authority certs
*/
-#define SWANCTL_X509AADIR SWANCTLDIR "/x509aa"
+#define SWANCTL_X509AADIR "x509aa"
/**
* Directory for X.509 OCSP Signer certs
*/
-#define SWANCTL_X509OCSPDIR SWANCTLDIR "/x509ocsp"
+#define SWANCTL_X509OCSPDIR "x509ocsp"
/**
* Directory for X.509 CRLs
*/
-#define SWANCTL_X509CRLDIR SWANCTLDIR "/x509crl"
+#define SWANCTL_X509CRLDIR "x509crl"
/**
* Directory for X.509 Attribute certificates
*/
-#define SWANCTL_X509ACDIR SWANCTLDIR "/x509ac"
+#define SWANCTL_X509ACDIR "x509ac"
/**
* Directory for raw public keys
*/
-#define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey"
+#define SWANCTL_PUBKEYDIR "pubkey"
/**
* Directory for private keys
*/
-#define SWANCTL_PRIVATEDIR SWANCTLDIR "/private"
+#define SWANCTL_PRIVATEDIR "private"
/**
* Directory for RSA private keys
*/
-#define SWANCTL_RSADIR SWANCTLDIR "/rsa"
+#define SWANCTL_RSADIR "rsa"
/**
* Directory for ECDSA private keys
*/
-#define SWANCTL_ECDSADIR SWANCTLDIR "/ecdsa"
+#define SWANCTL_ECDSADIR "ecdsa"
/**
* Directory for BLISS private keys
*/
-#define SWANCTL_BLISSDIR SWANCTLDIR "/bliss"
+#define SWANCTL_BLISSDIR "bliss"
/**
* Directory for PKCS#8 encoded private keys
*/
-#define SWANCTL_PKCS8DIR SWANCTLDIR "/pkcs8"
+#define SWANCTL_PKCS8DIR "pkcs8"
/**
* Directory for PKCS#12 containers
*/
-#define SWANCTL_PKCS12DIR SWANCTLDIR "/pkcs12"
+#define SWANCTL_PKCS12DIR "pkcs12"
+
+/**
+ * Load swanctl.conf, optionally from a custom path. Sets the base dir relative
+ * to that file.
+ *
+ * @param file optional custom path to swanctl.conf, NULL to use default
+ * @return settings, or NULL if loading failed
+ */
+settings_t *load_swanctl_conf(char *file);
#endif /** SWANCTL_H_ @}*/
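Review bot: The line `char *swanctl_dir;` added to swanctl.h is a tentative definition rather than a declaration, so every file that includes the header defines the variable and swanctl.c defines it once more. This links only while the toolchain merges common symbols. With `-fno-common`, the default in GCC 10 and later, the build fails with multiple-definition errors. Change the header line to `extern char *swanctl_dir;` and keep the single definition in swanctl.c.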
diff --git a/testing/config/kernel/config-4.19 b/testing/config/kernel/config-4.19
new file mode 100644
index 000000000..79cf9e71e
--- /dev/null
+++ b/testing/config/kernel/config-4.19
@@ -0,0 +1,2690 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 4.19.0 Kernel Configuration
+#
+
+#
+# Compiler: gcc (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0
+#
+CONFIG_CC_IS_GCC=y
+CONFIG_GCC_VERSION=70300
+CONFIG_CLANG_VERSION=0
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+CONFIG_THREAD_INFO_IN_TASK=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_BUILD_SALT=""
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_USELIB=y
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_DOMAIN=y
+CONFIG_IRQ_DOMAIN_HIERARCHY=y
+CONFIG_GENERIC_MSI_IRQ=y
+CONFIG_GENERIC_MSI_IRQ_DOMAIN=y
+CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y
+CONFIG_GENERIC_IRQ_RESERVATION_MODE=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_RCU_EXPERT is not set
+CONFIG_SRCU=y
+CONFIG_TINY_SRCU=y
+CONFIG_BUILD_BIN2C=y
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
+CONFIG_ARCH_SUPPORTS_INT128=y
+CONFIG_CGROUPS=y
+CONFIG_PAGE_COUNTER=y
+CONFIG_MEMCG=y
+CONFIG_MEMCG_SWAP=y
+CONFIG_MEMCG_SWAP_ENABLED=y
+CONFIG_MEMCG_KMEM=y
+CONFIG_BLK_CGROUP=y
+# CONFIG_DEBUG_BLK_CGROUP is not set
+CONFIG_CGROUP_WRITEBACK=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_CFS_BANDWIDTH=y
+# CONFIG_RT_GROUP_SCHED is not set
+CONFIG_CGROUP_PIDS=y
+# CONFIG_CGROUP_RDMA is not set
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_PERF=y
+# CONFIG_CGROUP_DEBUG is not set
+CONFIG_SOCK_CGROUP_DATA=y
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BPF=y
+# CONFIG_EXPERT is not set
+CONFIG_MULTIUSER=y
+CONFIG_SGETMASK_SYSCALL=y
+CONFIG_SYSFS_SYSCALL=y
+CONFIG_FHANDLE=y
+CONFIG_POSIX_TIMERS=y
+CONFIG_PRINTK=y
+CONFIG_PRINTK_NMI=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_FUTEX_PI=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_ADVISE_SYSCALLS=y
+CONFIG_MEMBARRIER=y
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_KALLSYMS_BASE_RELATIVE=y
+# CONFIG_BPF_SYSCALL is not set
+# CONFIG_USERFAULTFD is not set
+CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y
+CONFIG_RSEQ=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+CONFIG_SLAB_MERGE_DEFAULT=y
+# CONFIG_SLAB_FREELIST_RANDOM is not set
+# CONFIG_PROFILING is not set
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_ARCH_MMAP_RND_BITS_MIN=28
+CONFIG_ARCH_MMAP_RND_BITS_MAX=32
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_FILTER_PGPROT=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_FIX_EARLYCON_MEM=y
+CONFIG_PGTABLE_LEVELS=4
+CONFIG_CC_HAS_SANE_STACKPROTECTOR=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_FEATURE_NAMES=y
+CONFIG_X86_MPPARSE=y
+# CONFIG_GOLDFISH is not set
+CONFIG_RETPOLINE=y
+# CONFIG_INTEL_RDT is not set
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_GOLDFISH is not set
+# CONFIG_X86_INTEL_MID is not set
+# CONFIG_X86_INTEL_LPSS is not set
+# CONFIG_X86_AMD_PLATFORM_DEVICE is not set
+CONFIG_IOSF_MBI=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_NR_CPUS_RANGE_BEGIN=1
+CONFIG_NR_CPUS_RANGE_END=1
+CONFIG_NR_CPUS_DEFAULT=1
+CONFIG_NR_CPUS=1
+CONFIG_UP_LATE_INIT=y
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+
+#
+# Performance monitoring
+#
+CONFIG_PERF_EVENTS_INTEL_UNCORE=y
+CONFIG_PERF_EVENTS_INTEL_RAPL=y
+CONFIG_PERF_EVENTS_INTEL_CSTATE=y
+# CONFIG_PERF_EVENTS_AMD_POWER is not set
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX64=y
+CONFIG_X86_VSYSCALL_EMULATION=y
+# CONFIG_I8K is not set
+CONFIG_MICROCODE=y
+CONFIG_MICROCODE_INTEL=y
+# CONFIG_MICROCODE_AMD is not set
+CONFIG_MICROCODE_OLD_INTERFACE=y
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+# CONFIG_X86_5LEVEL is not set
+CONFIG_X86_DIRECT_GBPAGES=y
+CONFIG_ARCH_HAS_MEM_ENCRYPT=y
+# CONFIG_AMD_MEM_ENCRYPT is not set
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+# CONFIG_X86_PMEM_LEGACY is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+CONFIG_X86_INTEL_UMIP=y
+# CONFIG_X86_INTEL_MPX is not set
+CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_KEXEC_FILE is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_PHYSICAL_ALIGN=0x1000000
+CONFIG_LEGACY_VSYSCALL_EMULATE=y
+# CONFIG_LEGACY_VSYSCALL_NONE is not set
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_MODIFY_LDT_SYSCALL=y
+CONFIG_HAVE_LIVEPATCH=y
+CONFIG_ARCH_HAS_ADD_PAGES=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+CONFIG_PM_CLK=y
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ARCH_SUPPORTS_ACPI=y
+CONFIG_ACPI=y
+CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
+CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
+CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
+# CONFIG_ACPI_DEBUGGER is not set
+CONFIG_ACPI_SPCR_TABLE=y
+CONFIG_ACPI_LPIT=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS_POWER is not set
+CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_TAD is not set
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_CPU_FREQ_PSS=y
+CONFIG_ACPI_PROCESSOR_CSTATE=y
+CONFIG_ACPI_PROCESSOR_IDLE=y
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+CONFIG_ACPI_HOTPLUG_IOAPIC=y
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_NFIT is not set
+CONFIG_HAVE_ACPI_APEI=y
+CONFIG_HAVE_ACPI_APEI_NMI=y
+# CONFIG_ACPI_APEI is not set
+# CONFIG_DPTF_POWER is not set
+# CONFIG_PMIC_OPREGION is not set
+# CONFIG_ACPI_CONFIGFS is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_PCI_MSI=y
+CONFIG_PCI_MSI_IRQ_DOMAIN=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_PCI_LOCKLESS_CONFIG=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+CONFIG_PCI_LABEL=y
+# CONFIG_HOTPLUG_PCI is not set
+
+#
+# PCI controller drivers
+#
+
+#
+# Cadence PCIe controllers support
+#
+# CONFIG_VMD is not set
+
+#
+# DesignWare PCI Core Support
+#
+# CONFIG_PCIE_DW_PLAT_HOST is not set
+
+#
+# PCI Endpoint
+#
+# CONFIG_PCI_ENDPOINT is not set
+
+#
+# PCI switch controller drivers
+#
+# CONFIG_PCI_SW_SWITCHTEC is not set
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_RAPIDIO is not set
+# CONFIG_X86_SYSFB is not set
+
+#
+# Binary Emulations
+#
+# CONFIG_IA32_EMULATION is not set
+# CONFIG_X86_X32 is not set
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_HAVE_GENERIC_GUP=y
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_FW_CFG_SYSFS is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# Tegra firmware driver
+#
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_VHOST_NET is not set
+# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set
+
+#
+# General architecture-dependent options
+#
+CONFIG_CRASH_CORE=y
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_FUNCTION_ERROR_INJECTION=y
+CONFIG_HAVE_NMI=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_CONTIGUOUS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_ARCH_HAS_FORTIFY_SOURCE=y
+CONFIG_ARCH_HAS_SET_MEMORY=y
+CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y
+CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_RSEQ=y
+CONFIG_HAVE_CLK=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_STACKPROTECTOR=y
+CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
+CONFIG_STACKPROTECTOR=y
+CONFIG_STACKPROTECTOR_STRONG=y
+CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD=y
+CONFIG_HAVE_ARCH_HUGE_VMAP=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
+CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
+CONFIG_HAVE_EXIT_THREAD=y
+CONFIG_ARCH_MMAP_RND_BITS=28
+CONFIG_HAVE_COPY_THREAD_TLS=y
+CONFIG_HAVE_STACK_VALIDATION=y
+CONFIG_HAVE_RELIABLE_STACKTRACE=y
+CONFIG_HAVE_ARCH_VMAP_STACK=y
+CONFIG_VMAP_STACK=y
+CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y
+CONFIG_STRICT_KERNEL_RWX=y
+CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y
+CONFIG_ARCH_HAS_REFCOUNT=y
+# CONFIG_REFCOUNT_FULL is not set
+CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y
+
+#
+# GCOV-based kernel profiling
+#
+CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
+CONFIG_PLUGIN_HOSTCC=""
+CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_MODULES_TREE_LOOKUP=y
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_DEV_ZONED is not set
+# CONFIG_BLK_DEV_THROTTLING is not set
+# CONFIG_BLK_CMDLINE_PARSER is not set
+# CONFIG_BLK_WBT is not set
+# CONFIG_BLK_CGROUP_IOLATENCY is not set
+# CONFIG_BLK_SED_OPAL is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+CONFIG_BLK_MQ_PCI=y
+CONFIG_BLK_MQ_VIRTIO=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_CFQ_GROUP_IOSCHED is not set
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_MQ_IOSCHED_DEADLINE=y
+CONFIG_MQ_IOSCHED_KYBER=y
+# CONFIG_IOSCHED_BFQ is not set
+CONFIG_ASN1=y
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y
+CONFIG_ARCH_USE_QUEUED_RWLOCKS=y
+CONFIG_ARCH_HAS_SYNC_CORE_BEFORE_USERMODE=y
+CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y
+CONFIG_FREEZER=y
+
+#
+# Executable file formats
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ELFCORE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+
+#
+# Memory Management options
+#
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_MEMORY_BALLOON=y
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_ARCH_WANTS_THP_SWAP=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_CMA is not set
+# CONFIG_ZPOOL is not set
+# CONFIG_ZBUD is not set
+# CONFIG_ZSMALLOC is not set
+CONFIG_GENERIC_EARLY_IOREMAP=y
+# CONFIG_IDLE_PAGE_TRACKING is not set
+CONFIG_ARCH_HAS_ZONE_DEVICE=y
+# CONFIG_ZONE_DEVICE is not set
+CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
+CONFIG_ARCH_HAS_PKEYS=y
+# CONFIG_PERCPU_STATS is not set
+# CONFIG_GUP_BENCHMARK is not set
+CONFIG_ARCH_HAS_PTE_SPECIAL=y
+CONFIG_NET=y
+CONFIG_NET_INGRESS=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_TLS=y
+# CONFIG_TLS_DEVICE is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+# CONFIG_XFRM_INTERFACE is not set
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+CONFIG_NET_IPGRE_DEMUX=y
+CONFIG_NET_IP_TUNNEL=y
+CONFIG_NET_IPGRE=y
+# CONFIG_SYN_COOKIES is not set
+CONFIG_NET_IPVTI=y
+CONFIG_NET_UDP_TUNNEL=y
+# CONFIG_NET_FOU is not set
+# CONFIG_NET_FOU_IP_TUNNELS is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+# CONFIG_INET_ESP_OFFLOAD is not set
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_INET_RAW_DIAG is not set
+# CONFIG_INET_DIAG_DESTROY is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+# CONFIG_INET6_ESP_OFFLOAD is not set
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+# CONFIG_IPV6_ILA is not set
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+CONFIG_IPV6_VTI=y
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_IPV6_SEG6_LWTUNNEL is not set
+# CONFIG_IPV6_SEG6_HMAC is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_INGRESS=y
+CONFIG_NETFILTER_NETLINK=y
+CONFIG_NETFILTER_FAMILY_ARP=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+# CONFIG_NETFILTER_NETLINK_OSF is not set
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_COMMON=y
+# CONFIG_NF_LOG_NETDEV is not set
+CONFIG_NETFILTER_CONNCOUNT=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CONNTRACK_LABELS is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+CONFIG_NF_NAT_REDIRECT=y
+# CONFIG_NF_TABLES is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_L2TP=y
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+# CONFIG_IP_SET_HASH_IPMARK is not set
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+# CONFIG_IP_SET_HASH_IPMAC is not set
+# CONFIG_IP_SET_HASH_MAC is not set
+# CONFIG_IP_SET_HASH_NETPORTNET is not set
+CONFIG_IP_SET_HASH_NET=y
+# CONFIG_IP_SET_HASH_NETNET is not set
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+# CONFIG_NF_SOCKET_IPV4 is not set
+# CONFIG_NF_TPROXY_IPV4 is not set
+# CONFIG_NF_DUP_IPV4 is not set
+# CONFIG_NF_LOG_ARP is not set
+CONFIG_NF_LOG_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_NF_NAT_MASQUERADE_IPV4=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+# CONFIG_NF_SOCKET_IPV6 is not set
+# CONFIG_NF_TPROXY_IPV6 is not set
+# CONFIG_NF_DUP_IPV6 is not set
+CONFIG_NF_REJECT_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_NF_NAT_MASQUERADE_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+# CONFIG_IP6_NF_MATCH_SRH is not set
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+CONFIG_IP6_NF_NAT=y
+CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_TARGET_NPT=y
+CONFIG_NF_DEFRAG_IPV6=y
+# CONFIG_BPFILTER is not set
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_NET_DSA is not set
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_6LOWPAN is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+CONFIG_DNS_RESOLVER=y
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_MPLS is not set
+# CONFIG_NET_NSH is not set
+# CONFIG_HSR is not set
+# CONFIG_NET_SWITCHDEV is not set
+# CONFIG_NET_L3_MASTER_DEV is not set
+# CONFIG_NET_NCSI is not set
+CONFIG_CGROUP_NET_PRIO=y
+CONFIG_CGROUP_NET_CLASSID=y
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+# CONFIG_AF_KCM is not set
+CONFIG_STREAM_PARSER=y
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+# CONFIG_PSAMPLE is not set
+# CONFIG_NET_IFE is not set
+# CONFIG_LWTUNNEL is not set
+CONFIG_DST_CACHE=y
+CONFIG_GRO_CELLS=y
+# CONFIG_NET_DEVLINK is not set
+CONFIG_MAY_USE_DEVLINK=y
+CONFIG_FAILOVER=y
+CONFIG_HAVE_EBPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER=y
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+
+#
+# Firmware loader
+#
+CONFIG_FW_LOADER=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_FW_LOADER_USER_HELPER is not set
+CONFIG_ALLOW_DEV_COREDUMP=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+CONFIG_GENERIC_CPU_VULNERABILITIES=y
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_GNSS is not set
+# CONFIG_MTD is not set
+# CONFIG_OF is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_NULL_BLK is not set
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_SKD is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_VIRTIO_BLK_SCSI is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# NVME Support
+#
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_NVME_FC is not set
+
+#
+# Misc devices
+#
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_SRAM is not set
+# CONFIG_PCI_ENDPOINT_TEST is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module (requires I2C)
+#
+# CONFIG_INTEL_MEI is not set
+# CONFIG_INTEL_MEI_ME is not set
+# CONFIG_INTEL_MEI_TXE is not set
+# CONFIG_VMWARE_VMCI is not set
+
+#
+# Intel MIC & related support
+#
+
+#
+# Intel MIC Bus Driver
+#
+# CONFIG_INTEL_MIC_BUS is not set
+
+#
+# SCIF Bus Driver
+#
+# CONFIG_SCIF_BUS is not set
+
+#
+# VOP Bus Driver
+#
+# CONFIG_VOP_BUS is not set
+
+#
+# Intel MIC Host Driver
+#
+
+#
+# Intel MIC Card Driver
+#
+
+#
+# SCIF Driver
+#
+
+#
+# Intel MIC Coprocessor State Management (COSM) Drivers
+#
+
+#
+# VOP Driver
+#
+# CONFIG_GENWQE is not set
+# CONFIG_ECHO is not set
+# CONFIG_MISC_RTSX_PCI is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_TARGET_CORE is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_IPVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_GENEVE is not set
+# CONFIG_GTP is not set
+CONFIG_MACSEC=y
+# CONFIG_NETCONSOLE is not set
+CONFIG_TUN=y
+# CONFIG_TUN_VNET_CROSS_LE is not set
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+
+#
+# Distributed Switch Architecture drivers
+#
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_AGERE=y
+# CONFIG_ET131X is not set
+CONFIG_NET_VENDOR_ALACRITECH=y
+# CONFIG_SLICOSS is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+# CONFIG_ALTERA_TSE is not set
+CONFIG_NET_VENDOR_AMAZON=y
+# CONFIG_ENA_ETHERNET is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_AMD_XGBE is not set
+CONFIG_NET_VENDOR_AQUANTIA=y
+# CONFIG_AQTION is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+# CONFIG_NET_VENDOR_AURORA is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BCMGENET is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+# CONFIG_SYSTEMPORT is not set
+# CONFIG_BNXT is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+CONFIG_NET_VENDOR_CADENCE=y
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_CAVIUM=y
+# CONFIG_THUNDER_NIC_PF is not set
+# CONFIG_THUNDER_NIC_VF is not set
+# CONFIG_THUNDER_NIC_BGX is not set
+# CONFIG_THUNDER_NIC_RGX is not set
+CONFIG_CAVIUM_PTP=y
+# CONFIG_LIQUIDIO is not set
+# CONFIG_LIQUIDIO_VF is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+CONFIG_NET_VENDOR_CORTINA=y
+# CONFIG_CX_ECAT is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EZCHIP=y
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_HUAWEI=y
+# CONFIG_HINIC is not set
+CONFIG_NET_VENDOR_I825XX=y
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+# CONFIG_I40EVF is not set
+# CONFIG_ICE is not set
+# CONFIG_FM10K is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX5_CORE is not set
+# CONFIG_MLXSW_CORE is not set
+# CONFIG_MLXFW is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MICROSEMI=y
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_NETERION=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_NETRONOME=y
+# CONFIG_NFP is not set
+CONFIG_NET_VENDOR_NI=y
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_ETHOC is not set
+CONFIG_NET_VENDOR_PACKET_ENGINES=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+# CONFIG_QED is not set
+CONFIG_NET_VENDOR_QUALCOMM=y
+# CONFIG_QCOM_EMAC is not set
+# CONFIG_RMNET is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RENESAS=y
+CONFIG_NET_VENDOR_ROCKER=y
+CONFIG_NET_VENDOR_SAMSUNG=y
+# CONFIG_SXGBE_ETH is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SOLARFLARE=y
+# CONFIG_SFC is not set
+# CONFIG_SFC_FALCON is not set
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_SOCIONEXT=y
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_SYNOPSYS=y
+# CONFIG_DWC_XLGMAC is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TI_CPSW_ALE is not set
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_MDIO_DEVICE is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+
+#
+# Host-side USB support is needed for USB Network Adapter support
+#
+CONFIG_WLAN=y
+CONFIG_WLAN_VENDOR_ADMTEK=y
+CONFIG_WLAN_VENDOR_ATH=y
+# CONFIG_ATH_DEBUG is not set
+# CONFIG_ATH5K_PCI is not set
+CONFIG_WLAN_VENDOR_ATMEL=y
+CONFIG_WLAN_VENDOR_BROADCOM=y
+CONFIG_WLAN_VENDOR_CISCO=y
+CONFIG_WLAN_VENDOR_INTEL=y
+CONFIG_WLAN_VENDOR_INTERSIL=y
+# CONFIG_HOSTAP is not set
+# CONFIG_PRISM54 is not set
+CONFIG_WLAN_VENDOR_MARVELL=y
+CONFIG_WLAN_VENDOR_MEDIATEK=y
+CONFIG_WLAN_VENDOR_RALINK=y
+CONFIG_WLAN_VENDOR_REALTEK=y
+CONFIG_WLAN_VENDOR_RSI=y
+CONFIG_WLAN_VENDOR_ST=y
+CONFIG_WLAN_VENDOR_TI=y
+CONFIG_WLAN_VENDOR_ZYDAS=y
+CONFIG_WLAN_VENDOR_QUANTENNA=y
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_FUJITSU_ES is not set
+CONFIG_NET_FAILOVER=y
+# CONFIG_ISDN is not set
+# CONFIG_NVM is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_SAMSUNG is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_BYD=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+CONFIG_MOUSE_PS2_FOCALTECH=y
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+# CONFIG_RMI4_CORE is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_USERIO is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVMEM=y
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_UARTLITE is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+# CONFIG_SERIAL_DEV_BUS is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_XILLYBUS is not set
+# CONFIG_RANDOM_TRUST_CPU is not set
+
+#
+# I2C support
+#
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_SPMI is not set
+# CONFIG_HSI is not set
+# CONFIG_PPS is not set
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+# CONFIG_PINCTRL is not set
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+# CONFIG_POWER_AVS is not set
+# CONFIG_POWER_RESET is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27XXX is not set
+# CONFIG_CHARGER_MAX8903 is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_APPLESMC is not set
+# CONFIG_SENSORS_ASPEED is not set
+# CONFIG_SENSORS_DELL_SMM is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_I5500 is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_NCT6683 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_NPCM7XX is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+# CONFIG_THERMAL_STATISTICS is not set
+CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0
+CONFIG_THERMAL_HWMON=y
+# CONFIG_THERMAL_WRITABLE_TRIPS is not set
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_BANG_BANG is not set
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_POWER_ALLOCATOR is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_INTEL_SOC_DTS_THERMAL is not set
+
+#
+# ACPI INT340X thermal drivers
+#
+# CONFIG_INT340X_THERMAL is not set
+# CONFIG_INTEL_PCH_THERMAL is not set
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_MFD_MADERA is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_INTEL_LPSS_ACPI is not set
+# CONFIG_MFD_INTEL_LPSS_PCI is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_MT6397 is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+CONFIG_RC_CORE=y
+CONFIG_RC_MAP=y
+# CONFIG_LIRC is not set
+CONFIG_RC_DECODERS=y
+CONFIG_IR_NEC_DECODER=y
+CONFIG_IR_RC5_DECODER=y
+CONFIG_IR_RC6_DECODER=y
+CONFIG_IR_JVC_DECODER=y
+CONFIG_IR_SONY_DECODER=y
+CONFIG_IR_SANYO_DECODER=y
+CONFIG_IR_SHARP_DECODER=y
+CONFIG_IR_MCE_KBD_DECODER=y
+CONFIG_IR_XMP_DECODER=y
+# CONFIG_IR_IMON_DECODER is not set
+# CONFIG_RC_DEVICES is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_DRM_DP_CEC is not set
+
+#
+# ACP (Audio CoProcessor) Configuration
+#
+
+#
+# AMD Library routines
+#
+
+#
+# Frame buffer Devices
+#
+# CONFIG_FB is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_DUMMY_CONSOLE_COLUMNS=80
+CONFIG_DUMMY_CONSOLE_ROWS=25
+CONFIG_SOUND=y
+# CONFIG_SND is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+# CONFIG_HID_COUGAR is not set
+# CONFIG_HID_CMEDIA is not set
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_GEMBIRD is not set
+# CONFIG_HID_GFRM is not set
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+CONFIG_HID_ITE=y
+# CONFIG_HID_JABRA is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+# CONFIG_HID_LENOVO is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_HID_LOGITECH_HIDPP is not set
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+# CONFIG_HID_MAYFLASH is not set
+CONFIG_HID_REDRAGON=y
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_NTI is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+CONFIG_HID_PLANTRONICS=y
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEAM is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_RMI is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_UDRAW_PS3 is not set
+# CONFIG_HID_XINMO is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+# CONFIG_HID_ALPS is not set
+
+#
+# Intel ISH HID support
+#
+# CONFIG_INTEL_ISH_HID is not set
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+CONFIG_USB_PCI=y
+
+#
+# USB port drivers
+#
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_TYPEC is not set
+# CONFIG_USB_ULPI_BUS is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+CONFIG_EDAC_ATOMIC_SCRUB=y
+CONFIG_EDAC_SUPPORT=y
+CONFIG_RTC_LIB=y
+CONFIG_RTC_MC146818_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+
+#
+# DMABUF options
+#
+# CONFIG_SYNC_FILE is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+CONFIG_VIRTIO_MENU=y
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_PCI_LEGACY=y
+CONFIG_VIRTIO_BALLOON=y
+# CONFIG_VIRTIO_INPUT is not set
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACER_WIRELESS is not set
+# CONFIG_ACERHDF is not set
+# CONFIG_DELL_SMBIOS is not set
+# CONFIG_DELL_SMO8800 is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_GPD_POCKET_FAN is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_HP_WIRELESS is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ASUS_WIRELESS is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_TOSHIBA_HAPS is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_HID_EVENT is not set
+# CONFIG_INTEL_VBTN is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_INTEL_PMC_CORE is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_INTEL_RST is not set
+# CONFIG_INTEL_SMARTCONNECT is not set
+# CONFIG_PVPANIC is not set
+# CONFIG_INTEL_PMC_IPC is not set
+# CONFIG_SURFACE_PRO3_BUTTON is not set
+# CONFIG_INTEL_PUNIT_IPC is not set
+CONFIG_PMC_ATOM=y
+# CONFIG_CHROME_PLATFORMS is not set
+# CONFIG_MELLANOX_PLATFORM is not set
+CONFIG_CLKDEV_LOOKUP=y
+CONFIG_HAVE_CLK_PREPARE=y
+CONFIG_COMMON_CLK=y
+
+#
+# Common Clock Framework
+#
+# CONFIG_HWSPINLOCK is not set
+
+#
+# Clock Source drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+
+#
+# Generic IOMMU Pagetable Support
+#
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_REMOTEPROC is not set
+
+#
+# Rpmsg drivers
+#
+# CONFIG_RPMSG_VIRTIO is not set
+# CONFIG_SOUNDWIRE is not set
+
+#
+# SOC (System On Chip) specific Drivers
+#
+
+#
+# Amlogic SoC drivers
+#
+
+#
+# Broadcom SoC drivers
+#
+
+#
+# NXP/Freescale QorIQ SoC drivers
+#
+
+#
+# i.MX SoC drivers
+#
+
+#
+# Qualcomm SoC drivers
+#
+# CONFIG_SOC_TI is not set
+
+#
+# Xilinx SoC drivers
+#
+# CONFIG_XILINX_VCU is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+
+#
+# IRQ chip support
+#
+CONFIG_ARM_GIC_MAX_NR=1
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# PHY Subsystem
+#
+# CONFIG_GENERIC_PHY is not set
+# CONFIG_BCM_KONA_USB2_PHY is not set
+# CONFIG_PHY_PXA_28NM_HSIC is not set
+# CONFIG_PHY_PXA_28NM_USB2 is not set
+# CONFIG_POWERCAP is not set
+# CONFIG_MCB is not set
+
+#
+# Performance monitor support
+#
+# CONFIG_RAS is not set
+# CONFIG_THUNDERBOLT is not set
+
+#
+# Android
+#
+# CONFIG_ANDROID is not set
+# CONFIG_LIBNVDIMM is not set
+# CONFIG_DAX is not set
+# CONFIG_NVMEM is not set
+
+#
+# HW tracing support
+#
+# CONFIG_STM is not set
+# CONFIG_INTEL_TH is not set
+# CONFIG_FPGA is not set
+# CONFIG_UNISYS_VISORBUS is not set
+# CONFIG_SIOX is not set
+# CONFIG_SLIMBUS is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_FS_IOMAP=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_FS_POSIX_ACL is not set
+# CONFIG_EXT3_FS_SECURITY is not set
+CONFIG_EXT4_FS=y
+# CONFIG_EXT4_FS_POSIX_ACL is not set
+# CONFIG_EXT4_FS_SECURITY is not set
+# CONFIG_EXT4_ENCRYPTION is not set
+# CONFIG_EXT4_DEBUG is not set
+CONFIG_JBD2=y
+# CONFIG_JBD2_DEBUG is not set
+CONFIG_FS_MBCACHE=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+# CONFIG_F2FS_FS is not set
+# CONFIG_FS_DAX is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_EXPORTFS=y
+# CONFIG_EXPORTFS_BLOCK_OPS is not set
+CONFIG_FILE_LOCKING=y
+CONFIG_MANDATORY_FILE_LOCKING=y
+# CONFIG_FS_ENCRYPTION is not set
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+CONFIG_AUTOFS_FS=y
+# CONFIG_FUSE_FS is not set
+# CONFIG_OVERLAY_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+# CONFIG_PROC_CHILDREN is not set
+CONFIG_KERNFS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+CONFIG_MEMFD_CREATE=y
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ORANGEFS_FS is not set
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_ECRYPT_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+# CONFIG_9P_FS_SECURITY is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Security options
+#
+CONFIG_KEYS=y
+# CONFIG_PERSISTENT_KEYRINGS is not set
+# CONFIG_BIG_KEYS is not set
+# CONFIG_ENCRYPTED_KEYS is not set
+# CONFIG_KEY_DH_OPERATIONS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
+# CONFIG_HARDENED_USERCOPY is not set
+# CONFIG_FORTIFY_SOURCE is not set
+# CONFIG_STATIC_USERMODEHELPER is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_RNG_DEFAULT=y
+CONFIG_CRYPTO_AKCIPHER2=y
+CONFIG_CRYPTO_AKCIPHER=y
+CONFIG_CRYPTO_KPP2=y
+CONFIG_CRYPTO_KPP=y
+CONFIG_CRYPTO_ACOMP2=y
+CONFIG_CRYPTO_RSA=y
+CONFIG_CRYPTO_DH=y
+CONFIG_CRYPTO_ECDH=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_NULL2=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_MCRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_SIMD=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+# CONFIG_CRYPTO_AEGIS128 is not set
+# CONFIG_CRYPTO_AEGIS128L is not set
+# CONFIG_CRYPTO_AEGIS256 is not set
+# CONFIG_CRYPTO_AEGIS128_AESNI_SSE2 is not set
+# CONFIG_CRYPTO_AEGIS128L_AESNI_SSE2 is not set
+# CONFIG_CRYPTO_AEGIS256_AESNI_SSE2 is not set
+# CONFIG_CRYPTO_MORUS640 is not set
+# CONFIG_CRYPTO_MORUS640_SSE2 is not set
+# CONFIG_CRYPTO_MORUS1280 is not set
+# CONFIG_CRYPTO_MORUS1280_SSE2 is not set
+# CONFIG_CRYPTO_MORUS1280_AVX2 is not set
+CONFIG_CRYPTO_SEQIV=y
+CONFIG_CRYPTO_ECHAINIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+# CONFIG_CRYPTO_CFB is not set
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+# CONFIG_CRYPTO_KEYWRAP is not set
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+# CONFIG_CRYPTO_CRCT10DIF is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_POLY1305=y
+CONFIG_CRYPTO_POLY1305_X86_64=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+# CONFIG_CRYPTO_SHA1_MB is not set
+CONFIG_CRYPTO_SHA256_MB=y
+CONFIG_CRYPTO_SHA512_MB=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_SHA3=y
+CONFIG_CRYPTO_SM3=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+# CONFIG_CRYPTO_AES_TI is not set
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_CHACHA20=y
+CONFIG_CRYPTO_CHACHA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_SM4=y
+# CONFIG_CRYPTO_SPECK is not set
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_842=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+# CONFIG_CRYPTO_ZSTD is not set
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_DRBG_MENU=y
+CONFIG_CRYPTO_DRBG_HMAC=y
+CONFIG_CRYPTO_DRBG_HASH=y
+CONFIG_CRYPTO_DRBG_CTR=y
+CONFIG_CRYPTO_DRBG=y
+CONFIG_CRYPTO_JITTERENTROPY=y
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_USER_API_RNG is not set
+CONFIG_CRYPTO_USER_API_AEAD=y
+CONFIG_CRYPTO_HASH_INFO=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_ASYMMETRIC_KEY_TYPE=y
+CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
+CONFIG_X509_CERTIFICATE_PARSER=y
+CONFIG_PKCS7_MESSAGE_PARSER=y
+
+#
+# Certificates for signature checking
+#
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_TRUSTED_KEYS=""
+# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
+# CONFIG_SECONDARY_TRUSTED_KEYRING is not set
+# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_RATIONAL=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+# CONFIG_CRC64 is not set
+# CONFIG_CRC4 is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+# CONFIG_RANDOM32_SELFTEST is not set
+CONFIG_842_COMPRESS=y
+CONFIG_842_DECOMPRESS=y
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=y
+CONFIG_LZ4HC_COMPRESS=y
+CONFIG_LZ4_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_ASSOCIATIVE_ARRAY=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT_MAP=y
+CONFIG_HAS_DMA=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DMA_DIRECT_OPS=y
+CONFIG_SWIOTLB=y
+CONFIG_SGL_ALLOC=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_CLZ_TAB=y
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
+# CONFIG_IRQ_POLL is not set
+CONFIG_MPILIB=y
+CONFIG_OID_REGISTRY=y
+CONFIG_ARCH_HAS_SG_CHAIN=y
+CONFIG_ARCH_HAS_PMEM_API=y
+CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y
+CONFIG_SBITMAP=y
+# CONFIG_STRING_SELFTEST is not set
+
+#
+# Kernel hacking
+#
+
+#
+# printk and dmesg options
+#
+# CONFIG_PRINTK_TIME is not set
+CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7
+CONFIG_CONSOLE_LOGLEVEL_QUIET=4
+CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# Compile-time checks and compiler options
+#
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_INFO_SPLIT is not set
+# CONFIG_DEBUG_INFO_DWARF4 is not set
+# CONFIG_GDB_SCRIPTS is not set
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_PAGE_OWNER is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_SECTION_MISMATCH_WARN_ONLY=y
+CONFIG_STACK_VALIDATION=y
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_PAGE_EXTENSION is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_PAGE_POISONING is not set
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KASAN=y
+# CONFIG_KASAN is not set
+CONFIG_ARCH_HAS_KCOV=y
+CONFIG_CC_HAS_SANCOV_TRACE_PC=y
+# CONFIG_KCOV is not set
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_SOFTLOCKUP_DETECTOR is not set
+CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y
+# CONFIG_HARDLOCKUP_DETECTOR is not set
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_WQ_WATCHDOG is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_PANIC_TIMEOUT=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_SCHED_STACK_END_CHECK is not set
+# CONFIG_DEBUG_TIMEKEEPING is not set
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+CONFIG_LOCK_DEBUGGING_SUPPORT=y
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_LOCK_TORTURE_TEST is not set
+# CONFIG_WW_MUTEX_SELFTEST is not set
+# CONFIG_STACKTRACE is not set
+# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_PI_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_RCU_PERF_TEST is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_RCU_EQS_DEBUG is not set
+# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_PREEMPTIRQ_EVENTS is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_HWLAT_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_HIST_TRIGGERS is not set
+# CONFIG_TRACEPOINT_BENCHMARK is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+CONFIG_RUNTIME_TESTING_MENU=y
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_TEST_SORT is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_INTERVAL_TREE_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_TEST_HEXDUMP is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_TEST_PRINTF is not set
+# CONFIG_TEST_BITMAP is not set
+# CONFIG_TEST_BITFIELD is not set
+# CONFIG_TEST_UUID is not set
+# CONFIG_TEST_OVERFLOW is not set
+# CONFIG_TEST_RHASHTABLE is not set
+# CONFIG_TEST_HASH is not set
+# CONFIG_TEST_IDA is not set
+# CONFIG_FIND_BIT_BENCHMARK is not set
+# CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_SYSCTL is not set
+# CONFIG_TEST_UDELAY is not set
+# CONFIG_MEMTEST is not set
+# CONFIG_BUG_ON_DATA_CORRUPTION is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
+# CONFIG_UBSAN is not set
+CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_EARLY_PRINTK_USB_XDBC is not set
+# CONFIG_X86_PTDUMP is not set
+# CONFIG_DEBUG_WX is not set
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_ENTRY is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+CONFIG_X86_DEBUG_FPU=y
+# CONFIG_PUNIT_ATOM_DEBUG is not set
+CONFIG_UNWINDER_ORC=y
+# CONFIG_UNWINDER_FRAME_POINTER is not set
diff --git a/testing/config/kvm/alice.xml b/testing/config/kvm/alice.xml
index 0bf1eb596..c8ff289db 100644
--- a/testing/config/kvm/alice.xml
+++ b/testing/config/kvm/alice.xml
@@ -1,13 +1,13 @@
<domain type='kvm'>
<name>alice</name>
<uuid>1f35c25d-6a7b-4ee1-2461-d7e530e7b2a9</uuid>
- <memory unit='KiB'>131072</memory>
- <currentMemory unit='KiB'>131072</currentMemory>
+ <memory unit='KiB'>163840</memory>
+ <currentMemory unit='KiB'>163840</currentMemory>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<kernel>/var/run/kvm-swan-kernel</kernel>
- <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+ <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
<boot dev='hd'/>
</os>
<features>
diff --git a/testing/config/kvm/bob.xml b/testing/config/kvm/bob.xml
index f2425b222..0b433a437 100644
--- a/testing/config/kvm/bob.xml
+++ b/testing/config/kvm/bob.xml
@@ -7,7 +7,7 @@
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<kernel>/var/run/kvm-swan-kernel</kernel>
- <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+ <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
<boot dev='hd'/>
</os>
<features>
diff --git a/testing/config/kvm/carol.xml b/testing/config/kvm/carol.xml
index 51a7d8336..3eb163f6c 100644
--- a/testing/config/kvm/carol.xml
+++ b/testing/config/kvm/carol.xml
@@ -7,7 +7,7 @@
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<kernel>/var/run/kvm-swan-kernel</kernel>
- <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+ <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
<boot dev='hd'/>
</os>
<features>
diff --git a/testing/config/kvm/dave.xml b/testing/config/kvm/dave.xml
index 9e26b9629..d8d05a9e9 100644
--- a/testing/config/kvm/dave.xml
+++ b/testing/config/kvm/dave.xml
@@ -7,7 +7,7 @@
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<kernel>/var/run/kvm-swan-kernel</kernel>
- <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+ <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
<boot dev='hd'/>
</os>
<features>
diff --git a/testing/config/kvm/moon.xml b/testing/config/kvm/moon.xml
index 954af7aa1..943ab35b5 100644
--- a/testing/config/kvm/moon.xml
+++ b/testing/config/kvm/moon.xml
@@ -7,7 +7,7 @@
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<kernel>/var/run/kvm-swan-kernel</kernel>
- <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+ <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
<boot dev='hd'/>
</os>
<cpu>
diff --git a/testing/config/kvm/sun.xml b/testing/config/kvm/sun.xml
index c2d26737c..893a4aa37 100644
--- a/testing/config/kvm/sun.xml
+++ b/testing/config/kvm/sun.xml
@@ -7,7 +7,7 @@
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<kernel>/var/run/kvm-swan-kernel</kernel>
- <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+ <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
<boot dev='hd'/>
</os>
<cpu>
diff --git a/testing/config/kvm/venus.xml b/testing/config/kvm/venus.xml
index acc0d361a..a0b60171b 100644
--- a/testing/config/kvm/venus.xml
+++ b/testing/config/kvm/venus.xml
@@ -7,7 +7,7 @@
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<kernel>/var/run/kvm-swan-kernel</kernel>
- <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+ <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
<boot dev='hd'/>
</os>
<features>
diff --git a/testing/config/kvm/winnetou.xml b/testing/config/kvm/winnetou.xml
index b21cb7b08..59d7184f6 100644
--- a/testing/config/kvm/winnetou.xml
+++ b/testing/config/kvm/winnetou.xml
@@ -7,7 +7,7 @@
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<kernel>/var/run/kvm-swan-kernel</kernel>
- <cmdline>root=/dev/vda1 loglevel=1 console=hvc0</cmdline>
+ <cmdline>root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0</cmdline>
<boot dev='hd'/>
</os>
<features>
diff --git a/testing/do-tests b/testing/do-tests
index 52d0d70eb..fad3af8cd 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -51,11 +51,15 @@ subdir_cnt="0"
##############################################################################
# parse optional arguments
#
-while getopts "v" opt
+while getopts "vt" opt
do
case "$opt" in
v)
verbose=YES
+ timestamps=YES
+ ;;
+ t)
+ timestamps=YES
;;
esac
done
@@ -64,7 +68,7 @@ shift $((OPTIND-1))
function print_time()
{
- [ "$verbose" == "YES" ] && echo "$(date +%T.%N) ~ "
+ [ "$timestamps" == "YES" ] && echo "$(date +%T.%N) ~ "
}
##############################################################################
@@ -689,21 +693,25 @@ do
do
eval HOSTLOGIN=root@\$ipv4_${host}
- for file in clients.conf eap.conf radiusd.conf proxy.conf users
+ RADIUS_DIR=/etc/freeradius/3.0
+ RADIUS_EAP_FILE=mods-enabled/eap
+ RADIUS_EAP_NAME=eap
+ if [ "$BASEIMGSUITE" == "jessie" ]
+ then
+ RADIUS_DIR=/etc/freeradius
+ RADIUS_EAP_FILE=eap.conf
+ RADIUS_EAP_NAME=eap.conf
+ fi
+
+ for file in clients.conf radiusd.conf proxy.conf users sites-enabled/default sites-enabled/inner-tunnel $RADIUS_EAP_FILE
do
- scp $SSHCONF $HOSTLOGIN:/etc/freeradius/$file \
- $TESTRESULTDIR/${host}.$file > /dev/null 2>&1
+ scp $SSHCONF $HOSTLOGIN:$RADIUS_DIR/$file \
+ $TESTRESULTDIR/${host}.$(basename $file) > /dev/null 2>&1
done
- scp $SSHCONF $HOSTLOGIN:/etc/strongswan.conf \
- $TESTRESULTDIR/${host}.strongswan.conf > /dev/null 2>&1
-
scp $SSHCONF $HOSTLOGIN:/var/log/freeradius/radius.log \
$TESTRESULTDIR/${host}.radius.log > /dev/null 2>&1
- ssh $SSHCONF $HOSTLOGIN grep imcv /var/log/daemon.log \
- >> $TESTRESULTDIR/${host}.daemon.log 2>/dev/null
-
chmod a+r $TESTRESULTDIR/*
cat >> $TESTRESULTDIR/index.html <<@EOF
<h3>$host</h3>
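Review bot: The new copy loop still discards all scp output, so when `$RADIUS_DIR` or `$RADIUS_EAP_FILE` does not match the layout on the guest (the choice depends only on `$BASEIMGSUITE` being `jessie`), the files are silently missing and the index.html links written in the next hunk point at results that do not exist. Report a failed copy and quote the expansion, e.g. `scp $SSHCONF $HOSTLOGIN:$RADIUS_DIR/$file "$TESTRESULTDIR/${host}.$(basename "$file")" > /dev/null 2>&1 || echo "$host: $RADIUS_DIR/$file not copied" >&2`. The three `RADIUS_*` assignments do not depend on `$host` and can be set once before the host loop, and `RADIUS_EAP_NAME` is always the basename of `RADIUS_EAP_FILE`, so one of the two is redundant. The collected clients.conf carries the RADIUS shared secret (and users presumably holds test credentials), and the `chmod a+r` that follows makes them world-readable, so the result directory should only be published where that is acceptable. The enclosing loop starts and ends outside this hunk.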
@@ -713,14 +721,14 @@ do
<ul>
<li><a href="$host.clients.conf">clients.conf</a></li>
<li><a href="$host.radiusd.conf">radiusd.conf</a></li>
- <li><a href="$host.strongswan.conf">strongswan.conf</a></li>
+ <li><a href="$host.$RADIUS_EAP_NAME">$RADIUS_EAP_NAME</a></li>
</ul>
</td>
<td valign="top">
<ul>
- <li><a href="$host.eap.conf">eap.conf</a></li>
+ <li><a href="$host.default">sites-enabled/default</a></li>
+ <li><a href="$host.inner-tunnel">sites-enabled/inner-tunnel</a></li>
<li><a href="$host.radius.log">radius.log</a></li>
- <li><a href="$host.daemon.log">daemon.log</a></li>
</ul>
</td>
<td valign="top">
diff --git a/testing/hosts/alice/etc/freeradius/3.0/clients.conf b/testing/hosts/alice/etc/freeradius/3.0/clients.conf
new file mode 100644
index 000000000..7fad83c33
--- /dev/null
+++ b/testing/hosts/alice/etc/freeradius/3.0/clients.conf
@@ -0,0 +1,5 @@
+client moon {
+ ipaddr = 10.1.0.1
+ secret = gv6URkSs
+ require_message_authenticator = yes
+}
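Review bot: `secret = gv6URkSs` is a short, fixed shared secret committed in clear text, and nothing in the file marks it as a lab-only value. A leading comment such as `# test-lab shared secret, never reuse outside the test environment` would keep it from being copied into a real deployment. testing/do-tests also copies this file into the test results and makes it world-readable, so the value should be treated as public.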
diff --git a/testing/hosts/alice/etc/freeradius/3.0/radiusd.conf b/testing/hosts/alice/etc/freeradius/3.0/radiusd.conf
new file mode 100644
index 000000000..6139bb90f
--- /dev/null
+++ b/testing/hosts/alice/etc/freeradius/3.0/radiusd.conf
@@ -0,0 +1,99 @@
+# radiusd.conf -- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = /var/log/freeradius
+raddbdir = /etc/freeradius/3.0
+radacctdir = ${logdir}/radacct
+
+# name of the running server. See also the "-n" command-line option.
+name = freeradius
+
+# Location of config and logfiles.
+confdir = ${raddbdir}
+modconfdir = ${confdir}/mods-config
+certdir = ${sysconfdir}/raddb/certs
+cadir = ${sysconfdir}/raddb/certs
+run_dir = ${localstatedir}/run/${name}
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+# pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+# correct_escapes: use correct backslash escaping
+correct_escapes = true
+
+# max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+# cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+# max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+# hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+# Logging section
+log {
+ destination = files
+ colourise = yes
+ file = ${logdir}/radius.log
+ syslog_facility = daemon
+ stripped_names = no
+ auth = yes
+ auth_badpass = yes
+ auth_goodpass = yes
+}
+
+# The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+# SECURITY CONFIGURATION
+security {
+ user = freerad
+ group = freerad
+ allow_core_dumps = no
+ max_attributes = 200
+ reject_delay = 1
+ status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+ auto_limit_acct = no
+}
+
+# MODULE CONFIGURATION
+modules {
+ $INCLUDE ${confdir}/mods-enabled/
+}
+
+# Policies
+policy {
+ $INCLUDE policy.d/
+}
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
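Review bot: The `log` section sets `auth_badpass = yes` and `auth_goodpass = yes`, so radius.log can record the passwords of rejected and accepted requests, and testing/do-tests copies that log into the test results and makes it world-readable. If this is wanted for debugging the scenarios, say so above the two lines, e.g. `# test lab only: log passwords to ease debugging`; otherwise set both to `no`. Separately, `certdir` and `cadir` point at `${sysconfdir}/raddb/certs` while `raddbdir` is `/etc/freeradius/3.0`. That looks like a leftover default and should be confirmed against the EAP module configuration, which is not visible here.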
diff --git a/testing/hosts/alice/etc/freeradius/dictionary b/testing/hosts/alice/etc/freeradius/dictionary
index 59a874b3e..4c2c7ebb4 100644
--- a/testing/hosts/alice/etc/freeradius/dictionary
+++ b/testing/hosts/alice/etc/freeradius/dictionary
@@ -11,7 +11,7 @@
#
# The filename given here should be an absolute path.
#
-$INCLUDE /usr/local/share/freeradius/dictionary
+$INCLUDE /usr/share/freeradius/dictionary
#
# Place additional attributes or $INCLUDEs here. They will
diff --git a/testing/hosts/alice/etc/freeradius/radiusd.conf b/testing/hosts/alice/etc/freeradius/radiusd.conf
index e4f721738..bcdc369d2 100644
--- a/testing/hosts/alice/etc/freeradius/radiusd.conf
+++ b/testing/hosts/alice/etc/freeradius/radiusd.conf
@@ -101,8 +101,6 @@ thread pool {
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
- $INCLUDE sql.conf
- $INCLUDE sql/mysql/counter.conf
}
# Instantiation
diff --git a/testing/hosts/default/etc/ssh/sshd_config b/testing/hosts/default/etc/ssh/sshd_config
index 46b1f0231..cc6f43541 100644
--- a/testing/hosts/default/etc/ssh/sshd_config
+++ b/testing/hosts/default/etc/ssh/sshd_config
@@ -1,7 +1,7 @@
Port 22
Protocol 2
+Ciphers aes128-gcm@openssh.com
HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation no
PermitRootLogin yes
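Review bot: The added `Ciphers aes128-gcm@openssh.com` line restricts sshd to a single cipher and carries no explanation, so a client without AES-GCM support can no longer reach the test hosts and the reader cannot tell whether that is intended. A one-line comment above it stating why the list is pinned would document the intent. Since the same file keeps `PermitRootLogin yes` and `UsePrivilegeSeparation no`, the comment should also say that this configuration is for the isolated test hosts only.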
diff --git a/testing/hosts/default/usr/local/bin/init_collector b/testing/hosts/default/usr/local/bin/init_collector
index c522de874..df1462862 100755
--- a/testing/hosts/default/usr/local/bin/init_collector
+++ b/testing/hosts/default/usr/local/bin/init_collector
@@ -1,4 +1,6 @@
#! /bin/sh
cat /usr/local/share/strongswan/templates/database/sw-collector/sw_collector_tables.sql | sqlite3 /etc/db.d/collector.db
+sed -i "s:DEBIAN_VERSION:`cat /etc/debian_version`:" /etc/pts/collector.sql
+cat /etc/pts/collector.sql | sqlite3 /etc/db.d/collector.db
LEAK_DETECTIVE_DISABLE=1 /usr/local/sbin/sw-collector
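Review bot: The two added lines run unchecked, so if `sed` or `sqlite3` fails the script still starts sw-collector against a database that lacks the rows from collector.sql. A `set -e` after the shebang would stop at the first failure. `sed -i` also rewrites /etc/pts/collector.sql in place, so the placeholder is consumed on the first run and a later run imports the same file again; whether that duplicates rows depends on the SQL, which is not visible here. `$(cat /etc/debian_version)` is preferable to the backtick form.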
diff --git a/testing/hosts/venus/etc/default/isc-dhcp-server b/testing/hosts/venus/etc/default/isc-dhcp-server
new file mode 100644
index 000000000..57a5c81f9
--- /dev/null
+++ b/testing/hosts/venus/etc/default/isc-dhcp-server
@@ -0,0 +1,3 @@
+# explicitly set an interface to avoid having to configure and run DHCPv6
+INTERFACESv4="eth0"
+INTERFACESv6=""
diff --git a/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf b/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf
index 68438a656..e362e138c 100644
--- a/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf
+++ b/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf
@@ -2,3 +2,4 @@ AddType text/plain .conf .log .sql .users
AddType text/plain .secrets .listall .statusall
AddType text/plain .conns .certs .sas .pools .authorities .stats
AddType text/plain .policy .state .route .iptables .iptables-save
+AddType text/plain .eap .default .inner-tunnel
diff --git a/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text b/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text
deleted file mode 100644
index 68438a656..000000000
--- a/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text
+++ /dev/null
@@ -1,4 +0,0 @@
-AddType text/plain .conf .log .sql .users
-AddType text/plain .secrets .listall .statusall
-AddType text/plain .conns .certs .sas .pools .authorities .stats
-AddType text/plain .policy .state .route .iptables .iptables-save
diff --git a/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf
index 0772c34ea..fb9e98424 100644
--- a/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf
+++ b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf
@@ -12,13 +12,7 @@ AddHandler cgi-script .cgi
DirectoryIndex ocsp.cgi
<Directory "/etc/openssl/ocsp">
Options +ExecCGI
- <IfModule mod_authz_core.c>
- Require all granted
- </IfModule>
- <IfModule !mod_authz_core.c>
- Order deny,allow
- Allow from all
- </IfModule>
+ Require all granted
</Directory>
ErrorLog /var/log/apache2/ocsp/error_log
CustomLog /var/log/apache2/ocsp/access_log combined
@@ -34,13 +28,7 @@ Listen 8881
DirectoryIndex ocsp.cgi
<Directory "/etc/openssl/research/ocsp">
Options +ExecCGI
- <IfModule mod_authz_core.c>
- Require all granted
- </IfModule>
- <IfModule !mod_authz_core.c>
- Order deny,allow
- Allow from all
- </IfModule>
+ Require all granted
</Directory>
ErrorLog /var/log/apache2/ocsp/error_log
CustomLog /var/log/apache2/ocsp/access_log combined
@@ -56,13 +44,7 @@ Listen 8882
DirectoryIndex ocsp.cgi
<Directory "/etc/openssl/sales/ocsp">
Options +ExecCGI
- <IfModule mod_authz_core.c>
- Require all granted
- </IfModule>
- <IfModule !mod_authz_core.c>
- Order deny,allow
- Allow from all
- </IfModule>
+ Require all granted
</Directory>
ErrorLog /var/log/apache2/ocsp/error_log
CustomLog /var/log/apache2/ocsp/access_log combined
diff --git a/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf b/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf
index 260171cfd..b610836fc 100644
--- a/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
CAHOME = /etc/openssl/duck
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -82,7 +74,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -117,7 +109,7 @@ organizationName_default = Linux strongSwan
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -154,7 +146,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
####################################################################
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf b/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf
index d31752e30..ddd94d061 100644
--- a/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
-CAHOME = /etc/openssl/ecdsa
+CAHOME = /etc/openssl/ecdsa
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -83,7 +75,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -118,7 +110,7 @@ organizationName_default = Linux strongSwan
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -156,7 +148,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_ec.crl
diff --git a/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf b/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
index 5985b5650..170daba56 100644
--- a/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
CAHOME = /etc/openssl/monster
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -83,7 +75,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -118,7 +110,7 @@ organizationName_default = Linux strongSwan
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -156,7 +148,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan-monster.crl
diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf
index 9078b2043..b1ef68a11 100644
--- a/testing/hosts/winnetou/etc/openssl/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
-CAHOME = /etc/openssl
+CAHOME = /etc/openssl
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -83,7 +75,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -118,7 +110,7 @@ organizationName_default = Linux strongSwan
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -157,7 +149,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl
diff --git a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
index 7099413f0..f5ae64e36 100644
--- a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
CAHOME = /etc/openssl/research
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -82,7 +74,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -117,7 +109,7 @@ organizationName_default = Linux strongSwan
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -155,7 +147,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
crlDistributionPoints = URI:http://crl.strongswan.org/research.crl
####################################################################
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
index 12da734aa..11ff172ac 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
-CAHOME = /etc/openssl/rfc3779
+CAHOME = /etc/openssl/rfc3779
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -83,7 +75,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -113,12 +105,12 @@ organizationName = Organization Name (eg, company)
organizationName_default = Linux strongSwan
0.organizationalUnitName = Organizational Unit Name (eg, section)
-0.organizationalUnitName_default = RFC3779
+0.organizationalUnitName_default = RFC3779
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -173,7 +165,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_rfc3779.crl
diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
index f3ec7e168..f1d080c0b 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser <mario.strasser@zhwin.ch>
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
-CAHOME = /etc/openssl/sales
+CAHOME = /etc/openssl/sales
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -82,7 +74,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -117,7 +109,7 @@ organizationName_default = Linux strongSwan
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -155,7 +147,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
crlDistributionPoints = URI:http://crl.strongswan.org/sales.crl
#authorityInfoAccess = OCSP;URI:http://ocsp2.strongswan.org:8882
diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage
index 95453d620..7c30758bf 100755
--- a/testing/scripts/build-baseimage
+++ b/testing/scripts/build-baseimage
@@ -12,29 +12,34 @@ running_any $STRONGSWANHOSTS && die "Please stop test environment before running
check_commands debootstrap mkfs.ext3 partprobe qemu-img qemu-nbd sfdisk
# package includes/excludes
-INC=automake,autoconf,libtool,bison,flex,gperf,pkg-config,gettext,less
+INC=automake,autoconf,libtool,bison,flex,gperf,pkg-config,gettext,less,locales
INC=$INC,build-essential,libgmp-dev,libldap2-dev,libcurl4-openssl-dev,ethtool
INC=$INC,libxml2-dev,libtspi-dev,libsqlite3-dev,openssh-server,tcpdump,psmisc
INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libltdl-dev,liblog4cxx10-dev
-INC=$INC,libboost-thread-dev,libboost-system-dev,git-core,iperf,htop,screen
+INC=$INC,libboost-thread-dev,libboost-system-dev,git-core,iperf,htop
INC=$INC,gnat,gprbuild,acpid,acpi-support-base,libldns-dev,libunbound-dev
INC=$INC,dnsutils,libsoup2.4-dev,ca-certificates,unzip,libsystemd-dev
INC=$INC,python,python-setuptools,python-dev,python-pip,apt-transport-https
-INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev
+INC=$INC,libjson-c-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev
+INC=$INC,libxerces-c-dev,libgcrypt20-dev,traceroute
case "$BASEIMGSUITE" in
-wheezy)
- INC=$INC,libxerces-c2-dev,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev
- INC=$INC,libalog0.4.1-base-dev
- ;;
jessie)
- INC=$INC,libxerces-c-dev,libahven4-dev,libxmlada5-dev,libgmpada5-dev
- INC=$INC,libalog1-dev,libgcrypt20-dev
+ INC=$INC,libahven4-dev,libxmlada5-dev,libgmpada5-dev
+ INC=$INC,libalog1-dev
+ ;;
+stretch)
+ INC=$INC,libahven5-dev,libxmlada-schema6-dev,libgmpada6-dev
+ INC=$INC,libalog2-dev
;;
*)
echo_warn "Package list for '$BASEIMGSUITE' might has to be updated"
esac
-SERVICES="apache2 dbus isc-dhcp-server slapd bind9"
+SERVICES="apache2 dbus isc-dhcp-server slapd bind9 freeradius"
INC=$INC,${SERVICES// /,}
+# packages to install via APT, for SWIMA tests
+APT="tmux"
+# additional services to disable
+SERVICES="$SERVICES systemd-timesyncd.service"
CACHEDIR=$BUILDDIR/cache
APTCACHE=$LOOPDIR/var/cache/apt/archives
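Review bot: `SERVICES` now means two different things depending on where it is read: it is expanded into `INC` as a package list and then extended with `systemd-timesyncd.service`, which is a unit name and not a package. This works only because the append comes after `INC=$INC,${SERVICES// /,}`, so a later reordering would pass the unit name to debootstrap. A separate variable, e.g. `DISABLE_SERVICES="$SERVICES systemd-timesyncd.service"`, read by the disable loop further down the file, would remove that ordering dependency.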
@@ -86,6 +91,13 @@ execute "debootstrap --arch=$BASEIMGARCH --include=$INC $BASEIMGSUITE $LOOPDIR $
execute "mount -t proc none $LOOPDIR/proc" 0
do_on_exit graceful_umount $LOOPDIR/proc
+log_action "Generating locales"
+cat > $LOOPDIR/etc/locale.gen << EOF
+de_CH.UTF-8 UTF-8
+en_US.UTF-8 UTF-8
+EOF
+execute_chroot "locale-gen"
+
log_action "Downloading signing key for custom apt repo"
execute_chroot "wget -q $BASEIMGEXTKEY -O /tmp/key"
log_action "Installing signing key for custom apt repo"
@@ -107,18 +119,15 @@ log_status $?
log_action "Update package sources"
execute_chroot "apt-get update"
+log_action "Install packages via APT"
+execute_chroot "apt-get -y install $APT"
log_action "Install packages from custom repo"
execute_chroot "apt-get -y upgrade"
for service in $SERVICES
do
log_action "Disabling service $service"
- if [ "$BASEIMGSUITE" == "wheezy" ]
- then
- execute_chroot "update-rc.d -f $service remove"
- else
- execute_chroot "systemctl disable $service"
- fi
+ execute_chroot "systemctl disable $service"
done
log_action "Disabling root password"
diff --git a/testing/scripts/build-guestimages b/testing/scripts/build-guestimages
index 7dd7188c2..5116d095e 100755
--- a/testing/scripts/build-guestimages
+++ b/testing/scripts/build-guestimages
@@ -76,12 +76,7 @@ do
for service in "apache2 slapd bind9"
do
- if [ "$BASEIMGSUITE" == "wheezy" ]
- then
- execute_chroot "update-rc.d $service defaults" 0
- else
- execute_chroot "systemctl enable $service" 0
- fi
+ execute_chroot "systemctl enable $service" 0
done
fi
sync
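Review bot: The loop header `for service in "apache2 slapd bind9"` quotes the list, so the body runs once with all three names in `$service`. With the `update-rc.d` branch gone, this works only because `systemctl enable` accepts several units in one call. Either drop the quotes (`for service in apache2 slapd bind9`) or replace the loop with a single `execute_chroot "systemctl enable apache2 slapd bind9" 0`. The enclosing block starts outside this hunk.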
diff --git a/testing/scripts/build-rootimage b/testing/scripts/build-rootimage
index a84104a90..c6c41ada3 100755
--- a/testing/scripts/build-rootimage
+++ b/testing/scripts/build-rootimage
@@ -55,8 +55,11 @@ do_on_exit umount $LOOPDIR/root/shared
echo "Installing software from source"
RECPDIR=$DIR/recipes
+if [ -d "$RECPDIR/patches" ]
+then
+ execute "cp -r $RECPDIR/patches $LOOPDIR/root/shared/compile" 0
+fi
RECIPES=`ls $RECPDIR/*.mk | xargs -n1 basename`
-execute "cp -r $RECPDIR/patches $LOOPDIR/root/shared/compile" 0
for r in $RECIPES
do
cp $RECPDIR/$r ${LOOPDIR}/root/shared/compile
diff --git a/testing/scripts/recipes/001_libtnc.mk b/testing/scripts/recipes/001_libtnc.mk
deleted file mode 100644
index b835958b7..000000000
--- a/testing/scripts/recipes/001_libtnc.mk
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/make
-
-PV = 1.25
-PKG = libtnc-$(PV)
-TAR = $(PKG).tar.gz
-SRC = http://downloads.sourceforge.net/project/libtnc/libtnc/$(PV)/$(TAR)
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS = \
- --sysconfdir=/etc
-
-all: install
-
-$(TAR):
- wget $(SRC)
-
-.$(PKG)-unpacked: $(TAR)
- tar xfz $(TAR)
- @touch $@
-
-.$(PKG)-configured: .$(PKG)-unpacked
- cd $(PKG) && ./configure $(CONFIG_OPTS)
- @touch $@
-
-.$(PKG)-built: .$(PKG)-configured
- cd $(PKG) && make -j $(NUM_CPUS)
- @touch $@
-
-install: .$(PKG)-built
- cd $(PKG) && make install
diff --git a/testing/scripts/recipes/002_tnc-fhh.mk b/testing/scripts/recipes/002_tnc-fhh.mk
deleted file mode 100644
index d4ed4f99c..000000000
--- a/testing/scripts/recipes/002_tnc-fhh.mk
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/usr/bin/make
-
-PKG = fhhtnc
-SRC = git://github.com/trustatfhh/tnc-fhh.git
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS = \
- -DCOMPONENT=all \
- -DNAL=8021x
-
-PATCHES = \
- tnc-fhh-tncsim
-
-all: install
-
-.$(PKG)-cloned:
- git clone $(SRC) $(PKG)
- mkdir $(PKG)/build
- @touch $@
-
-.$(PKG)-patches-applied: .$(PKG)-cloned
- cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
- @touch $@
-
-.$(PKG)-configured: .$(PKG)-patches-applied
- cd $(PKG)/build && cmake $(CONFIG_OPTS) ../
- @touch $@
-
-.$(PKG)-built: .$(PKG)-configured
- cd $(PKG)/build && make -j $(NUM_CPUS)
- @touch $@
-
-install: .$(PKG)-built
- cd $(PKG)/build && make install
diff --git a/testing/scripts/recipes/003_freeradius.mk b/testing/scripts/recipes/003_freeradius.mk
deleted file mode 100644
index 71cfc238c..000000000
--- a/testing/scripts/recipes/003_freeradius.mk
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/usr/bin/make
-
-PV = 2.2.8
-PKG = freeradius-server-$(PV)
-TAR = $(PKG).tar.bz2
-SRC = ftp://ftp.freeradius.org/pub/freeradius/old/$(TAR)
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS = \
- --with-raddbdir=/etc/freeradius \
- --sysconfdir=/etc \
- --with-logdir=/var/log/freeradius \
- --enable-developer \
- --with-experimental-modules
-
-PATCHES = \
- freeradius-eap-sim-identity \
- freeradius-tnc-fhh
-
-all: install
-
-$(TAR):
- wget $(SRC)
-
-.$(PKG)-unpacked: $(TAR)
- tar xfj $(TAR)
- @touch $@
-
-.$(PKG)-patches-applied: .$(PKG)-unpacked
- cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
- @touch $@
-
-.$(PKG)-configured: .$(PKG)-patches-applied
- cd $(PKG) && ./configure $(CONFIG_OPTS)
- @touch $@
-
-.$(PKG)-built: .$(PKG)-configured
- cd $(PKG) && make -j $(NUM_CPUS)
- @touch $@
-
-install: .$(PKG)-built
- cd $(PKG) && make install
diff --git a/testing/scripts/recipes/004_hostapd.mk b/testing/scripts/recipes/004_hostapd.mk
deleted file mode 100644
index 0acd428c9..000000000
--- a/testing/scripts/recipes/004_hostapd.mk
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/make
-
-PV = 2.0
-PKG = hostapd-$(PV)
-TAR = $(PKG).tar.gz
-SRC = http://w1.fi/releases/$(TAR)
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS =
-
-PATCHES = \
- hostapd-config
-
-SUBDIR = hostapd
-
-all: install
-
-$(TAR):
- wget $(SRC)
-
-.$(PKG)-unpacked: $(TAR)
- tar xfz $(TAR)
- @touch $@
-
-.$(PKG)-patches-applied: .$(PKG)-unpacked
- cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
- @touch $@
-
-.$(PKG)-configured: .$(PKG)-patches-applied
- cp $(PKG)/$(SUBDIR)/defconfig $(PKG)/$(SUBDIR)/.config
- @touch $@
-
-.$(PKG)-built: .$(PKG)-configured
- cd $(PKG)/$(SUBDIR) && make -j $(NUM_CPUS)
- @touch $@
-
-install: .$(PKG)-built
- cd $(PKG)/$(SUBDIR) && make install
diff --git a/testing/scripts/recipes/004_wpa_supplicant.mk b/testing/scripts/recipes/004_wpa_supplicant.mk
deleted file mode 100644
index 4cc870c12..000000000
--- a/testing/scripts/recipes/004_wpa_supplicant.mk
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/make
-
-PV = 2.0
-PKG = wpa_supplicant-$(PV)
-TAR = $(PKG).tar.gz
-SRC = http://w1.fi/releases/$(TAR)
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS =
-
-PATCHES = \
- wpa_supplicant-eap-tnc
-
-SUBDIR = wpa_supplicant
-
-all: install
-
-$(TAR):
- wget $(SRC)
-
-.$(PKG)-unpacked: $(TAR)
- tar xfz $(TAR)
- @touch $@
-
-.$(PKG)-patches-applied: .$(PKG)-unpacked
- cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
- @touch $@
-
-.$(PKG)-configured: .$(PKG)-patches-applied
- cp $(PKG)/$(SUBDIR)/defconfig $(PKG)/$(SUBDIR)/.config
- @touch $@
-
-.$(PKG)-built: .$(PKG)-configured
- cd $(PKG)/$(SUBDIR) && make -j $(NUM_CPUS)
- @touch $@
-
-install: .$(PKG)-built
- cd $(PKG)/$(SUBDIR) && make install
diff --git a/testing/scripts/recipes/005_anet.mk b/testing/scripts/recipes/005_anet.mk
index a6af5df5c..b311c0a99 100644
--- a/testing/scripts/recipes/005_anet.mk
+++ b/testing/scripts/recipes/005_anet.mk
@@ -8,14 +8,15 @@ PREFIX = /usr/local/ada
all: install
-$(PKG):
- git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+ [ -d $(PKG) ] || git clone $(SRC) $(PKG)
+ @touch $@
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
cd $(PKG) && git fetch && git checkout $(REV)
@touch $@
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
cd $(PKG) && make LIBRARY_KIND=static
@touch $@
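Review bot: The new `.$(PKG)-cloned` rule treats any existing directory named `$(PKG)` as a finished clone, so a leftover or half-populated directory is stamped as cloned and the problem only surfaces in the later checkout or build step. Testing for the repository metadata instead, `[ -d $(PKG)/.git ] || git clone $(SRC) $(PKG)`, keeps the skip-if-present behaviour and makes a stray directory fail loudly at `git clone`. Neither form checks that an existing clone's remote is still `$(SRC)`, which matters if `SRC` is ever changed in a recipe; a short comment above the rule saying so would help. The same rule is repeated in the hunks for 006_tkm-rpc.mk through 011_botan.mk, and `SRC` and `REV` are defined outside these hunks.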
diff --git a/testing/scripts/recipes/006_tkm-rpc.mk b/testing/scripts/recipes/006_tkm-rpc.mk
index 5f2e207c8..ed2a62396 100644
--- a/testing/scripts/recipes/006_tkm-rpc.mk
+++ b/testing/scripts/recipes/006_tkm-rpc.mk
@@ -10,14 +10,15 @@ export ADA_PROJECT_PATH=$(PREFIX)/lib/gnat
all: install
-$(PKG):
- git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+ [ -d $(PKG) ] || git clone $(SRC) $(PKG)
+ @touch $@
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
cd $(PKG) && git fetch && git checkout $(REV)
@touch $@
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
cd $(PKG) && make
@touch $@
diff --git a/testing/scripts/recipes/007_x509-ada.mk b/testing/scripts/recipes/007_x509-ada.mk
index 7899f6dec..57a106dea 100644
--- a/testing/scripts/recipes/007_x509-ada.mk
+++ b/testing/scripts/recipes/007_x509-ada.mk
@@ -8,14 +8,15 @@ PREFIX = /usr/local/ada
all: install
-$(PKG):
- git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+ [ -d $(PKG) ] || git clone $(SRC) $(PKG)
+ @touch $@
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
cd $(PKG) && git fetch && git checkout $(REV)
@touch $@
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
cd $(PKG) && make tests && make
@touch $@
diff --git a/testing/scripts/recipes/008_xfrm-ada.mk b/testing/scripts/recipes/008_xfrm-ada.mk
index ad1cbb2bc..64ada0e45 100644
--- a/testing/scripts/recipes/008_xfrm-ada.mk
+++ b/testing/scripts/recipes/008_xfrm-ada.mk
@@ -10,14 +10,15 @@ export ADA_PROJECT_PATH=$(PREFIX)/lib/gnat
all: install
-$(PKG):
- git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+ [ -d $(PKG) ] || git clone $(SRC) $(PKG)
+ @touch $@
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
cd $(PKG) && git fetch && git checkout $(REV)
@touch $@
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
cd $(PKG) && make
@touch $@
diff --git a/testing/scripts/recipes/009_xfrm-proxy.mk b/testing/scripts/recipes/009_xfrm-proxy.mk
index a7c9d31cc..bdf5b1211 100644
--- a/testing/scripts/recipes/009_xfrm-proxy.mk
+++ b/testing/scripts/recipes/009_xfrm-proxy.mk
@@ -8,14 +8,15 @@ export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
all: install
-$(PKG):
- git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+ [ -d $(PKG) ] || git clone $(SRC) $(PKG)
+ @touch $@
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
cd $(PKG) && git fetch && git checkout $(REV)
@touch $@
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
cd $(PKG) && make
@touch $@
diff --git a/testing/scripts/recipes/010_tkm.mk b/testing/scripts/recipes/010_tkm.mk
index 03ee5b526..2651660db 100644
--- a/testing/scripts/recipes/010_tkm.mk
+++ b/testing/scripts/recipes/010_tkm.mk
@@ -8,14 +8,15 @@ export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
all: install
-$(PKG):
- git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+ [ -d $(PKG) ] || git clone $(SRC) $(PKG)
+ @touch $@
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
cd $(PKG) && git fetch && git checkout $(REV)
@touch $@
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
cd $(PKG) && make
@touch $@
diff --git a/testing/scripts/recipes/011_botan.mk b/testing/scripts/recipes/011_botan.mk
index ef0f6d066..215e92365 100644
--- a/testing/scripts/recipes/011_botan.mk
+++ b/testing/scripts/recipes/011_botan.mk
@@ -2,8 +2,7 @@
PKG = botan
SRC = https://github.com/randombit/$(PKG).git
-# will have to be changed to the 2.8.0 tag later
-REV = 1872f899716854927ecc68022fac318735be8824
+REV = 2.8.0
NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
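Review bot: `REV = 2.8.0` replaces a full commit id with a tag name, and because a tag can be re-pointed upstream, a fresh clone followed by `git checkout $(REV)` builds whatever the tag names at that moment rather than a fixed tree. Keeping the pin on the commit the tag points to preserves reproducibility, with the release named in a comment on its own line (a trailing comment would leave whitespace in the value): `# botan 2.8.0` above `REV = <commit-id-of-2.8.0-tag>`, where the id is a placeholder because it is not on this page. If the tag name is kept for readability, checking the tag's signature after checkout is an alternative, provided upstream signs its release tags, which this page does not show.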
@@ -15,14 +14,15 @@ CONFIG_OPTS = \
all: install
-$(PKG):
- git clone $(SRC) $(PKG)
+.$(PKG)-cloned:
+ [ -d $(PKG) ] || git clone $(SRC) $(PKG)
+ @touch $@
-.$(PKG)-cloned-$(REV): $(PKG)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
cd $(PKG) && git fetch && git checkout $(REV)
@touch $@
-.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV)
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
cd $(PKG) && python ./configure.py $(CONFIG_OPTS) && make -j $(NUM_CPUS)
@touch $@
diff --git a/testing/scripts/recipes/patches/freeradius-eap-sim-identity b/testing/scripts/recipes/patches/freeradius-eap-sim-identity
deleted file mode 100644
index 1ab95ecc6..000000000
--- a/testing/scripts/recipes/patches/freeradius-eap-sim-identity
+++ /dev/null
@@ -1,30 +0,0 @@
---- a/src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c 2012-11-28 11:03:05.081225276 +0100
-+++ b/src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c 2012-11-28 11:46:59.746289881 +0100
-@@ -246,14 +246,21 @@
- newvp->vp_integer = ess->sim_id++;
- pairreplace(outvps, newvp);
-
-+ ess->keys.identitylen = strlen(handler->identity);
-+ memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen);
-+
- /* make a copy of the identity */
- newvp = pairfind(*invps, ATTRIBUTE_EAP_SIM_BASE + PW_EAP_SIM_IDENTITY);
-- if (newvp) {
-- ess->keys.identitylen = newvp->length;
-- memcpy(ess->keys.identity, newvp->vp_octets, newvp->length);
-- } else {
-- ess->keys.identitylen = strlen(handler->identity);
-- memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen);
-+ if (newvp && newvp->length > 2) {
-+ uint16_t len;
-+
-+ memcpy(&len, newvp->vp_octets, sizeof(uint16_t));
-+ len = ntohs(len);
-+ if (len <= newvp->length - 2 && len <= MAX_STRING_LEN) {
-+ ess->keys.identitylen = len;
-+ memcpy(ess->keys.identity, newvp->vp_octets + 2,
-+ ess->keys.identitylen);
-+ }
- }
-
- /* all set, calculate keys! */
diff --git a/testing/scripts/recipes/patches/freeradius-tnc-fhh b/testing/scripts/recipes/patches/freeradius-tnc-fhh
deleted file mode 100644
index 26a233d48..000000000
--- a/testing/scripts/recipes/patches/freeradius-tnc-fhh
+++ /dev/null
@@ -1,6687 +0,0 @@
-diff -u -r -N freeradius-server-2.2.0.orig/share/dictionary freeradius-server-2.2.0/share/dictionary
---- freeradius-server-2.2.0.orig/share/dictionary 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/share/dictionary 2012-12-04 19:39:42.261423097 +0100
-@@ -196,6 +196,7 @@
- $INCLUDE dictionary.starent
- $INCLUDE dictionary.symbol
- $INCLUDE dictionary.telebit
-+$INCLUDE dictionary.tncfhh
- $INCLUDE dictionary.terena
- $INCLUDE dictionary.trapeze
- $INCLUDE dictionary.tropos
-diff -u -r -N freeradius-server-2.2.0.orig/share/dictionary.tncfhh freeradius-server-2.2.0/share/dictionary.tncfhh
---- freeradius-server-2.2.0.orig/share/dictionary.tncfhh 1970-01-01 01:00:00.000000000 +0100
-+++ freeradius-server-2.2.0/share/dictionary.tncfhh 2012-12-04 19:39:49.645421869 +0100
-@@ -0,0 +1,20 @@
-+# -*- text -*-
-+# Dictionary for the tnc@fhh Server.
-+#
-+# Website: http://trust.inform.fh-hannover.de
-+#
-+# Version: 0.8.4
-+# Author: Bastian Hellmann
-+# Email: trust@f4-i.fh-hannover.de
-+#
-+
-+VENDOR tncfhh 10000
-+BEGIN-VENDOR tncfhh
-+
-+ATTRIBUTE TNC-Status 1 integer
-+
-+VALUE TNC-Status Access 0
-+VALUE TNC-Status Isolate 1
-+VALUE TNC-Status None 2
-+
-+END-VENDOR tncfhh
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure 2012-12-04 19:38:00.237420970 +0100
-@@ -1,61 +1,84 @@
- #! /bin/sh
- # From configure.in Revision.
- # Guess values for system-dependent variables and create Makefiles.
--# Generated by GNU Autoconf 2.61.
-+# Generated by GNU Autoconf 2.67.
-+#
- #
- # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
--# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
-+# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
-+# Foundation, Inc.
-+#
-+#
- # This configure script is free software; the Free Software Foundation
- # gives unlimited permission to copy, distribute and modify it.
--## --------------------- ##
--## M4sh Initialization. ##
--## --------------------- ##
-+## -------------------- ##
-+## M4sh Initialization. ##
-+## -------------------- ##
-
- # Be more Bourne compatible
- DUALCASE=1; export DUALCASE # for MKS sh
--if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
- emulate sh
- NULLCMD=:
-- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-+ # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
- # is contrary to our usage. Disable this feature.
- alias -g '${1+"$@"}'='"$@"'
- setopt NO_GLOB_SUBST
- else
-- case `(set -o) 2>/dev/null` in
-- *posix*) set -o posix ;;
-+ case `(set -o) 2>/dev/null` in #(
-+ *posix*) :
-+ set -o posix ;; #(
-+ *) :
-+ ;;
- esac
--
- fi
-
-
--
--
--# PATH needs CR
--# Avoid depending upon Character Ranges.
--as_cr_letters='abcdefghijklmnopqrstuvwxyz'
--as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
--as_cr_Letters=$as_cr_letters$as_cr_LETTERS
--as_cr_digits='0123456789'
--as_cr_alnum=$as_cr_Letters$as_cr_digits
--
--# The user is always right.
--if test "${PATH_SEPARATOR+set}" != set; then
-- echo "#! /bin/sh" >conf$$.sh
-- echo "exit 0" >>conf$$.sh
-- chmod +x conf$$.sh
-- if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
-- PATH_SEPARATOR=';'
-+as_nl='
-+'
-+export as_nl
-+# Printing a long string crashes Solaris 7 /usr/bin/printf.
-+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
-+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
-+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
-+# Prefer a ksh shell builtin over an external printf program on Solaris,
-+# but without wasting forks for bash or zsh.
-+if test -z "$BASH_VERSION$ZSH_VERSION" \
-+ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
-+ as_echo='print -r --'
-+ as_echo_n='print -rn --'
-+elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
-+ as_echo='printf %s\n'
-+ as_echo_n='printf %s'
-+else
-+ if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
-+ as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
-+ as_echo_n='/usr/ucb/echo -n'
- else
-- PATH_SEPARATOR=:
-+ as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
-+ as_echo_n_body='eval
-+ arg=$1;
-+ case $arg in #(
-+ *"$as_nl"*)
-+ expr "X$arg" : "X\\(.*\\)$as_nl";
-+ arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
-+ esac;
-+ expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
-+ '
-+ export as_echo_n_body
-+ as_echo_n='sh -c $as_echo_n_body as_echo'
- fi
-- rm -f conf$$.sh
-+ export as_echo_body
-+ as_echo='sh -c $as_echo_body as_echo'
- fi
-
--# Support unset when possible.
--if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
-- as_unset=unset
--else
-- as_unset=false
-+# The user is always right.
-+if test "${PATH_SEPARATOR+set}" != set; then
-+ PATH_SEPARATOR=:
-+ (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
-+ (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
-+ PATH_SEPARATOR=';'
-+ }
- fi
-
-
-@@ -64,20 +87,18 @@
- # there to prevent editors from complaining about space-tab.
- # (If _AS_PATH_WALK were called with IFS unset, it would disable word
- # splitting by setting IFS to empty value.)
--as_nl='
--'
- IFS=" "" $as_nl"
-
- # Find who we are. Look in the path if we contain no directory separator.
--case $0 in
-+case $0 in #((
- *[\\/]* ) as_myself=$0 ;;
- *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
- for as_dir in $PATH
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
--done
-+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-+ done
- IFS=$as_save_IFS
-
- ;;
-@@ -88,354 +109,321 @@
- as_myself=$0
- fi
- if test ! -f "$as_myself"; then
-- echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
-- { (exit 1); exit 1; }
-+ $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
-+ exit 1
- fi
-
--# Work around bugs in pre-3.0 UWIN ksh.
--for as_var in ENV MAIL MAILPATH
--do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-+# Unset variables that we do not need and which cause bugs (e.g. in
-+# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1"
-+# suppresses any "Segmentation fault" message there. '((' could
-+# trigger a bug in pdksh 5.2.14.
-+for as_var in BASH_ENV ENV MAIL MAILPATH
-+do eval test x\${$as_var+set} = xset \
-+ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
- done
- PS1='$ '
- PS2='> '
- PS4='+ '
-
- # NLS nuisances.
--for as_var in \
-- LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
-- LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
-- LC_TELEPHONE LC_TIME
--do
-- if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
-- eval $as_var=C; export $as_var
-- else
-- ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-- fi
--done
--
--# Required to use basename.
--if expr a : '\(a\)' >/dev/null 2>&1 &&
-- test "X`expr 00001 : '.*\(...\)'`" = X001; then
-- as_expr=expr
--else
-- as_expr=false
--fi
--
--if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
-- as_basename=basename
--else
-- as_basename=false
--fi
--
--
--# Name of the executable.
--as_me=`$as_basename -- "$0" ||
--$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
-- X"$0" : 'X\(//\)$' \| \
-- X"$0" : 'X\(/\)' \| . 2>/dev/null ||
--echo X/"$0" |
-- sed '/^.*\/\([^/][^/]*\)\/*$/{
-- s//\1/
-- q
-- }
-- /^X\/\(\/\/\)$/{
-- s//\1/
-- q
-- }
-- /^X\/\(\/\).*/{
-- s//\1/
-- q
-- }
-- s/.*/./; q'`
-+LC_ALL=C
-+export LC_ALL
-+LANGUAGE=C
-+export LANGUAGE
-
- # CDPATH.
--$as_unset CDPATH
--
-+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
- if test "x$CONFIG_SHELL" = x; then
-- if (eval ":") 2>/dev/null; then
-- as_have_required=yes
-+ as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
-+ emulate sh
-+ NULLCMD=:
-+ # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which
-+ # is contrary to our usage. Disable this feature.
-+ alias -g '\${1+\"\$@\"}'='\"\$@\"'
-+ setopt NO_GLOB_SUBST
- else
-- as_have_required=no
-+ case \`(set -o) 2>/dev/null\` in #(
-+ *posix*) :
-+ set -o posix ;; #(
-+ *) :
-+ ;;
-+esac
- fi
--
-- if test $as_have_required = yes && (eval ":
--(as_func_return () {
-- (exit \$1)
--}
--as_func_success () {
-- as_func_return 0
--}
--as_func_failure () {
-- as_func_return 1
--}
--as_func_ret_success () {
-- return 0
--}
--as_func_ret_failure () {
-- return 1
--}
-+"
-+ as_required="as_fn_return () { (exit \$1); }
-+as_fn_success () { as_fn_return 0; }
-+as_fn_failure () { as_fn_return 1; }
-+as_fn_ret_success () { return 0; }
-+as_fn_ret_failure () { return 1; }
-
- exitcode=0
--if as_func_success; then
-- :
--else
-- exitcode=1
-- echo as_func_success failed.
--fi
--
--if as_func_failure; then
-- exitcode=1
-- echo as_func_failure succeeded.
--fi
--
--if as_func_ret_success; then
-- :
--else
-- exitcode=1
-- echo as_func_ret_success failed.
--fi
--
--if as_func_ret_failure; then
-- exitcode=1
-- echo as_func_ret_failure succeeded.
--fi
--
--if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
-- :
-+as_fn_success || { exitcode=1; echo as_fn_success failed.; }
-+as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; }
-+as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; }
-+as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; }
-+if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :
-+
-+else
-+ exitcode=1; echo positional parameters were not saved.
-+fi
-+test x\$exitcode = x0 || exit 1"
-+ as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
-+ as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
-+ eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
-+ test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1
-+test \$(( 1 + 1 )) = 2 || exit 1"
-+ if (eval "$as_required") 2>/dev/null; then :
-+ as_have_required=yes
- else
-- exitcode=1
-- echo positional parameters were not saved.
-+ as_have_required=no
- fi
-+ if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then :
-
--test \$exitcode = 0) || { (exit 1); exit 1; }
--
--(
-- as_lineno_1=\$LINENO
-- as_lineno_2=\$LINENO
-- test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" &&
-- test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; }
--") 2> /dev/null; then
-- :
- else
-- as_candidate_shells=
-- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+as_found=false
- for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- case $as_dir in
-+ as_found=:
-+ case $as_dir in #(
- /*)
- for as_base in sh bash ksh sh5; do
-- as_candidate_shells="$as_candidate_shells $as_dir/$as_base"
-+ # Try only shells that exist, to save several forks.
-+ as_shell=$as_dir/$as_base
-+ if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
-+ { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then :
-+ CONFIG_SHELL=$as_shell as_have_required=yes
-+ if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then :
-+ break 2
-+fi
-+fi
- done;;
- esac
-+ as_found=false
- done
-+$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } &&
-+ { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then :
-+ CONFIG_SHELL=$SHELL as_have_required=yes
-+fi; }
- IFS=$as_save_IFS
-
-
-- for as_shell in $as_candidate_shells $SHELL; do
-- # Try only shells that exist, to save several forks.
-- if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
-- { ("$as_shell") 2> /dev/null <<\_ASEOF
--if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-- emulate sh
-- NULLCMD=:
-- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-- # is contrary to our usage. Disable this feature.
-- alias -g '${1+"$@"}'='"$@"'
-- setopt NO_GLOB_SUBST
--else
-- case `(set -o) 2>/dev/null` in
-- *posix*) set -o posix ;;
--esac
--
-+ if test "x$CONFIG_SHELL" != x; then :
-+ # We cannot yet assume a decent shell, so we have to provide a
-+ # neutralization value for shells without unset; and this also
-+ # works around shells that cannot unset nonexistent variables.
-+ BASH_ENV=/dev/null
-+ ENV=/dev/null
-+ (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
-+ export CONFIG_SHELL
-+ exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
-+fi
-+
-+ if test x$as_have_required = xno; then :
-+ $as_echo "$0: This script requires a shell more modern than all"
-+ $as_echo "$0: the shells that I found on your system."
-+ if test x${ZSH_VERSION+set} = xset ; then
-+ $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should"
-+ $as_echo "$0: be upgraded to zsh 4.3.4 or later."
-+ else
-+ $as_echo "$0: Please tell bug-autoconf@gnu.org about your system,
-+$0: including any error possibly output before this
-+$0: message. Then install a modern shell, or manually run
-+$0: the script under such a shell if you do have one."
-+ fi
-+ exit 1
- fi
--
--
--:
--_ASEOF
--}; then
-- CONFIG_SHELL=$as_shell
-- as_have_required=yes
-- if { "$as_shell" 2> /dev/null <<\_ASEOF
--if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-- emulate sh
-- NULLCMD=:
-- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-- # is contrary to our usage. Disable this feature.
-- alias -g '${1+"$@"}'='"$@"'
-- setopt NO_GLOB_SUBST
--else
-- case `(set -o) 2>/dev/null` in
-- *posix*) set -o posix ;;
--esac
--
- fi
-+fi
-+SHELL=${CONFIG_SHELL-/bin/sh}
-+export SHELL
-+# Unset more variables known to interfere with behavior of common tools.
-+CLICOLOR_FORCE= GREP_OPTIONS=
-+unset CLICOLOR_FORCE GREP_OPTIONS
-
--
--:
--(as_func_return () {
-- (exit $1)
--}
--as_func_success () {
-- as_func_return 0
--}
--as_func_failure () {
-- as_func_return 1
--}
--as_func_ret_success () {
-- return 0
--}
--as_func_ret_failure () {
-- return 1
-+## --------------------- ##
-+## M4sh Shell Functions. ##
-+## --------------------- ##
-+# as_fn_unset VAR
-+# ---------------
-+# Portably unset VAR.
-+as_fn_unset ()
-+{
-+ { eval $1=; unset $1;}
- }
-+as_unset=as_fn_unset
-
--exitcode=0
--if as_func_success; then
-- :
--else
-- exitcode=1
-- echo as_func_success failed.
--fi
-+# as_fn_set_status STATUS
-+# -----------------------
-+# Set $? to STATUS, without forking.
-+as_fn_set_status ()
-+{
-+ return $1
-+} # as_fn_set_status
-
--if as_func_failure; then
-- exitcode=1
-- echo as_func_failure succeeded.
--fi
-+# as_fn_exit STATUS
-+# -----------------
-+# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
-+as_fn_exit ()
-+{
-+ set +e
-+ as_fn_set_status $1
-+ exit $1
-+} # as_fn_exit
-+
-+# as_fn_mkdir_p
-+# -------------
-+# Create "$as_dir" as a directory, including parents if necessary.
-+as_fn_mkdir_p ()
-+{
-
--if as_func_ret_success; then
-- :
--else
-- exitcode=1
-- echo as_func_ret_success failed.
--fi
-+ case $as_dir in #(
-+ -*) as_dir=./$as_dir;;
-+ esac
-+ test -d "$as_dir" || eval $as_mkdir_p || {
-+ as_dirs=
-+ while :; do
-+ case $as_dir in #(
-+ *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
-+ *) as_qdir=$as_dir;;
-+ esac
-+ as_dirs="'$as_qdir' $as_dirs"
-+ as_dir=`$as_dirname -- "$as_dir" ||
-+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-+ X"$as_dir" : 'X\(//\)[^/]' \| \
-+ X"$as_dir" : 'X\(//\)$' \| \
-+ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
-+$as_echo X"$as_dir" |
-+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-+ s//\1/
-+ q
-+ }
-+ /^X\(\/\/\)[^/].*/{
-+ s//\1/
-+ q
-+ }
-+ /^X\(\/\/\)$/{
-+ s//\1/
-+ q
-+ }
-+ /^X\(\/\).*/{
-+ s//\1/
-+ q
-+ }
-+ s/.*/./; q'`
-+ test -d "$as_dir" && break
-+ done
-+ test -z "$as_dirs" || eval "mkdir $as_dirs"
-+ } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
-
--if as_func_ret_failure; then
-- exitcode=1
-- echo as_func_ret_failure succeeded.
--fi
-
--if ( set x; as_func_ret_success y && test x = "$1" ); then
-- :
-+} # as_fn_mkdir_p
-+# as_fn_append VAR VALUE
-+# ----------------------
-+# Append the text in VALUE to the end of the definition contained in VAR. Take
-+# advantage of any shell optimizations that allow amortized linear growth over
-+# repeated appends, instead of the typical quadratic growth present in naive
-+# implementations.
-+if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
-+ eval 'as_fn_append ()
-+ {
-+ eval $1+=\$2
-+ }'
- else
-- exitcode=1
-- echo positional parameters were not saved.
--fi
--
--test $exitcode = 0) || { (exit 1); exit 1; }
--
--(
-- as_lineno_1=$LINENO
-- as_lineno_2=$LINENO
-- test "x$as_lineno_1" != "x$as_lineno_2" &&
-- test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; }
--
--_ASEOF
--}; then
-- break
--fi
--
--fi
--
-- done
--
-- if test "x$CONFIG_SHELL" != x; then
-- for as_var in BASH_ENV ENV
-- do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-- done
-- export CONFIG_SHELL
-- exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
--fi
--
--
-- if test $as_have_required = no; then
-- echo This script requires a shell more modern than all the
-- echo shells that I found on your system. Please install a
-- echo modern shell, or manually run the script under such a
-- echo shell if you do have one.
-- { (exit 1); exit 1; }
--fi
--
--
--fi
--
--fi
--
-+ as_fn_append ()
-+ {
-+ eval $1=\$$1\$2
-+ }
-+fi # as_fn_append
-+
-+# as_fn_arith ARG...
-+# ------------------
-+# Perform arithmetic evaluation on the ARGs, and store the result in the
-+# global $as_val. Take advantage of shells that can avoid forks. The arguments
-+# must be portable across $(()) and expr.
-+if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
-+ eval 'as_fn_arith ()
-+ {
-+ as_val=$(( $* ))
-+ }'
-+else
-+ as_fn_arith ()
-+ {
-+ as_val=`expr "$@" || test $? -eq 1`
-+ }
-+fi # as_fn_arith
-
-
--(eval "as_func_return () {
-- (exit \$1)
--}
--as_func_success () {
-- as_func_return 0
--}
--as_func_failure () {
-- as_func_return 1
--}
--as_func_ret_success () {
-- return 0
--}
--as_func_ret_failure () {
-- return 1
--}
-+# as_fn_error STATUS ERROR [LINENO LOG_FD]
-+# ----------------------------------------
-+# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
-+# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
-+# script with STATUS, using 1 if that was 0.
-+as_fn_error ()
-+{
-+ as_status=$1; test $as_status -eq 0 && as_status=1
-+ if test "$4"; then
-+ as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
-+ fi
-+ $as_echo "$as_me: error: $2" >&2
-+ as_fn_exit $as_status
-+} # as_fn_error
-
--exitcode=0
--if as_func_success; then
-- :
-+if expr a : '\(a\)' >/dev/null 2>&1 &&
-+ test "X`expr 00001 : '.*\(...\)'`" = X001; then
-+ as_expr=expr
- else
-- exitcode=1
-- echo as_func_success failed.
--fi
--
--if as_func_failure; then
-- exitcode=1
-- echo as_func_failure succeeded.
-+ as_expr=false
- fi
-
--if as_func_ret_success; then
-- :
-+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
-+ as_basename=basename
- else
-- exitcode=1
-- echo as_func_ret_success failed.
--fi
--
--if as_func_ret_failure; then
-- exitcode=1
-- echo as_func_ret_failure succeeded.
-+ as_basename=false
- fi
-
--if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
-- :
-+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
-+ as_dirname=dirname
- else
-- exitcode=1
-- echo positional parameters were not saved.
-+ as_dirname=false
- fi
-
--test \$exitcode = 0") || {
-- echo No shell found that supports shell functions.
-- echo Please tell autoconf@gnu.org about your system,
-- echo including any error possibly output before this
-- echo message
--}
-+as_me=`$as_basename -- "$0" ||
-+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
-+ X"$0" : 'X\(//\)$' \| \
-+ X"$0" : 'X\(/\)' \| . 2>/dev/null ||
-+$as_echo X/"$0" |
-+ sed '/^.*\/\([^/][^/]*\)\/*$/{
-+ s//\1/
-+ q
-+ }
-+ /^X\/\(\/\/\)$/{
-+ s//\1/
-+ q
-+ }
-+ /^X\/\(\/\).*/{
-+ s//\1/
-+ q
-+ }
-+ s/.*/./; q'`
-
-+# Avoid depending upon Character Ranges.
-+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-+as_cr_digits='0123456789'
-+as_cr_alnum=$as_cr_Letters$as_cr_digits
-
-
-- as_lineno_1=$LINENO
-- as_lineno_2=$LINENO
-- test "x$as_lineno_1" != "x$as_lineno_2" &&
-- test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
--
-- # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
-- # uniformly replaced by the line number. The first 'sed' inserts a
-- # line-number line after each line using $LINENO; the second 'sed'
-- # does the real work. The second script uses 'N' to pair each
-- # line-number line with the line containing $LINENO, and appends
-- # trailing '-' during substitution so that $LINENO is not a special
-- # case at line end.
-- # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
-- # scripts with optimization help from Paolo Bonzini. Blame Lee
-- # E. McMahon (1931-1989) for sed's syntax. :-)
-+ as_lineno_1=$LINENO as_lineno_1a=$LINENO
-+ as_lineno_2=$LINENO as_lineno_2a=$LINENO
-+ eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" &&
-+ test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || {
-+ # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-)
- sed -n '
- p
- /[$]LINENO/=
-@@ -452,8 +440,7 @@
- s/-\n.*//
- ' >$as_me.lineno &&
- chmod +x "$as_me.lineno" ||
-- { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
-- { (exit 1); exit 1; }; }
-+ { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
-
- # Don't try to exec as it changes $[0], causing all sort of problems
- # (the dirname of $[0] is not the place where we might find the
-@@ -463,49 +450,40 @@
- exit
- }
-
--
--if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
-- as_dirname=dirname
--else
-- as_dirname=false
--fi
--
- ECHO_C= ECHO_N= ECHO_T=
--case `echo -n x` in
-+case `echo -n x` in #(((((
- -n*)
-- case `echo 'x\c'` in
-+ case `echo 'xy\c'` in
- *c*) ECHO_T=' ';; # ECHO_T is single tab character.
-- *) ECHO_C='\c';;
-+ xy) ECHO_C='\c';;
-+ *) echo `echo ksh88 bug on AIX 6.1` > /dev/null
-+ ECHO_T=' ';;
- esac;;
- *)
- ECHO_N='-n';;
- esac
-
--if expr a : '\(a\)' >/dev/null 2>&1 &&
-- test "X`expr 00001 : '.*\(...\)'`" = X001; then
-- as_expr=expr
--else
-- as_expr=false
--fi
--
- rm -f conf$$ conf$$.exe conf$$.file
- if test -d conf$$.dir; then
- rm -f conf$$.dir/conf$$.file
- else
- rm -f conf$$.dir
-- mkdir conf$$.dir
-+ mkdir conf$$.dir 2>/dev/null
- fi
--echo >conf$$.file
--if ln -s conf$$.file conf$$ 2>/dev/null; then
-- as_ln_s='ln -s'
-- # ... but there are two gotchas:
-- # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-- # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-- # In both cases, we have to default to `cp -p'.
-- ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-+if (echo >conf$$.file) 2>/dev/null; then
-+ if ln -s conf$$.file conf$$ 2>/dev/null; then
-+ as_ln_s='ln -s'
-+ # ... but there are two gotchas:
-+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-+ # In both cases, we have to default to `cp -p'.
-+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-+ as_ln_s='cp -p'
-+ elif ln conf$$.file conf$$ 2>/dev/null; then
-+ as_ln_s=ln
-+ else
- as_ln_s='cp -p'
--elif ln conf$$.file conf$$ 2>/dev/null; then
-- as_ln_s=ln
-+ fi
- else
- as_ln_s='cp -p'
- fi
-@@ -513,7 +491,7 @@
- rmdir conf$$.dir 2>/dev/null
-
- if mkdir -p . 2>/dev/null; then
-- as_mkdir_p=:
-+ as_mkdir_p='mkdir -p "$as_dir"'
- else
- test -d ./-p && rmdir ./-p
- as_mkdir_p=false
-@@ -530,12 +508,12 @@
- as_test_x='
- eval sh -c '\''
- if test -d "$1"; then
-- test -d "$1/.";
-+ test -d "$1/.";
- else
-- case $1 in
-- -*)set "./$1";;
-+ case $1 in #(
-+ -*)set "./$1";;
- esac;
-- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
-+ case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
- ???[sx]*):;;*)false;;esac;fi
- '\'' sh
- '
-@@ -549,11 +527,11 @@
- as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
-
-
--
--exec 7<&0 </dev/null 6>&1
-+test -n "$DJDIR" || exec 7<&0 </dev/null
-+exec 6>&1
-
- # Name of the host.
--# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
-+# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status,
- # so uname gets run too.
- ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
-
-@@ -568,7 +546,6 @@
- subdirs=
- MFLAGS=
- MAKEFLAGS=
--SHELL=${CONFIG_SHELL-/bin/sh}
-
- # Identity of this package.
- PACKAGE_NAME=
-@@ -576,58 +553,102 @@
- PACKAGE_VERSION=
- PACKAGE_STRING=
- PACKAGE_BUGREPORT=
-+PACKAGE_URL=
-
- ac_unique_file="rlm_eap_tnc.c"
--ac_subst_vars='SHELL
--PATH_SEPARATOR
--PACKAGE_NAME
--PACKAGE_TARNAME
--PACKAGE_VERSION
--PACKAGE_STRING
--PACKAGE_BUGREPORT
--exec_prefix
--prefix
--program_transform_name
--bindir
--sbindir
--libexecdir
--datarootdir
--datadir
--sysconfdir
--sharedstatedir
--localstatedir
--includedir
--oldincludedir
--docdir
--infodir
--htmldir
--dvidir
--pdfdir
--psdir
--libdir
--localedir
--mandir
--DEFS
--ECHO_C
--ECHO_N
--ECHO_T
--LIBS
--build_alias
--host_alias
--target_alias
--CC
--CFLAGS
--LDFLAGS
--CPPFLAGS
--ac_ct_CC
--EXEEXT
--OBJEXT
--eap_tnc_cflags
--eap_tnc_ldflags
--targetname
-+# Factoring default headers for most tests.
-+ac_includes_default="\
-+#include <stdio.h>
-+#ifdef HAVE_SYS_TYPES_H
-+# include <sys/types.h>
-+#endif
-+#ifdef HAVE_SYS_STAT_H
-+# include <sys/stat.h>
-+#endif
-+#ifdef STDC_HEADERS
-+# include <stdlib.h>
-+# include <stddef.h>
-+#else
-+# ifdef HAVE_STDLIB_H
-+# include <stdlib.h>
-+# endif
-+#endif
-+#ifdef HAVE_STRING_H
-+# if !defined STDC_HEADERS && defined HAVE_MEMORY_H
-+# include <memory.h>
-+# endif
-+# include <string.h>
-+#endif
-+#ifdef HAVE_STRINGS_H
-+# include <strings.h>
-+#endif
-+#ifdef HAVE_INTTYPES_H
-+# include <inttypes.h>
-+#endif
-+#ifdef HAVE_STDINT_H
-+# include <stdint.h>
-+#endif
-+#ifdef HAVE_UNISTD_H
-+# include <unistd.h>
-+#endif"
-+
-+ac_subst_vars='LTLIBOBJS
- LIBOBJS
--LTLIBOBJS'
-+targetname
-+eap_tnc_ldflags
-+eap_tnc_cflags
-+EGREP
-+GREP
-+CPP
-+OBJEXT
-+EXEEXT
-+ac_ct_CC
-+CPPFLAGS
-+LDFLAGS
-+CFLAGS
-+CC
-+target_alias
-+host_alias
-+build_alias
-+LIBS
-+ECHO_T
-+ECHO_N
-+ECHO_C
-+DEFS
-+mandir
-+localedir
-+libdir
-+psdir
-+pdfdir
-+dvidir
-+htmldir
-+infodir
-+docdir
-+oldincludedir
-+includedir
-+localstatedir
-+sharedstatedir
-+sysconfdir
-+datadir
-+datarootdir
-+libexecdir
-+sbindir
-+bindir
-+program_transform_name
-+prefix
-+exec_prefix
-+PACKAGE_URL
-+PACKAGE_BUGREPORT
-+PACKAGE_STRING
-+PACKAGE_VERSION
-+PACKAGE_TARNAME
-+PACKAGE_NAME
-+PATH_SEPARATOR
-+SHELL'
- ac_subst_files=''
-+ac_user_opts='
-+enable_option_checking
-+'
- ac_precious_vars='build_alias
- host_alias
- target_alias
-@@ -635,12 +656,15 @@
- CFLAGS
- LDFLAGS
- LIBS
--CPPFLAGS'
-+CPPFLAGS
-+CPP'
-
-
- # Initialize some variables set by options.
- ac_init_help=
- ac_init_version=false
-+ac_unrecognized_opts=
-+ac_unrecognized_sep=
- # The variables have the same names as the options, with
- # dashes changed to underlines.
- cache_file=/dev/null
-@@ -696,8 +720,9 @@
- fi
-
- case $ac_option in
-- *=*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
-- *) ac_optarg=yes ;;
-+ *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
-+ *=) ac_optarg= ;;
-+ *) ac_optarg=yes ;;
- esac
-
- # Accept the important Cygnus configure options, so we can diagnose typos.
-@@ -739,13 +764,20 @@
- datarootdir=$ac_optarg ;;
-
- -disable-* | --disable-*)
-- ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
-+ ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
- # Reject names that are not valid shell variable names.
-- expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-- { echo "$as_me: error: invalid feature name: $ac_feature" >&2
-- { (exit 1); exit 1; }; }
-- ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
-- eval enable_$ac_feature=no ;;
-+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-+ as_fn_error $? "invalid feature name: $ac_useropt"
-+ ac_useropt_orig=$ac_useropt
-+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
-+ case $ac_user_opts in
-+ *"
-+"enable_$ac_useropt"
-+"*) ;;
-+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig"
-+ ac_unrecognized_sep=', ';;
-+ esac
-+ eval enable_$ac_useropt=no ;;
-
- -docdir | --docdir | --docdi | --doc | --do)
- ac_prev=docdir ;;
-@@ -758,13 +790,20 @@
- dvidir=$ac_optarg ;;
-
- -enable-* | --enable-*)
-- ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
-+ ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
- # Reject names that are not valid shell variable names.
-- expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-- { echo "$as_me: error: invalid feature name: $ac_feature" >&2
-- { (exit 1); exit 1; }; }
-- ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
-- eval enable_$ac_feature=\$ac_optarg ;;
-+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-+ as_fn_error $? "invalid feature name: $ac_useropt"
-+ ac_useropt_orig=$ac_useropt
-+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
-+ case $ac_user_opts in
-+ *"
-+"enable_$ac_useropt"
-+"*) ;;
-+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig"
-+ ac_unrecognized_sep=', ';;
-+ esac
-+ eval enable_$ac_useropt=\$ac_optarg ;;
-
- -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
- | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
-@@ -955,22 +994,36 @@
- ac_init_version=: ;;
-
- -with-* | --with-*)
-- ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
-+ ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
- # Reject names that are not valid shell variable names.
-- expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-- { echo "$as_me: error: invalid package name: $ac_package" >&2
-- { (exit 1); exit 1; }; }
-- ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
-- eval with_$ac_package=\$ac_optarg ;;
-+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-+ as_fn_error $? "invalid package name: $ac_useropt"
-+ ac_useropt_orig=$ac_useropt
-+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
-+ case $ac_user_opts in
-+ *"
-+"with_$ac_useropt"
-+"*) ;;
-+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig"
-+ ac_unrecognized_sep=', ';;
-+ esac
-+ eval with_$ac_useropt=\$ac_optarg ;;
-
- -without-* | --without-*)
-- ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
-+ ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'`
- # Reject names that are not valid shell variable names.
-- expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-- { echo "$as_me: error: invalid package name: $ac_package" >&2
-- { (exit 1); exit 1; }; }
-- ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
-- eval with_$ac_package=no ;;
-+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-+ as_fn_error $? "invalid package name: $ac_useropt"
-+ ac_useropt_orig=$ac_useropt
-+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
-+ case $ac_user_opts in
-+ *"
-+"with_$ac_useropt"
-+"*) ;;
-+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig"
-+ ac_unrecognized_sep=', ';;
-+ esac
-+ eval with_$ac_useropt=no ;;
-
- --x)
- # Obsolete; use --with-x.
-@@ -990,25 +1043,25 @@
- | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
- x_libraries=$ac_optarg ;;
-
-- -*) { echo "$as_me: error: unrecognized option: $ac_option
--Try \`$0 --help' for more information." >&2
-- { (exit 1); exit 1; }; }
-+ -*) as_fn_error $? "unrecognized option: \`$ac_option'
-+Try \`$0 --help' for more information"
- ;;
-
- *=*)
- ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
- # Reject names that are not valid shell variable names.
-- expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
-- { echo "$as_me: error: invalid variable name: $ac_envvar" >&2
-- { (exit 1); exit 1; }; }
-+ case $ac_envvar in #(
-+ '' | [0-9]* | *[!_$as_cr_alnum]* )
-+ as_fn_error $? "invalid variable name: \`$ac_envvar'" ;;
-+ esac
- eval $ac_envvar=\$ac_optarg
- export $ac_envvar ;;
-
- *)
- # FIXME: should be removed in autoconf 3.0.
-- echo "$as_me: WARNING: you should use --build, --host, --target" >&2
-+ $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2
- expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-- echo "$as_me: WARNING: invalid host type: $ac_option" >&2
-+ $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2
- : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
- ;;
-
-@@ -1017,23 +1070,36 @@
-
- if test -n "$ac_prev"; then
- ac_option=--`echo $ac_prev | sed 's/_/-/g'`
-- { echo "$as_me: error: missing argument to $ac_option" >&2
-- { (exit 1); exit 1; }; }
-+ as_fn_error $? "missing argument to $ac_option"
-+fi
-+
-+if test -n "$ac_unrecognized_opts"; then
-+ case $enable_option_checking in
-+ no) ;;
-+ fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;;
-+ *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;;
-+ esac
- fi
-
--# Be sure to have absolute directory names.
-+# Check all directory arguments for consistency.
- for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
- datadir sysconfdir sharedstatedir localstatedir includedir \
- oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
- libdir localedir mandir
- do
- eval ac_val=\$$ac_var
-+ # Remove trailing slashes.
-+ case $ac_val in
-+ */ )
-+ ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'`
-+ eval $ac_var=\$ac_val;;
-+ esac
-+ # Be sure to have absolute directory names.
- case $ac_val in
- [\\/$]* | ?:[\\/]* ) continue;;
- NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
- esac
-- { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
-- { (exit 1); exit 1; }; }
-+ as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val"
- done
-
- # There might be people who depend on the old broken behavior: `$host'
-@@ -1047,8 +1113,8 @@
- if test "x$host_alias" != x; then
- if test "x$build_alias" = x; then
- cross_compiling=maybe
-- echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
-- If a cross compiler is detected then cross compile mode will be used." >&2
-+ $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
-+ If a cross compiler is detected then cross compile mode will be used" >&2
- elif test "x$build_alias" != "x$host_alias"; then
- cross_compiling=yes
- fi
-@@ -1063,23 +1129,21 @@
- ac_pwd=`pwd` && test -n "$ac_pwd" &&
- ac_ls_di=`ls -di .` &&
- ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
-- { echo "$as_me: error: Working directory cannot be determined" >&2
-- { (exit 1); exit 1; }; }
-+ as_fn_error $? "working directory cannot be determined"
- test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
-- { echo "$as_me: error: pwd does not report name of working directory" >&2
-- { (exit 1); exit 1; }; }
-+ as_fn_error $? "pwd does not report name of working directory"
-
-
- # Find the source files, if location was not specified.
- if test -z "$srcdir"; then
- ac_srcdir_defaulted=yes
- # Try the directory containing this script, then the parent directory.
-- ac_confdir=`$as_dirname -- "$0" ||
--$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-- X"$0" : 'X\(//\)[^/]' \| \
-- X"$0" : 'X\(//\)$' \| \
-- X"$0" : 'X\(/\)' \| . 2>/dev/null ||
--echo X"$0" |
-+ ac_confdir=`$as_dirname -- "$as_myself" ||
-+$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-+ X"$as_myself" : 'X\(//\)[^/]' \| \
-+ X"$as_myself" : 'X\(//\)$' \| \
-+ X"$as_myself" : 'X\(/\)' \| . 2>/dev/null ||
-+$as_echo X"$as_myself" |
- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
- s//\1/
- q
-@@ -1106,13 +1170,11 @@
- fi
- if test ! -r "$srcdir/$ac_unique_file"; then
- test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
-- { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
-- { (exit 1); exit 1; }; }
-+ as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir"
- fi
- ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
- ac_abs_confdir=`(
-- cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2
-- { (exit 1); exit 1; }; }
-+ cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg"
- pwd)`
- # When building in place, set srcdir=.
- if test "$ac_abs_confdir" = "$ac_pwd"; then
-@@ -1152,7 +1214,7 @@
- --help=short display options specific to this package
- --help=recursive display the short help of all the included packages
- -V, --version display version information and exit
-- -q, --quiet, --silent do not print \`checking...' messages
-+ -q, --quiet, --silent do not print \`checking ...' messages
- --cache-file=FILE cache test results in FILE [disabled]
- -C, --config-cache alias for \`--cache-file=config.cache'
- -n, --no-create do not create output files
-@@ -1160,9 +1222,9 @@
-
- Installation directories:
- --prefix=PREFIX install architecture-independent files in PREFIX
-- [$ac_default_prefix]
-+ [$ac_default_prefix]
- --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
-- [PREFIX]
-+ [PREFIX]
-
- By default, \`make install' will install all the files in
- \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify
-@@ -1172,25 +1234,25 @@
- For better control, use the options below.
-
- Fine tuning of the installation directories:
-- --bindir=DIR user executables [EPREFIX/bin]
-- --sbindir=DIR system admin executables [EPREFIX/sbin]
-- --libexecdir=DIR program executables [EPREFIX/libexec]
-- --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
-- --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
-- --localstatedir=DIR modifiable single-machine data [PREFIX/var]
-- --libdir=DIR object code libraries [EPREFIX/lib]
-- --includedir=DIR C header files [PREFIX/include]
-- --oldincludedir=DIR C header files for non-gcc [/usr/include]
-- --datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
-- --datadir=DIR read-only architecture-independent data [DATAROOTDIR]
-- --infodir=DIR info documentation [DATAROOTDIR/info]
-- --localedir=DIR locale-dependent data [DATAROOTDIR/locale]
-- --mandir=DIR man documentation [DATAROOTDIR/man]
-- --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE]
-- --htmldir=DIR html documentation [DOCDIR]
-- --dvidir=DIR dvi documentation [DOCDIR]
-- --pdfdir=DIR pdf documentation [DOCDIR]
-- --psdir=DIR ps documentation [DOCDIR]
-+ --bindir=DIR user executables [EPREFIX/bin]
-+ --sbindir=DIR system admin executables [EPREFIX/sbin]
-+ --libexecdir=DIR program executables [EPREFIX/libexec]
-+ --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
-+ --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
-+ --localstatedir=DIR modifiable single-machine data [PREFIX/var]
-+ --libdir=DIR object code libraries [EPREFIX/lib]
-+ --includedir=DIR C header files [PREFIX/include]
-+ --oldincludedir=DIR C header files for non-gcc [/usr/include]
-+ --datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
-+ --datadir=DIR read-only architecture-independent data [DATAROOTDIR]
-+ --infodir=DIR info documentation [DATAROOTDIR/info]
-+ --localedir=DIR locale-dependent data [DATAROOTDIR/locale]
-+ --mandir=DIR man documentation [DATAROOTDIR/man]
-+ --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE]
-+ --htmldir=DIR html documentation [DOCDIR]
-+ --dvidir=DIR dvi documentation [DOCDIR]
-+ --pdfdir=DIR pdf documentation [DOCDIR]
-+ --psdir=DIR ps documentation [DOCDIR]
- _ACEOF
-
- cat <<\_ACEOF
-@@ -1207,12 +1269,14 @@
- LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
- nonstandard directory <lib dir>
- LIBS libraries to pass to the linker, e.g. -l<library>
-- CPPFLAGS C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
-+ CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
- you have headers in a nonstandard directory <include dir>
-+ CPP C preprocessor
-
- Use these variables to override the choices made by `configure' or to help
- it to find libraries and programs with nonstandard names/locations.
-
-+Report bugs to the package provider.
- _ACEOF
- ac_status=$?
- fi
-@@ -1220,15 +1284,17 @@
- if test "$ac_init_help" = "recursive"; then
- # If there are subdirs, report their specific --help.
- for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
-- test -d "$ac_dir" || continue
-+ test -d "$ac_dir" ||
-+ { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } ||
-+ continue
- ac_builddir=.
-
- case "$ac_dir" in
- .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
- *)
-- ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
-+ ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
- # A ".." for each directory in $ac_dir_suffix.
-- ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
-+ ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
- case $ac_top_builddir_sub in
- "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
- *) ac_top_build_prefix=$ac_top_builddir_sub/ ;;
-@@ -1264,7 +1330,7 @@
- echo &&
- $SHELL "$ac_srcdir/configure" --help=recursive
- else
-- echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
-+ $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
- fi || ac_status=$?
- cd "$ac_pwd" || { ac_status=$?; break; }
- done
-@@ -1274,21 +1340,305 @@
- if $ac_init_version; then
- cat <<\_ACEOF
- configure
--generated by GNU Autoconf 2.61
-+generated by GNU Autoconf 2.67
-
--Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
--2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
-+Copyright (C) 2010 Free Software Foundation, Inc.
- This configure script is free software; the Free Software Foundation
- gives unlimited permission to copy, distribute and modify it.
- _ACEOF
- exit
- fi
-+
-+## ------------------------ ##
-+## Autoconf initialization. ##
-+## ------------------------ ##
-+
-+# ac_fn_c_try_compile LINENO
-+# --------------------------
-+# Try to compile conftest.$ac_ext, and return whether this succeeded.
-+ac_fn_c_try_compile ()
-+{
-+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ rm -f conftest.$ac_objext
-+ if { { ac_try="$ac_compile"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_compile") 2>conftest.err
-+ ac_status=$?
-+ if test -s conftest.err; then
-+ grep -v '^ *+' conftest.err >conftest.er1
-+ cat conftest.er1 >&5
-+ mv -f conftest.er1 conftest.err
-+ fi
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; } && {
-+ test -z "$ac_c_werror_flag" ||
-+ test ! -s conftest.err
-+ } && test -s conftest.$ac_objext; then :
-+ ac_retval=0
-+else
-+ $as_echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+ ac_retval=1
-+fi
-+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+ as_fn_set_status $ac_retval
-+
-+} # ac_fn_c_try_compile
-+
-+# ac_fn_c_try_link LINENO
-+# -----------------------
-+# Try to link conftest.$ac_ext, and return whether this succeeded.
-+ac_fn_c_try_link ()
-+{
-+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ rm -f conftest.$ac_objext conftest$ac_exeext
-+ if { { ac_try="$ac_link"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_link") 2>conftest.err
-+ ac_status=$?
-+ if test -s conftest.err; then
-+ grep -v '^ *+' conftest.err >conftest.er1
-+ cat conftest.er1 >&5
-+ mv -f conftest.er1 conftest.err
-+ fi
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; } && {
-+ test -z "$ac_c_werror_flag" ||
-+ test ! -s conftest.err
-+ } && test -s conftest$ac_exeext && {
-+ test "$cross_compiling" = yes ||
-+ $as_test_x conftest$ac_exeext
-+ }; then :
-+ ac_retval=0
-+else
-+ $as_echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+ ac_retval=1
-+fi
-+ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
-+ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
-+ # interfere with the next link command; also delete a directory that is
-+ # left behind by Apple's compiler. We do this before executing the actions.
-+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo
-+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+ as_fn_set_status $ac_retval
-+
-+} # ac_fn_c_try_link
-+
-+# ac_fn_c_try_cpp LINENO
-+# ----------------------
-+# Try to preprocess conftest.$ac_ext, and return whether this succeeded.
-+ac_fn_c_try_cpp ()
-+{
-+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ if { { ac_try="$ac_cpp conftest.$ac_ext"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err
-+ ac_status=$?
-+ if test -s conftest.err; then
-+ grep -v '^ *+' conftest.err >conftest.er1
-+ cat conftest.er1 >&5
-+ mv -f conftest.er1 conftest.err
-+ fi
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; } > conftest.i && {
-+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-+ test ! -s conftest.err
-+ }; then :
-+ ac_retval=0
-+else
-+ $as_echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+ ac_retval=1
-+fi
-+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+ as_fn_set_status $ac_retval
-+
-+} # ac_fn_c_try_cpp
-+
-+# ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES
-+# -------------------------------------------------------
-+# Tests whether HEADER exists, giving a warning if it cannot be compiled using
-+# the include files in INCLUDES and setting the cache variable VAR
-+# accordingly.
-+ac_fn_c_check_header_mongrel ()
-+{
-+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ if eval "test \"\${$3+set}\"" = set; then :
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
-+$as_echo_n "checking for $2... " >&6; }
-+if eval "test \"\${$3+set}\"" = set; then :
-+ $as_echo_n "(cached) " >&6
-+fi
-+eval ac_res=\$$3
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
-+$as_echo "$ac_res" >&6; }
-+else
-+ # Is the header compilable?
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5
-+$as_echo_n "checking $2 usability... " >&6; }
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+$4
-+#include <$2>
-+_ACEOF
-+if ac_fn_c_try_compile "$LINENO"; then :
-+ ac_header_compiler=yes
-+else
-+ ac_header_compiler=no
-+fi
-+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5
-+$as_echo "$ac_header_compiler" >&6; }
-+
-+# Is the header present?
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5
-+$as_echo_n "checking $2 presence... " >&6; }
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <$2>
-+_ACEOF
-+if ac_fn_c_try_cpp "$LINENO"; then :
-+ ac_header_preproc=yes
-+else
-+ ac_header_preproc=no
-+fi
-+rm -f conftest.err conftest.i conftest.$ac_ext
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5
-+$as_echo "$ac_header_preproc" >&6; }
-+
-+# So? What about this header?
-+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #((
-+ yes:no: )
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5
-+$as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
-+$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
-+ ;;
-+ no:yes:* )
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5
-+$as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: check for missing prerequisite headers?" >&5
-+$as_echo "$as_me: WARNING: $2: check for missing prerequisite headers?" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5
-+$as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&5
-+$as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
-+$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
-+ ;;
-+esac
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
-+$as_echo_n "checking for $2... " >&6; }
-+if eval "test \"\${$3+set}\"" = set; then :
-+ $as_echo_n "(cached) " >&6
-+else
-+ eval "$3=\$ac_header_compiler"
-+fi
-+eval ac_res=\$$3
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
-+$as_echo "$ac_res" >&6; }
-+fi
-+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+
-+} # ac_fn_c_check_header_mongrel
-+
-+# ac_fn_c_try_run LINENO
-+# ----------------------
-+# Try to link conftest.$ac_ext, and return whether this succeeded. Assumes
-+# that executables *can* be run.
-+ac_fn_c_try_run ()
-+{
-+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ if { { ac_try="$ac_link"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_link") 2>&5
-+ ac_status=$?
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; } && { ac_try='./conftest$ac_exeext'
-+ { { case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_try") 2>&5
-+ ac_status=$?
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }; }; then :
-+ ac_retval=0
-+else
-+ $as_echo "$as_me: program exited with status $ac_status" >&5
-+ $as_echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+ ac_retval=$ac_status
-+fi
-+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo
-+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+ as_fn_set_status $ac_retval
-+
-+} # ac_fn_c_try_run
-+
-+# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES
-+# -------------------------------------------------------
-+# Tests whether HEADER exists and can be compiled using the include files in
-+# INCLUDES, setting the cache variable VAR accordingly.
-+ac_fn_c_check_header_compile ()
-+{
-+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
-+$as_echo_n "checking for $2... " >&6; }
-+if eval "test \"\${$3+set}\"" = set; then :
-+ $as_echo_n "(cached) " >&6
-+else
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+$4
-+#include <$2>
-+_ACEOF
-+if ac_fn_c_try_compile "$LINENO"; then :
-+ eval "$3=yes"
-+else
-+ eval "$3=no"
-+fi
-+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-+fi
-+eval ac_res=\$$3
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
-+$as_echo "$ac_res" >&6; }
-+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-+
-+} # ac_fn_c_check_header_compile
- cat >config.log <<_ACEOF
- This file contains any messages produced by compilers while
- running configure, to aid debugging if configure makes a mistake.
-
- It was created by $as_me, which was
--generated by GNU Autoconf 2.61. Invocation command line was
-+generated by GNU Autoconf 2.67. Invocation command line was
-
- $ $0 $@
-
-@@ -1324,8 +1674,8 @@
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- echo "PATH: $as_dir"
--done
-+ $as_echo "PATH: $as_dir"
-+ done
- IFS=$as_save_IFS
-
- } >&5
-@@ -1359,12 +1709,12 @@
- | -silent | --silent | --silen | --sile | --sil)
- continue ;;
- *\'*)
-- ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
-+ ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
- esac
- case $ac_pass in
-- 1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;;
-+ 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;;
- 2)
-- ac_configure_args1="$ac_configure_args1 '$ac_arg'"
-+ as_fn_append ac_configure_args1 " '$ac_arg'"
- if test $ac_must_keep_next = true; then
- ac_must_keep_next=false # Got value, back to normal.
- else
-@@ -1380,13 +1730,13 @@
- -* ) ac_must_keep_next=true ;;
- esac
- fi
-- ac_configure_args="$ac_configure_args '$ac_arg'"
-+ as_fn_append ac_configure_args " '$ac_arg'"
- ;;
- esac
- done
- done
--$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; }
--$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; }
-+{ ac_configure_args0=; unset ac_configure_args0;}
-+{ ac_configure_args1=; unset ac_configure_args1;}
-
- # When interrupted or exit'd, cleanup temporary files, and complete
- # config.log. We remove comments because anyway the quotes in there
-@@ -1398,11 +1748,9 @@
- {
- echo
-
-- cat <<\_ASBOX
--## ---------------- ##
-+ $as_echo "## ---------------- ##
- ## Cache variables. ##
--## ---------------- ##
--_ASBOX
-+## ---------------- ##"
- echo
- # The following way of writing the cache mishandles newlines in values,
- (
-@@ -1411,12 +1759,13 @@
- case $ac_val in #(
- *${as_nl}*)
- case $ac_var in #(
-- *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
--echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
-+ *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
-+$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
- esac
- case $ac_var in #(
- _ | IFS | as_nl) ;; #(
-- *) $as_unset $ac_var ;;
-+ BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
-+ *) { eval $ac_var=; unset $ac_var;} ;;
- esac ;;
- esac
- done
-@@ -1435,128 +1784,136 @@
- )
- echo
-
-- cat <<\_ASBOX
--## ----------------- ##
-+ $as_echo "## ----------------- ##
- ## Output variables. ##
--## ----------------- ##
--_ASBOX
-+## ----------------- ##"
- echo
- for ac_var in $ac_subst_vars
- do
- eval ac_val=\$$ac_var
- case $ac_val in
-- *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
-+ *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
- esac
-- echo "$ac_var='\''$ac_val'\''"
-+ $as_echo "$ac_var='\''$ac_val'\''"
- done | sort
- echo
-
- if test -n "$ac_subst_files"; then
-- cat <<\_ASBOX
--## ------------------- ##
-+ $as_echo "## ------------------- ##
- ## File substitutions. ##
--## ------------------- ##
--_ASBOX
-+## ------------------- ##"
- echo
- for ac_var in $ac_subst_files
- do
- eval ac_val=\$$ac_var
- case $ac_val in
-- *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
-+ *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
- esac
-- echo "$ac_var='\''$ac_val'\''"
-+ $as_echo "$ac_var='\''$ac_val'\''"
- done | sort
- echo
- fi
-
- if test -s confdefs.h; then
-- cat <<\_ASBOX
--## ----------- ##
-+ $as_echo "## ----------- ##
- ## confdefs.h. ##
--## ----------- ##
--_ASBOX
-+## ----------- ##"
- echo
- cat confdefs.h
- echo
- fi
- test "$ac_signal" != 0 &&
-- echo "$as_me: caught signal $ac_signal"
-- echo "$as_me: exit $exit_status"
-+ $as_echo "$as_me: caught signal $ac_signal"
-+ $as_echo "$as_me: exit $exit_status"
- } >&5
- rm -f core *.core core.conftest.* &&
- rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
- exit $exit_status
- ' 0
- for ac_signal in 1 2 13 15; do
-- trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal
-+ trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal
- done
- ac_signal=0
-
- # confdefs.h avoids OS command line length limits that DEFS can exceed.
- rm -f -r conftest* confdefs.h
-
-+$as_echo "/* confdefs.h */" > confdefs.h
-+
- # Predefined preprocessor variables.
-
- cat >>confdefs.h <<_ACEOF
- #define PACKAGE_NAME "$PACKAGE_NAME"
- _ACEOF
-
--
- cat >>confdefs.h <<_ACEOF
- #define PACKAGE_TARNAME "$PACKAGE_TARNAME"
- _ACEOF
-
--
- cat >>confdefs.h <<_ACEOF
- #define PACKAGE_VERSION "$PACKAGE_VERSION"
- _ACEOF
-
--
- cat >>confdefs.h <<_ACEOF
- #define PACKAGE_STRING "$PACKAGE_STRING"
- _ACEOF
-
--
- cat >>confdefs.h <<_ACEOF
- #define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
- _ACEOF
-
-+cat >>confdefs.h <<_ACEOF
-+#define PACKAGE_URL "$PACKAGE_URL"
-+_ACEOF
-+
-
- # Let the site file select an alternate cache file if it wants to.
--# Prefer explicitly selected file to automatically selected ones.
-+# Prefer an explicitly selected file to automatically selected ones.
-+ac_site_file1=NONE
-+ac_site_file2=NONE
- if test -n "$CONFIG_SITE"; then
-- set x "$CONFIG_SITE"
-+ # We do not want a PATH search for config.site.
-+ case $CONFIG_SITE in #((
-+ -*) ac_site_file1=./$CONFIG_SITE;;
-+ */*) ac_site_file1=$CONFIG_SITE;;
-+ *) ac_site_file1=./$CONFIG_SITE;;
-+ esac
- elif test "x$prefix" != xNONE; then
-- set x "$prefix/share/config.site" "$prefix/etc/config.site"
-+ ac_site_file1=$prefix/share/config.site
-+ ac_site_file2=$prefix/etc/config.site
- else
-- set x "$ac_default_prefix/share/config.site" \
-- "$ac_default_prefix/etc/config.site"
-+ ac_site_file1=$ac_default_prefix/share/config.site
-+ ac_site_file2=$ac_default_prefix/etc/config.site
- fi
--shift
--for ac_site_file
-+for ac_site_file in "$ac_site_file1" "$ac_site_file2"
- do
-- if test -r "$ac_site_file"; then
-- { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
--echo "$as_me: loading site script $ac_site_file" >&6;}
-+ test "x$ac_site_file" = xNONE && continue
-+ if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5
-+$as_echo "$as_me: loading site script $ac_site_file" >&6;}
- sed 's/^/| /' "$ac_site_file" >&5
-- . "$ac_site_file"
-+ . "$ac_site_file" \
-+ || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "failed to load site script $ac_site_file
-+See \`config.log' for more details" "$LINENO" 5 ; }
- fi
- done
-
- if test -r "$cache_file"; then
-- # Some versions of bash will fail to source /dev/null (special
-- # files actually), so we avoid doing that.
-- if test -f "$cache_file"; then
-- { echo "$as_me:$LINENO: loading cache $cache_file" >&5
--echo "$as_me: loading cache $cache_file" >&6;}
-+ # Some versions of bash will fail to source /dev/null (special files
-+ # actually), so we avoid doing that. DJGPP emulates it as a regular file.
-+ if test /dev/null != "$cache_file" && test -f "$cache_file"; then
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5
-+$as_echo "$as_me: loading cache $cache_file" >&6;}
- case $cache_file in
- [\\/]* | ?:[\\/]* ) . "$cache_file";;
- *) . "./$cache_file";;
- esac
- fi
- else
-- { echo "$as_me:$LINENO: creating cache $cache_file" >&5
--echo "$as_me: creating cache $cache_file" >&6;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5
-+$as_echo "$as_me: creating cache $cache_file" >&6;}
- >$cache_file
- fi
-
-@@ -1570,60 +1927,56 @@
- eval ac_new_val=\$ac_env_${ac_var}_value
- case $ac_old_set,$ac_new_set in
- set,)
-- { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
--echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
-+$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
- ac_cache_corrupted=: ;;
- ,set)
-- { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
--echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5
-+$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
- ac_cache_corrupted=: ;;
- ,);;
- *)
- if test "x$ac_old_val" != "x$ac_new_val"; then
-- { echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
--echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
-- { echo "$as_me:$LINENO: former value: $ac_old_val" >&5
--echo "$as_me: former value: $ac_old_val" >&2;}
-- { echo "$as_me:$LINENO: current value: $ac_new_val" >&5
--echo "$as_me: current value: $ac_new_val" >&2;}
-- ac_cache_corrupted=:
-+ # differences in whitespace do not lead to failure.
-+ ac_old_val_w=`echo x $ac_old_val`
-+ ac_new_val_w=`echo x $ac_new_val`
-+ if test "$ac_old_val_w" != "$ac_new_val_w"; then
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5
-+$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
-+ ac_cache_corrupted=:
-+ else
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5
-+$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;}
-+ eval $ac_var=\$ac_old_val
-+ fi
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5
-+$as_echo "$as_me: former value: \`$ac_old_val'" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5
-+$as_echo "$as_me: current value: \`$ac_new_val'" >&2;}
- fi;;
- esac
- # Pass precious variables to config.status.
- if test "$ac_new_set" = set; then
- case $ac_new_val in
-- *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
-+ *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
- *) ac_arg=$ac_var=$ac_new_val ;;
- esac
- case " $ac_configure_args " in
- *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy.
-- *) ac_configure_args="$ac_configure_args '$ac_arg'" ;;
-+ *) as_fn_append ac_configure_args " '$ac_arg'" ;;
- esac
- fi
- done
- if $ac_cache_corrupted; then
-- { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
--echo "$as_me: error: changes in the environment can compromise the build" >&2;}
-- { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
--echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
-- { (exit 1); exit 1; }; }
--fi
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5
-+$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;}
-+ as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5
-+fi
-+## -------------------- ##
-+## Main body of script. ##
-+## -------------------- ##
-
- ac_ext=c
- ac_cpp='$CPP $CPPFLAGS'
-@@ -1635,6 +1988,9 @@
-
-
-
-+eap_tnc_cflags=
-+eap_tnc_ldflags=-lnaaeap
-+
- if test x$with_rlm_eap_tnc != xno; then
-
- ac_ext=c
-@@ -1645,10 +2001,10 @@
- if test -n "$ac_tool_prefix"; then
- # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
- set dummy ${ac_tool_prefix}gcc; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_CC+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_CC+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-@@ -1658,25 +2014,25 @@
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- for ac_exec_ext in '' $ac_executable_extensions; do
-+ for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_CC="${ac_tool_prefix}gcc"
-- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
- done
--done
-+ done
- IFS=$as_save_IFS
-
- fi
- fi
- CC=$ac_cv_prog_CC
- if test -n "$CC"; then
-- { echo "$as_me:$LINENO: result: $CC" >&5
--echo "${ECHO_T}$CC" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
-+$as_echo "$CC" >&6; }
- else
-- { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
-
-
-@@ -1685,10 +2041,10 @@
- ac_ct_CC=$CC
- # Extract the first word of "gcc", so it can be a program name with args.
- set dummy gcc; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- if test -n "$ac_ct_CC"; then
- ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-@@ -1698,25 +2054,25 @@
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- for ac_exec_ext in '' $ac_executable_extensions; do
-+ for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_ac_ct_CC="gcc"
-- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
- done
--done
-+ done
- IFS=$as_save_IFS
-
- fi
- fi
- ac_ct_CC=$ac_cv_prog_ac_ct_CC
- if test -n "$ac_ct_CC"; then
-- { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
--echo "${ECHO_T}$ac_ct_CC" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
-+$as_echo "$ac_ct_CC" >&6; }
- else
-- { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
-
- if test "x$ac_ct_CC" = x; then
-@@ -1724,12 +2080,8 @@
- else
- case $cross_compiling:$ac_tool_warned in
- yes:)
--{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
--whose name does not start with the host triplet. If you think this
--configuration is useful to you, please write to autoconf@gnu.org." >&5
--echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
--whose name does not start with the host triplet. If you think this
--configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
-+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
- ac_tool_warned=yes ;;
- esac
- CC=$ac_ct_CC
-@@ -1742,10 +2094,10 @@
- if test -n "$ac_tool_prefix"; then
- # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
- set dummy ${ac_tool_prefix}cc; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_CC+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_CC+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-@@ -1755,25 +2107,25 @@
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- for ac_exec_ext in '' $ac_executable_extensions; do
-+ for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_CC="${ac_tool_prefix}cc"
-- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
- done
--done
-+ done
- IFS=$as_save_IFS
-
- fi
- fi
- CC=$ac_cv_prog_CC
- if test -n "$CC"; then
-- { echo "$as_me:$LINENO: result: $CC" >&5
--echo "${ECHO_T}$CC" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
-+$as_echo "$CC" >&6; }
- else
-- { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
-
-
-@@ -1782,10 +2134,10 @@
- if test -z "$CC"; then
- # Extract the first word of "cc", so it can be a program name with args.
- set dummy cc; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_CC+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_CC+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-@@ -1796,18 +2148,18 @@
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- for ac_exec_ext in '' $ac_executable_extensions; do
-+ for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
- ac_prog_rejected=yes
- continue
- fi
- ac_cv_prog_CC="cc"
-- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
- done
--done
-+ done
- IFS=$as_save_IFS
-
- if test $ac_prog_rejected = yes; then
-@@ -1826,11 +2178,11 @@
- fi
- CC=$ac_cv_prog_CC
- if test -n "$CC"; then
-- { echo "$as_me:$LINENO: result: $CC" >&5
--echo "${ECHO_T}$CC" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
-+$as_echo "$CC" >&6; }
- else
-- { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
-
-
-@@ -1841,10 +2193,10 @@
- do
- # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
- set dummy $ac_tool_prefix$ac_prog; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_CC+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_CC+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-@@ -1854,25 +2206,25 @@
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- for ac_exec_ext in '' $ac_executable_extensions; do
-+ for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
-- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
- done
--done
-+ done
- IFS=$as_save_IFS
-
- fi
- fi
- CC=$ac_cv_prog_CC
- if test -n "$CC"; then
-- { echo "$as_me:$LINENO: result: $CC" >&5
--echo "${ECHO_T}$CC" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
-+$as_echo "$CC" >&6; }
- else
-- { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
-
-
-@@ -1885,10 +2237,10 @@
- do
- # Extract the first word of "$ac_prog", so it can be a program name with args.
- set dummy $ac_prog; ac_word=$2
--{ echo "$as_me:$LINENO: checking for $ac_word" >&5
--echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
--if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- if test -n "$ac_ct_CC"; then
- ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-@@ -1898,25 +2250,25 @@
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- for ac_exec_ext in '' $ac_executable_extensions; do
-+ for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_ac_ct_CC="$ac_prog"
-- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
- done
--done
-+ done
- IFS=$as_save_IFS
-
- fi
- fi
- ac_ct_CC=$ac_cv_prog_ac_ct_CC
- if test -n "$ac_ct_CC"; then
-- { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
--echo "${ECHO_T}$ac_ct_CC" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
-+$as_echo "$ac_ct_CC" >&6; }
- else
-- { echo "$as_me:$LINENO: result: no" >&5
--echo "${ECHO_T}no" >&6; }
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
- fi
-
-
-@@ -1928,12 +2280,8 @@
- else
- case $cross_compiling:$ac_tool_warned in
- yes:)
--{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
--whose name does not start with the host triplet. If you think this
--configuration is useful to you, please write to autoconf@gnu.org." >&5
--echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
--whose name does not start with the host triplet. If you think this
--configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
-+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
- ac_tool_warned=yes ;;
- esac
- CC=$ac_ct_CC
-@@ -1943,51 +2291,37 @@
- fi
-
-
--test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
--See \`config.log' for more details." >&5
--echo "$as_me: error: no acceptable C compiler found in \$PATH
--See \`config.log' for more details." >&2;}
-- { (exit 1); exit 1; }; }
-+test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "no acceptable C compiler found in \$PATH
-+See \`config.log' for more details" "$LINENO" 5 ; }
-
- # Provide some information about the compiler.
--echo "$as_me:$LINENO: checking for C compiler version" >&5
--ac_compiler=`set X $ac_compile; echo $2`
--{ (ac_try="$ac_compiler --version >&5"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_compiler --version >&5") 2>&5
-- ac_status=$?
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); }
--{ (ac_try="$ac_compiler -v >&5"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_compiler -v >&5") 2>&5
-- ac_status=$?
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); }
--{ (ac_try="$ac_compiler -V >&5"
-+$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5
-+set X $ac_compile
-+ac_compiler=$2
-+for ac_option in --version -v -V -qversion; do
-+ { { ac_try="$ac_compiler $ac_option >&5"
- case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
- esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_compiler -V >&5") 2>&5
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_compiler $ac_option >&5") 2>conftest.err
- ac_status=$?
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); }
-+ if test -s conftest.err; then
-+ sed '10a\
-+... rest of stderr output deleted ...
-+ 10q' conftest.err >conftest.er1
-+ cat conftest.er1 >&5
-+ fi
-+ rm -f conftest.er1 conftest.err
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }
-+done
-
--cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h. */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
- int
-@@ -1999,42 +2333,38 @@
- }
- _ACEOF
- ac_clean_files_save=$ac_clean_files
--ac_clean_files="$ac_clean_files a.out a.exe b.out"
-+ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out"
- # Try to create an executable without -o first, disregard a.out.
- # It will help us diagnose broken compilers, and finding out an intuition
- # of exeext.
--{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
--echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; }
--ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
--#
--# List of possible output files, starting from the most likely.
--# The algorithm is not robust to junk in `.', hence go to wildcards (a.*)
--# only as a last resort. b.out is created by i960 compilers.
--ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out'
--#
--# The IRIX 6 linker writes into existing files which may not be
--# executable, retaining their permissions. Remove them first so a
--# subsequent execution test works.
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5
-+$as_echo_n "checking whether the C compiler works... " >&6; }
-+ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
-+
-+# The possible output files:
-+ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*"
-+
- ac_rmfiles=
- for ac_file in $ac_files
- do
- case $ac_file in
-- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
-+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
- * ) ac_rmfiles="$ac_rmfiles $ac_file";;
- esac
- done
- rm -f $ac_rmfiles
-
--if { (ac_try="$ac_link_default"
-+if { { ac_try="$ac_link_default"
- case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
- esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
- (eval "$ac_link_default") 2>&5
- ac_status=$?
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); }; then
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }; then :
- # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
- # So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
- # in a Makefile. We should not override ac_cv_exeext if it was cached,
-@@ -2044,14 +2374,14 @@
- do
- test -f "$ac_file" || continue
- case $ac_file in
-- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj )
-+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj )
- ;;
- [ab].out )
- # We found the default executable, but exeext='' is most
- # certainly right.
- break;;
- *.* )
-- if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
-+ if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
- then :; else
- ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
- fi
-@@ -2070,116 +2400,132 @@
- else
- ac_file=''
- fi
--
--{ echo "$as_me:$LINENO: result: $ac_file" >&5
--echo "${ECHO_T}$ac_file" >&6; }
--if test -z "$ac_file"; then
-- echo "$as_me: failed program was:" >&5
-+if test -z "$ac_file"; then :
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
-+$as_echo "$as_me: failed program was:" >&5
- sed 's/^/| /' conftest.$ac_ext >&5
-
--{ { echo "$as_me:$LINENO: error: C compiler cannot create executables
--See \`config.log' for more details." >&5
--echo "$as_me: error: C compiler cannot create executables
--See \`config.log' for more details." >&2;}
-- { (exit 77); exit 77; }; }
--fi
--
-+{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error 77 "C compiler cannot create executables
-+See \`config.log' for more details" "$LINENO" 5 ; }
-+else
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-+$as_echo "yes" >&6; }
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5
-+$as_echo_n "checking for C compiler default output file name... " >&6; }
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5
-+$as_echo "$ac_file" >&6; }
- ac_exeext=$ac_cv_exeext
-
-+rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out
-+ac_clean_files=$ac_clean_files_save
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5
-+$as_echo_n "checking for suffix of executables... " >&6; }
-+if { { ac_try="$ac_link"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_link") 2>&5
-+ ac_status=$?
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }; then :
-+ # If both `conftest.exe' and `conftest' are `present' (well, observable)
-+# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will
-+# work properly (i.e., refer to `conftest.exe'), while it won't with
-+# `rm'.
-+for ac_file in conftest.exe conftest conftest.*; do
-+ test -f "$ac_file" || continue
-+ case $ac_file in
-+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
-+ *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
-+ break;;
-+ * ) break;;
-+ esac
-+done
-+else
-+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "cannot compute suffix of executables: cannot compile and link
-+See \`config.log' for more details" "$LINENO" 5 ; }
-+fi
-+rm -f conftest conftest$ac_cv_exeext
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5
-+$as_echo "$ac_cv_exeext" >&6; }
-+
-+rm -f conftest.$ac_ext
-+EXEEXT=$ac_cv_exeext
-+ac_exeext=$EXEEXT
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <stdio.h>
-+int
-+main ()
-+{
-+FILE *f = fopen ("conftest.out", "w");
-+ return ferror (f) || fclose (f) != 0;
-+
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+ac_clean_files="$ac_clean_files conftest.out"
- # Check that the compiler produces executables we can run. If not, either
- # the compiler is broken, or we cross compile.
--{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5
--echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6; }
--# FIXME: These cross compiler hacks should be removed for Autoconf 3.0
--# If not cross compiling, check that we can run a simple program.
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5
-+$as_echo_n "checking whether we are cross compiling... " >&6; }
- if test "$cross_compiling" != yes; then
-- if { ac_try='./$ac_file'
-- { (case "(($ac_try" in
-+ { { ac_try="$ac_link"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_link") 2>&5
-+ ac_status=$?
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }
-+ if { ac_try='./conftest$ac_cv_exeext'
-+ { { case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
- esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
- (eval "$ac_try") 2>&5
- ac_status=$?
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); }; }; then
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }; }; then
- cross_compiling=no
- else
- if test "$cross_compiling" = maybe; then
- cross_compiling=yes
- else
-- { { echo "$as_me:$LINENO: error: cannot run C compiled programs.
--If you meant to cross compile, use \`--host'.
--See \`config.log' for more details." >&5
--echo "$as_me: error: cannot run C compiled programs.
-+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "cannot run C compiled programs.
- If you meant to cross compile, use \`--host'.
--See \`config.log' for more details." >&2;}
-- { (exit 1); exit 1; }; }
-+See \`config.log' for more details" "$LINENO" 5 ; }
- fi
- fi
- fi
--{ echo "$as_me:$LINENO: result: yes" >&5
--echo "${ECHO_T}yes" >&6; }
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5
-+$as_echo "$cross_compiling" >&6; }
-
--rm -f a.out a.exe conftest$ac_cv_exeext b.out
-+rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out
- ac_clean_files=$ac_clean_files_save
--# Check that the compiler produces executables we can run. If not, either
--# the compiler is broken, or we cross compile.
--{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
--echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; }
--{ echo "$as_me:$LINENO: result: $cross_compiling" >&5
--echo "${ECHO_T}$cross_compiling" >&6; }
--
--{ echo "$as_me:$LINENO: checking for suffix of executables" >&5
--echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; }
--if { (ac_try="$ac_link"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_link") 2>&5
-- ac_status=$?
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); }; then
-- # If both `conftest.exe' and `conftest' are `present' (well, observable)
--# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will
--# work properly (i.e., refer to `conftest.exe'), while it won't with
--# `rm'.
--for ac_file in conftest.exe conftest conftest.*; do
-- test -f "$ac_file" || continue
-- case $ac_file in
-- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
-- *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
-- break;;
-- * ) break;;
-- esac
--done
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5
-+$as_echo_n "checking for suffix of object files... " >&6; }
-+if test "${ac_cv_objext+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
-- { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
--See \`config.log' for more details." >&5
--echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
--See \`config.log' for more details." >&2;}
-- { (exit 1); exit 1; }; }
--fi
--
--rm -f conftest$ac_cv_exeext
--{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
--echo "${ECHO_T}$ac_cv_exeext" >&6; }
--
--rm -f conftest.$ac_ext
--EXEEXT=$ac_cv_exeext
--ac_exeext=$EXEEXT
--{ echo "$as_me:$LINENO: checking for suffix of object files" >&5
--echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; }
--if test "${ac_cv_objext+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
--else
-- cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h. */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
- int
-@@ -2191,51 +2537,46 @@
- }
- _ACEOF
- rm -f conftest.o conftest.obj
--if { (ac_try="$ac_compile"
-+if { { ac_try="$ac_compile"
- case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
- esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
- (eval "$ac_compile") 2>&5
- ac_status=$?
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); }; then
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }; then :
- for ac_file in conftest.o conftest.obj conftest.*; do
- test -f "$ac_file" || continue;
- case $ac_file in
-- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;;
-+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;;
- *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
- break;;
- esac
- done
- else
-- echo "$as_me: failed program was:" >&5
-+ $as_echo "$as_me: failed program was:" >&5
- sed 's/^/| /' conftest.$ac_ext >&5
-
--{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
--See \`config.log' for more details." >&5
--echo "$as_me: error: cannot compute suffix of object files: cannot compile
--See \`config.log' for more details." >&2;}
-- { (exit 1); exit 1; }; }
-+{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "cannot compute suffix of object files: cannot compile
-+See \`config.log' for more details" "$LINENO" 5 ; }
- fi
--
- rm -f conftest.$ac_cv_objext conftest.$ac_ext
- fi
--{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
--echo "${ECHO_T}$ac_cv_objext" >&6; }
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5
-+$as_echo "$ac_cv_objext" >&6; }
- OBJEXT=$ac_cv_objext
- ac_objext=$OBJEXT
--{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
--echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
--if test "${ac_cv_c_compiler_gnu+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5
-+$as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
-+if test "${ac_cv_c_compiler_gnu+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
-- cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h. */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
- int
-@@ -2249,54 +2590,34 @@
- return 0;
- }
- _ACEOF
--rm -f conftest.$ac_objext
--if { (ac_try="$ac_compile"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_compile") 2>conftest.er1
-- ac_status=$?
-- grep -v '^ *+' conftest.er1 >conftest.err
-- rm -f conftest.er1
-- cat conftest.err >&5
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); } && {
-- test -z "$ac_c_werror_flag" ||
-- test ! -s conftest.err
-- } && test -s conftest.$ac_objext; then
-+if ac_fn_c_try_compile "$LINENO"; then :
- ac_compiler_gnu=yes
- else
-- echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
--
-- ac_compiler_gnu=no
-+ ac_compiler_gnu=no
- fi
--
- rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- ac_cv_c_compiler_gnu=$ac_compiler_gnu
-
- fi
--{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
--echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
--GCC=`test $ac_compiler_gnu = yes && echo yes`
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5
-+$as_echo "$ac_cv_c_compiler_gnu" >&6; }
-+if test $ac_compiler_gnu = yes; then
-+ GCC=yes
-+else
-+ GCC=
-+fi
- ac_test_CFLAGS=${CFLAGS+set}
- ac_save_CFLAGS=$CFLAGS
--{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
--echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
--if test "${ac_cv_prog_cc_g+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5
-+$as_echo_n "checking whether $CC accepts -g... " >&6; }
-+if test "${ac_cv_prog_cc_g+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- ac_save_c_werror_flag=$ac_c_werror_flag
- ac_c_werror_flag=yes
- ac_cv_prog_cc_g=no
- CFLAGS="-g"
-- cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h. */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
- int
-@@ -2307,34 +2628,11 @@
- return 0;
- }
- _ACEOF
--rm -f conftest.$ac_objext
--if { (ac_try="$ac_compile"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_compile") 2>conftest.er1
-- ac_status=$?
-- grep -v '^ *+' conftest.er1 >conftest.err
-- rm -f conftest.er1
-- cat conftest.err >&5
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); } && {
-- test -z "$ac_c_werror_flag" ||
-- test ! -s conftest.err
-- } && test -s conftest.$ac_objext; then
-+if ac_fn_c_try_compile "$LINENO"; then :
- ac_cv_prog_cc_g=yes
- else
-- echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
--
-- CFLAGS=""
-- cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h. */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+ CFLAGS=""
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
- int
-@@ -2345,35 +2643,12 @@
- return 0;
- }
- _ACEOF
--rm -f conftest.$ac_objext
--if { (ac_try="$ac_compile"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_compile") 2>conftest.er1
-- ac_status=$?
-- grep -v '^ *+' conftest.er1 >conftest.err
-- rm -f conftest.er1
-- cat conftest.err >&5
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); } && {
-- test -z "$ac_c_werror_flag" ||
-- test ! -s conftest.err
-- } && test -s conftest.$ac_objext; then
-- :
--else
-- echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
-+if ac_fn_c_try_compile "$LINENO"; then :
-
-- ac_c_werror_flag=$ac_save_c_werror_flag
-+else
-+ ac_c_werror_flag=$ac_save_c_werror_flag
- CFLAGS="-g"
-- cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h. */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
- int
-@@ -2384,42 +2659,18 @@
- return 0;
- }
- _ACEOF
--rm -f conftest.$ac_objext
--if { (ac_try="$ac_compile"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_compile") 2>conftest.er1
-- ac_status=$?
-- grep -v '^ *+' conftest.er1 >conftest.err
-- rm -f conftest.er1
-- cat conftest.err >&5
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); } && {
-- test -z "$ac_c_werror_flag" ||
-- test ! -s conftest.err
-- } && test -s conftest.$ac_objext; then
-+if ac_fn_c_try_compile "$LINENO"; then :
- ac_cv_prog_cc_g=yes
--else
-- echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
--
--
- fi
--
- rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- fi
--
- rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- fi
--
- rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- ac_c_werror_flag=$ac_save_c_werror_flag
- fi
--{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
--echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5
-+$as_echo "$ac_cv_prog_cc_g" >&6; }
- if test "$ac_test_CFLAGS" = set; then
- CFLAGS=$ac_save_CFLAGS
- elif test $ac_cv_prog_cc_g = yes; then
-@@ -2435,18 +2686,14 @@
- CFLAGS=
- fi
- fi
--{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
--echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
--if test "${ac_cv_prog_cc_c89+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5
-+$as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
-+if test "${ac_cv_prog_cc_c89+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- ac_cv_prog_cc_c89=no
- ac_save_CC=$CC
--cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h. */
--_ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
- #include <stdarg.h>
- #include <stdio.h>
-@@ -2503,31 +2750,9 @@
- -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
- do
- CC="$ac_save_CC $ac_arg"
-- rm -f conftest.$ac_objext
--if { (ac_try="$ac_compile"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_compile") 2>conftest.er1
-- ac_status=$?
-- grep -v '^ *+' conftest.er1 >conftest.err
-- rm -f conftest.er1
-- cat conftest.err >&5
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); } && {
-- test -z "$ac_c_werror_flag" ||
-- test ! -s conftest.err
-- } && test -s conftest.$ac_objext; then
-+ if ac_fn_c_try_compile "$LINENO"; then :
- ac_cv_prog_cc_c89=$ac_arg
--else
-- echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
--
--
- fi
--
- rm -f core conftest.err conftest.$ac_objext
- test "x$ac_cv_prog_cc_c89" != "xno" && break
- done
-@@ -2538,17 +2763,19 @@
- # AC_CACHE_VAL
- case "x$ac_cv_prog_cc_c89" in
- x)
-- { echo "$as_me:$LINENO: result: none needed" >&5
--echo "${ECHO_T}none needed" >&6; } ;;
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5
-+$as_echo "none needed" >&6; } ;;
- xno)
-- { echo "$as_me:$LINENO: result: unsupported" >&5
--echo "${ECHO_T}unsupported" >&6; } ;;
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5
-+$as_echo "unsupported" >&6; } ;;
- *)
- CC="$CC $ac_cv_prog_cc_c89"
-- { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
--echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5
-+$as_echo "$ac_cv_prog_cc_c89" >&6; } ;;
- esac
-+if test "x$ac_cv_prog_cc_c89" != xno; then :
-
-+fi
-
- ac_ext=c
- ac_cpp='$CPP $CPPFLAGS'
-@@ -2557,81 +2784,474 @@
- ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-
--
--{ echo "$as_me:$LINENO: checking for exchangeTNCCSMessages in -lTNCS" >&5
--echo $ECHO_N "checking for exchangeTNCCSMessages in -lTNCS... $ECHO_C" >&6; }
--if test "${ac_cv_lib_TNCS_exchangeTNCCSMessages+set}" = set; then
-- echo $ECHO_N "(cached) $ECHO_C" >&6
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for processEAPTNCData in -lnaaeap" >&5
-+$as_echo_n "checking for processEAPTNCData in -lnaaeap... " >&6; }
-+if test "${ac_cv_lib_naaeap_processEAPTNCData+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
- else
- ac_check_lib_save_LIBS=$LIBS
--LIBS="-lTNCS $LIBS"
--cat >conftest.$ac_ext <<_ACEOF
--/* confdefs.h. */
-+LIBS="-lnaaeap $LIBS"
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+
-+/* Override any GCC internal prototype to avoid an error.
-+ Use char because int might match the return type of a GCC
-+ builtin and then its argument prototype would still apply. */
-+#ifdef __cplusplus
-+extern "C"
-+#endif
-+char processEAPTNCData ();
-+int
-+main ()
-+{
-+return processEAPTNCData ();
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+if ac_fn_c_try_link "$LINENO"; then :
-+ ac_cv_lib_naaeap_processEAPTNCData=yes
-+else
-+ ac_cv_lib_naaeap_processEAPTNCData=no
-+fi
-+rm -f core conftest.err conftest.$ac_objext \
-+ conftest$ac_exeext conftest.$ac_ext
-+LIBS=$ac_check_lib_save_LIBS
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_naaeap_processEAPTNCData" >&5
-+$as_echo "$ac_cv_lib_naaeap_processEAPTNCData" >&6; }
-+if test "x$ac_cv_lib_naaeap_processEAPTNCData" = x""yes; then :
-+ cat >>confdefs.h <<_ACEOF
-+#define HAVE_LIBNAAEAP 1
-+_ACEOF
-+
-+ LIBS="-lnaaeap $LIBS"
-+
-+else
-+ fail="$fail -lnaaeap"
-+fi
-+
-+ if test -x"$ac_cv_lib_NAAEAP_processEAPTNCData" == -x"no"; then
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the NAAEAP library was not found!" >&5
-+$as_echo "$as_me: WARNING: the NAAEAP library was not found!" >&2;}
-+ fail="$fail -lNAAEAP"
-+ fi
-+
-+ ac_ext=c
-+ac_cpp='$CPP $CPPFLAGS'
-+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-+ac_compiler_gnu=$ac_cv_c_compiler_gnu
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5
-+$as_echo_n "checking how to run the C preprocessor... " >&6; }
-+# On Suns, sometimes $CPP names a directory.
-+if test -n "$CPP" && test -d "$CPP"; then
-+ CPP=
-+fi
-+if test -z "$CPP"; then
-+ if test "${ac_cv_prog_CPP+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
-+else
-+ # Double quotes because CPP needs to be expanded
-+ for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
-+ do
-+ ac_preproc_ok=false
-+for ac_c_preproc_warn_flag in '' yes
-+do
-+ # Use a header file that comes with gcc, so configuring glibc
-+ # with a fresh cross-compiler works.
-+ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-+ # <limits.h> exists even on freestanding compilers.
-+ # On the NeXT, cc -E runs the code through the compiler's parser,
-+ # not just through cpp. "Syntax error" is here to catch this case.
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#ifdef __STDC__
-+# include <limits.h>
-+#else
-+# include <assert.h>
-+#endif
-+ Syntax error
-+_ACEOF
-+if ac_fn_c_try_cpp "$LINENO"; then :
-+
-+else
-+ # Broken: fails on valid input.
-+continue
-+fi
-+rm -f conftest.err conftest.i conftest.$ac_ext
-+
-+ # OK, works on sane cases. Now check whether nonexistent headers
-+ # can be detected and how.
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <ac_nonexistent.h>
-+_ACEOF
-+if ac_fn_c_try_cpp "$LINENO"; then :
-+ # Broken: success on invalid input.
-+continue
-+else
-+ # Passes both tests.
-+ac_preproc_ok=:
-+break
-+fi
-+rm -f conftest.err conftest.i conftest.$ac_ext
-+
-+done
-+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-+rm -f conftest.i conftest.err conftest.$ac_ext
-+if $ac_preproc_ok; then :
-+ break
-+fi
-+
-+ done
-+ ac_cv_prog_CPP=$CPP
-+
-+fi
-+ CPP=$ac_cv_prog_CPP
-+else
-+ ac_cv_prog_CPP=$CPP
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5
-+$as_echo "$CPP" >&6; }
-+ac_preproc_ok=false
-+for ac_c_preproc_warn_flag in '' yes
-+do
-+ # Use a header file that comes with gcc, so configuring glibc
-+ # with a fresh cross-compiler works.
-+ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-+ # <limits.h> exists even on freestanding compilers.
-+ # On the NeXT, cc -E runs the code through the compiler's parser,
-+ # not just through cpp. "Syntax error" is here to catch this case.
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#ifdef __STDC__
-+# include <limits.h>
-+#else
-+# include <assert.h>
-+#endif
-+ Syntax error
-+_ACEOF
-+if ac_fn_c_try_cpp "$LINENO"; then :
-+
-+else
-+ # Broken: fails on valid input.
-+continue
-+fi
-+rm -f conftest.err conftest.i conftest.$ac_ext
-+
-+ # OK, works on sane cases. Now check whether nonexistent headers
-+ # can be detected and how.
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <ac_nonexistent.h>
-+_ACEOF
-+if ac_fn_c_try_cpp "$LINENO"; then :
-+ # Broken: success on invalid input.
-+continue
-+else
-+ # Passes both tests.
-+ac_preproc_ok=:
-+break
-+fi
-+rm -f conftest.err conftest.i conftest.$ac_ext
-+
-+done
-+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-+rm -f conftest.i conftest.err conftest.$ac_ext
-+if $ac_preproc_ok; then :
-+
-+else
-+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-+as_fn_error $? "C preprocessor \"$CPP\" fails sanity check
-+See \`config.log' for more details" "$LINENO" 5 ; }
-+fi
-+
-+ac_ext=c
-+ac_cpp='$CPP $CPPFLAGS'
-+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-+ac_compiler_gnu=$ac_cv_c_compiler_gnu
-+
-+
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5
-+$as_echo_n "checking for grep that handles long lines and -e... " >&6; }
-+if test "${ac_cv_path_GREP+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
-+else
-+ if test -z "$GREP"; then
-+ ac_path_GREP_found=false
-+ # Loop through the user's path and test for each of PROGNAME-LIST
-+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
-+do
-+ IFS=$as_save_IFS
-+ test -z "$as_dir" && as_dir=.
-+ for ac_prog in grep ggrep; do
-+ for ac_exec_ext in '' $ac_executable_extensions; do
-+ ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
-+ { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
-+# Check for GNU ac_path_GREP and select it if it is found.
-+ # Check for GNU $ac_path_GREP
-+case `"$ac_path_GREP" --version 2>&1` in
-+*GNU*)
-+ ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
-+*)
-+ ac_count=0
-+ $as_echo_n 0123456789 >"conftest.in"
-+ while :
-+ do
-+ cat "conftest.in" "conftest.in" >"conftest.tmp"
-+ mv "conftest.tmp" "conftest.in"
-+ cp "conftest.in" "conftest.nl"
-+ $as_echo 'GREP' >> "conftest.nl"
-+ "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
-+ diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
-+ as_fn_arith $ac_count + 1 && ac_count=$as_val
-+ if test $ac_count -gt ${ac_path_GREP_max-0}; then
-+ # Best one so far, save it but keep looking for a better one
-+ ac_cv_path_GREP="$ac_path_GREP"
-+ ac_path_GREP_max=$ac_count
-+ fi
-+ # 10*(2^10) chars as input seems more than enough
-+ test $ac_count -gt 10 && break
-+ done
-+ rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
-+esac
-+
-+ $ac_path_GREP_found && break 3
-+ done
-+ done
-+ done
-+IFS=$as_save_IFS
-+ if test -z "$ac_cv_path_GREP"; then
-+ as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
-+ fi
-+else
-+ ac_cv_path_GREP=$GREP
-+fi
-+
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5
-+$as_echo "$ac_cv_path_GREP" >&6; }
-+ GREP="$ac_cv_path_GREP"
-+
-+
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5
-+$as_echo_n "checking for egrep... " >&6; }
-+if test "${ac_cv_path_EGREP+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
-+else
-+ if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
-+ then ac_cv_path_EGREP="$GREP -E"
-+ else
-+ if test -z "$EGREP"; then
-+ ac_path_EGREP_found=false
-+ # Loop through the user's path and test for each of PROGNAME-LIST
-+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
-+do
-+ IFS=$as_save_IFS
-+ test -z "$as_dir" && as_dir=.
-+ for ac_prog in egrep; do
-+ for ac_exec_ext in '' $ac_executable_extensions; do
-+ ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
-+ { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
-+# Check for GNU ac_path_EGREP and select it if it is found.
-+ # Check for GNU $ac_path_EGREP
-+case `"$ac_path_EGREP" --version 2>&1` in
-+*GNU*)
-+ ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
-+*)
-+ ac_count=0
-+ $as_echo_n 0123456789 >"conftest.in"
-+ while :
-+ do
-+ cat "conftest.in" "conftest.in" >"conftest.tmp"
-+ mv "conftest.tmp" "conftest.in"
-+ cp "conftest.in" "conftest.nl"
-+ $as_echo 'EGREP' >> "conftest.nl"
-+ "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
-+ diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
-+ as_fn_arith $ac_count + 1 && ac_count=$as_val
-+ if test $ac_count -gt ${ac_path_EGREP_max-0}; then
-+ # Best one so far, save it but keep looking for a better one
-+ ac_cv_path_EGREP="$ac_path_EGREP"
-+ ac_path_EGREP_max=$ac_count
-+ fi
-+ # 10*(2^10) chars as input seems more than enough
-+ test $ac_count -gt 10 && break
-+ done
-+ rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
-+esac
-+
-+ $ac_path_EGREP_found && break 3
-+ done
-+ done
-+ done
-+IFS=$as_save_IFS
-+ if test -z "$ac_cv_path_EGREP"; then
-+ as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
-+ fi
-+else
-+ ac_cv_path_EGREP=$EGREP
-+fi
-+
-+ fi
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5
-+$as_echo "$ac_cv_path_EGREP" >&6; }
-+ EGREP="$ac_cv_path_EGREP"
-+
-+
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
-+$as_echo_n "checking for ANSI C header files... " >&6; }
-+if test "${ac_cv_header_stdc+set}" = set; then :
-+ $as_echo_n "(cached) " >&6
-+else
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <stdlib.h>
-+#include <stdarg.h>
-+#include <string.h>
-+#include <float.h>
-+
-+int
-+main ()
-+{
-+
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+if ac_fn_c_try_compile "$LINENO"; then :
-+ ac_cv_header_stdc=yes
-+else
-+ ac_cv_header_stdc=no
-+fi
-+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-+
-+if test $ac_cv_header_stdc = yes; then
-+ # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <string.h>
-+
- _ACEOF
--cat confdefs.h >>conftest.$ac_ext
--cat >>conftest.$ac_ext <<_ACEOF
-+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-+ $EGREP "memchr" >/dev/null 2>&1; then :
-+
-+else
-+ ac_cv_header_stdc=no
-+fi
-+rm -f conftest*
-+
-+fi
-+
-+if test $ac_cv_header_stdc = yes; then
-+ # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <stdlib.h>
-+
-+_ACEOF
-+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-+ $EGREP "free" >/dev/null 2>&1; then :
-+
-+else
-+ ac_cv_header_stdc=no
-+fi
-+rm -f conftest*
-+
-+fi
-+
-+if test $ac_cv_header_stdc = yes; then
-+ # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
-+ if test "$cross_compiling" = yes; then :
-+ :
-+else
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
--
--/* Override any GCC internal prototype to avoid an error.
-- Use char because int might match the return type of a GCC
-- builtin and then its argument prototype would still apply. */
--#ifdef __cplusplus
--extern "C"
-+#include <ctype.h>
-+#include <stdlib.h>
-+#if ((' ' & 0x0FF) == 0x020)
-+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
-+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
-+#else
-+# define ISLOWER(c) \
-+ (('a' <= (c) && (c) <= 'i') \
-+ || ('j' <= (c) && (c) <= 'r') \
-+ || ('s' <= (c) && (c) <= 'z'))
-+# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
- #endif
--char exchangeTNCCSMessages ();
-+
-+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
- int
- main ()
- {
--return exchangeTNCCSMessages ();
-- ;
-+ int i;
-+ for (i = 0; i < 256; i++)
-+ if (XOR (islower (i), ISLOWER (i))
-+ || toupper (i) != TOUPPER (i))
-+ return 2;
- return 0;
- }
- _ACEOF
--rm -f conftest.$ac_objext conftest$ac_exeext
--if { (ac_try="$ac_link"
--case "(($ac_try" in
-- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-- *) ac_try_echo=$ac_try;;
--esac
--eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-- (eval "$ac_link") 2>conftest.er1
-- ac_status=$?
-- grep -v '^ *+' conftest.er1 >conftest.err
-- rm -f conftest.er1
-- cat conftest.err >&5
-- echo "$as_me:$LINENO: \$? = $ac_status" >&5
-- (exit $ac_status); } && {
-- test -z "$ac_c_werror_flag" ||
-- test ! -s conftest.err
-- } && test -s conftest$ac_exeext &&
-- $as_test_x conftest$ac_exeext; then
-- ac_cv_lib_TNCS_exchangeTNCCSMessages=yes
-+if ac_fn_c_try_run "$LINENO"; then :
-+
- else
-- echo "$as_me: failed program was:" >&5
--sed 's/^/| /' conftest.$ac_ext >&5
-+ ac_cv_header_stdc=no
-+fi
-+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
-+ conftest.$ac_objext conftest.beam conftest.$ac_ext
-+fi
-
-- ac_cv_lib_TNCS_exchangeTNCCSMessages=no
- fi
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5
-+$as_echo "$ac_cv_header_stdc" >&6; }
-+if test $ac_cv_header_stdc = yes; then
-+
-+$as_echo "#define STDC_HEADERS 1" >>confdefs.h
-
--rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-- conftest$ac_exeext conftest.$ac_ext
--LIBS=$ac_check_lib_save_LIBS
- fi
--{ echo "$as_me:$LINENO: result: $ac_cv_lib_TNCS_exchangeTNCCSMessages" >&5
--echo "${ECHO_T}$ac_cv_lib_TNCS_exchangeTNCCSMessages" >&6; }
--if test $ac_cv_lib_TNCS_exchangeTNCCSMessages = yes; then
-+
-+# On IRIX 5.3, sys/types and inttypes.h are conflicting.
-+for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
-+ inttypes.h stdint.h unistd.h
-+do :
-+ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-+ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
-+"
-+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
- cat >>confdefs.h <<_ACEOF
--#define HAVE_LIBTNCS 1
-+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
- _ACEOF
-
-- LIBS="-lTNCS $LIBS"
-+fi
-+
-+done
-+
-+
-+for ac_header in naaeap/naaeap.h
-+do :
-+ ac_fn_c_check_header_mongrel "$LINENO" "naaeap/naaeap.h" "ac_cv_header_naaeap_naaeap_h" "$ac_includes_default"
-+if test "x$ac_cv_header_naaeap_naaeap_h" = x""yes; then :
-+ cat >>confdefs.h <<_ACEOF
-+#define HAVE_NAAEAP_NAAEAP_H 1
-+_ACEOF
-
-+else
-+ fail="$fail -Inaaeap.h"
- fi
-
-- if test "x$ac_cv_lib_tncs_exchangetnccsmessages" != xyes; then
-- { echo "$as_me:$LINENO: WARNING: the TNCS library isn't found!" >&5
--echo "$as_me: WARNING: the TNCS library isn't found!" >&2;}
-- fail="$fail -lTNCS"
-+done
-+
-+ if test -x"$ac_cv_header_naaeap_h" == -x"no"; then
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the naaeap header was not found!" >&5
-+$as_echo "$as_me: WARNING: the naaeap header was not found!" >&2;}
-+ fail="$fail -Inaaeap.h"
- fi
-
- targetname=rlm_eap_tnc
-@@ -2642,14 +3262,12 @@
-
- if test x"$fail" != x""; then
- if test x"${enable_strict_dependencies}" = x"yes"; then
-- { { echo "$as_me:$LINENO: error: set --without-rlm_eap_tnc to disable it explicitly." >&5
--echo "$as_me: error: set --without-rlm_eap_tnc to disable it explicitly." >&2;}
-- { (exit 1); exit 1; }; }
-+ as_fn_error $? "set --without-rlm_eap_tnc to disable it explicitly." "$LINENO" 5
- else
-- { echo "$as_me:$LINENO: WARNING: silently not building rlm_eap_tnc." >&5
--echo "$as_me: WARNING: silently not building rlm_eap_tnc." >&2;}
-- { echo "$as_me:$LINENO: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&5
--echo "$as_me: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&2;};
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: silently not building rlm_eap_tnc." >&5
-+$as_echo "$as_me: WARNING: silently not building rlm_eap_tnc." >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&5
-+$as_echo "$as_me: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&2;};
- targetname=""
- fi
- fi
-@@ -2658,11 +3276,7 @@
-
-
-
--
-- unset ac_cv_env_LIBS_set
-- unset ac_cv_env_LIBS_value
--
-- ac_config_files="$ac_config_files Makefile"
-+ac_config_files="$ac_config_files Makefile"
-
- cat >confcache <<\_ACEOF
- # This file is a shell script that caches the results of configure
-@@ -2691,12 +3305,13 @@
- case $ac_val in #(
- *${as_nl}*)
- case $ac_var in #(
-- *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
--echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
-+ *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
-+$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
- esac
- case $ac_var in #(
- _ | IFS | as_nl) ;; #(
-- *) $as_unset $ac_var ;;
-+ BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
-+ *) { eval $ac_var=; unset $ac_var;} ;;
- esac ;;
- esac
- done
-@@ -2704,8 +3319,8 @@
- (set) 2>&1 |
- case $as_nl`(ac_space=' '; set) 2>&1` in #(
- *${as_nl}ac_space=\ *)
-- # `set' does not quote correctly, so add quotes (double-quote
-- # substitution turns \\\\ into \\, and sed turns \\ into \).
-+ # `set' does not quote correctly, so add quotes: double-quote
-+ # substitution turns \\\\ into \\, and sed turns \\ into \.
- sed -n \
- "s/'/'\\\\''/g;
- s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
-@@ -2728,12 +3343,12 @@
- if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
- if test -w "$cache_file"; then
- test "x$cache_file" != "x/dev/null" &&
-- { echo "$as_me:$LINENO: updating cache $cache_file" >&5
--echo "$as_me: updating cache $cache_file" >&6;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5
-+$as_echo "$as_me: updating cache $cache_file" >&6;}
- cat confcache >$cache_file
- else
-- { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
--echo "$as_me: not updating unwritable cache $cache_file" >&6;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5
-+$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
- fi
- fi
- rm -f confcache
-@@ -2750,6 +3365,12 @@
- # take arguments), then branch to the quote section. Otherwise,
- # look for a macro that doesn't take arguments.
- ac_script='
-+:mline
-+/\\$/{
-+ N
-+ s,\\\n,,
-+ b mline
-+}
- t clear
- :clear
- s/^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*([^)]*)\)[ ]*\(.*\)/-D\1=\2/g
-@@ -2776,14 +3397,15 @@
-
- ac_libobjs=
- ac_ltlibobjs=
-+U=
- for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
- # 1. Remove the extension, and $U if already installed.
- ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
-- ac_i=`echo "$ac_i" | sed "$ac_script"`
-+ ac_i=`$as_echo "$ac_i" | sed "$ac_script"`
- # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR
- # will be set to the directory where LIBOBJS objects are built.
-- ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
-- ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo'
-+ as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext"
-+ as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo'
- done
- LIBOBJS=$ac_libobjs
-
-@@ -2792,11 +3414,13 @@
-
-
- : ${CONFIG_STATUS=./config.status}
-+ac_write_fail=0
- ac_clean_files_save=$ac_clean_files
- ac_clean_files="$ac_clean_files $CONFIG_STATUS"
--{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
--echo "$as_me: creating $CONFIG_STATUS" >&6;}
--cat >$CONFIG_STATUS <<_ACEOF
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5
-+$as_echo "$as_me: creating $CONFIG_STATUS" >&6;}
-+as_write_fail=0
-+cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1
- #! $SHELL
- # Generated by $as_me.
- # Run this file to recreate the current configuration.
-@@ -2806,59 +3430,79 @@
- debug=false
- ac_cs_recheck=false
- ac_cs_silent=false
--SHELL=\${CONFIG_SHELL-$SHELL}
--_ACEOF
-
--cat >>$CONFIG_STATUS <<\_ACEOF
--## --------------------- ##
--## M4sh Initialization. ##
--## --------------------- ##
-+SHELL=\${CONFIG_SHELL-$SHELL}
-+export SHELL
-+_ASEOF
-+cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1
-+## -------------------- ##
-+## M4sh Initialization. ##
-+## -------------------- ##
-
- # Be more Bourne compatible
- DUALCASE=1; export DUALCASE # for MKS sh
--if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
- emulate sh
- NULLCMD=:
-- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-+ # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
- # is contrary to our usage. Disable this feature.
- alias -g '${1+"$@"}'='"$@"'
- setopt NO_GLOB_SUBST
- else
-- case `(set -o) 2>/dev/null` in
-- *posix*) set -o posix ;;
-+ case `(set -o) 2>/dev/null` in #(
-+ *posix*) :
-+ set -o posix ;; #(
-+ *) :
-+ ;;
- esac
--
- fi
-
-
--
--
--# PATH needs CR
--# Avoid depending upon Character Ranges.
--as_cr_letters='abcdefghijklmnopqrstuvwxyz'
--as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
--as_cr_Letters=$as_cr_letters$as_cr_LETTERS
--as_cr_digits='0123456789'
--as_cr_alnum=$as_cr_Letters$as_cr_digits
--
--# The user is always right.
--if test "${PATH_SEPARATOR+set}" != set; then
-- echo "#! /bin/sh" >conf$$.sh
-- echo "exit 0" >>conf$$.sh
-- chmod +x conf$$.sh
-- if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
-- PATH_SEPARATOR=';'
-+as_nl='
-+'
-+export as_nl
-+# Printing a long string crashes Solaris 7 /usr/bin/printf.
-+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
-+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
-+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
-+# Prefer a ksh shell builtin over an external printf program on Solaris,
-+# but without wasting forks for bash or zsh.
-+if test -z "$BASH_VERSION$ZSH_VERSION" \
-+ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
-+ as_echo='print -r --'
-+ as_echo_n='print -rn --'
-+elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
-+ as_echo='printf %s\n'
-+ as_echo_n='printf %s'
-+else
-+ if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
-+ as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
-+ as_echo_n='/usr/ucb/echo -n'
- else
-- PATH_SEPARATOR=:
-+ as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
-+ as_echo_n_body='eval
-+ arg=$1;
-+ case $arg in #(
-+ *"$as_nl"*)
-+ expr "X$arg" : "X\\(.*\\)$as_nl";
-+ arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
-+ esac;
-+ expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
-+ '
-+ export as_echo_n_body
-+ as_echo_n='sh -c $as_echo_n_body as_echo'
- fi
-- rm -f conf$$.sh
-+ export as_echo_body
-+ as_echo='sh -c $as_echo_body as_echo'
- fi
-
--# Support unset when possible.
--if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
-- as_unset=unset
--else
-- as_unset=false
-+# The user is always right.
-+if test "${PATH_SEPARATOR+set}" != set; then
-+ PATH_SEPARATOR=:
-+ (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
-+ (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
-+ PATH_SEPARATOR=';'
-+ }
- fi
-
-
-@@ -2867,20 +3511,18 @@
- # there to prevent editors from complaining about space-tab.
- # (If _AS_PATH_WALK were called with IFS unset, it would disable word
- # splitting by setting IFS to empty value.)
--as_nl='
--'
- IFS=" "" $as_nl"
-
- # Find who we are. Look in the path if we contain no directory separator.
--case $0 in
-+case $0 in #((
- *[\\/]* ) as_myself=$0 ;;
- *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
- for as_dir in $PATH
- do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
-- test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
--done
-+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-+ done
- IFS=$as_save_IFS
-
- ;;
-@@ -2891,32 +3533,111 @@
- as_myself=$0
- fi
- if test ! -f "$as_myself"; then
-- echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
-- { (exit 1); exit 1; }
-+ $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
-+ exit 1
- fi
-
--# Work around bugs in pre-3.0 UWIN ksh.
--for as_var in ENV MAIL MAILPATH
--do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-+# Unset variables that we do not need and which cause bugs (e.g. in
-+# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1"
-+# suppresses any "Segmentation fault" message there. '((' could
-+# trigger a bug in pdksh 5.2.14.
-+for as_var in BASH_ENV ENV MAIL MAILPATH
-+do eval test x\${$as_var+set} = xset \
-+ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
- done
- PS1='$ '
- PS2='> '
- PS4='+ '
-
- # NLS nuisances.
--for as_var in \
-- LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
-- LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
-- LC_TELEPHONE LC_TIME
--do
-- if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
-- eval $as_var=C; export $as_var
-- else
-- ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-+LC_ALL=C
-+export LC_ALL
-+LANGUAGE=C
-+export LANGUAGE
-+
-+# CDPATH.
-+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-+
-+
-+# as_fn_error STATUS ERROR [LINENO LOG_FD]
-+# ----------------------------------------
-+# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
-+# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
-+# script with STATUS, using 1 if that was 0.
-+as_fn_error ()
-+{
-+ as_status=$1; test $as_status -eq 0 && as_status=1
-+ if test "$4"; then
-+ as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
- fi
--done
-+ $as_echo "$as_me: error: $2" >&2
-+ as_fn_exit $as_status
-+} # as_fn_error
-+
-+
-+# as_fn_set_status STATUS
-+# -----------------------
-+# Set $? to STATUS, without forking.
-+as_fn_set_status ()
-+{
-+ return $1
-+} # as_fn_set_status
-+
-+# as_fn_exit STATUS
-+# -----------------
-+# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
-+as_fn_exit ()
-+{
-+ set +e
-+ as_fn_set_status $1
-+ exit $1
-+} # as_fn_exit
-+
-+# as_fn_unset VAR
-+# ---------------
-+# Portably unset VAR.
-+as_fn_unset ()
-+{
-+ { eval $1=; unset $1;}
-+}
-+as_unset=as_fn_unset
-+# as_fn_append VAR VALUE
-+# ----------------------
-+# Append the text in VALUE to the end of the definition contained in VAR. Take
-+# advantage of any shell optimizations that allow amortized linear growth over
-+# repeated appends, instead of the typical quadratic growth present in naive
-+# implementations.
-+if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
-+ eval 'as_fn_append ()
-+ {
-+ eval $1+=\$2
-+ }'
-+else
-+ as_fn_append ()
-+ {
-+ eval $1=\$$1\$2
-+ }
-+fi # as_fn_append
-+
-+# as_fn_arith ARG...
-+# ------------------
-+# Perform arithmetic evaluation on the ARGs, and store the result in the
-+# global $as_val. Take advantage of shells that can avoid forks. The arguments
-+# must be portable across $(()) and expr.
-+if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
-+ eval 'as_fn_arith ()
-+ {
-+ as_val=$(( $* ))
-+ }'
-+else
-+ as_fn_arith ()
-+ {
-+ as_val=`expr "$@" || test $? -eq 1`
-+ }
-+fi # as_fn_arith
-+
-
--# Required to use basename.
- if expr a : '\(a\)' >/dev/null 2>&1 &&
- test "X`expr 00001 : '.*\(...\)'`" = X001; then
- as_expr=expr
-@@ -2930,13 +3651,17 @@
- as_basename=false
- fi
-
-+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
-+ as_dirname=dirname
-+else
-+ as_dirname=false
-+fi
-
--# Name of the executable.
- as_me=`$as_basename -- "$0" ||
- $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
- X"$0" : 'X\(//\)$' \| \
- X"$0" : 'X\(/\)' \| . 2>/dev/null ||
--echo X/"$0" |
-+$as_echo X/"$0" |
- sed '/^.*\/\([^/][^/]*\)\/*$/{
- s//\1/
- q
-@@ -2951,104 +3676,103 @@
- }
- s/.*/./; q'`
-
--# CDPATH.
--$as_unset CDPATH
--
--
--
-- as_lineno_1=$LINENO
-- as_lineno_2=$LINENO
-- test "x$as_lineno_1" != "x$as_lineno_2" &&
-- test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
--
-- # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
-- # uniformly replaced by the line number. The first 'sed' inserts a
-- # line-number line after each line using $LINENO; the second 'sed'
-- # does the real work. The second script uses 'N' to pair each
-- # line-number line with the line containing $LINENO, and appends
-- # trailing '-' during substitution so that $LINENO is not a special
-- # case at line end.
-- # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
-- # scripts with optimization help from Paolo Bonzini. Blame Lee
-- # E. McMahon (1931-1989) for sed's syntax. :-)
-- sed -n '
-- p
-- /[$]LINENO/=
-- ' <$as_myself |
-- sed '
-- s/[$]LINENO.*/&-/
-- t lineno
-- b
-- :lineno
-- N
-- :loop
-- s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
-- t loop
-- s/-\n.*//
-- ' >$as_me.lineno &&
-- chmod +x "$as_me.lineno" ||
-- { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
-- { (exit 1); exit 1; }; }
--
-- # Don't try to exec as it changes $[0], causing all sort of problems
-- # (the dirname of $[0] is not the place where we might find the
-- # original and so on. Autoconf is especially sensitive to this).
-- . "./$as_me.lineno"
-- # Exit status is that of the last command.
-- exit
--}
--
--
--if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
-- as_dirname=dirname
--else
-- as_dirname=false
--fi
-+# Avoid depending upon Character Ranges.
-+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-+as_cr_digits='0123456789'
-+as_cr_alnum=$as_cr_Letters$as_cr_digits
-
- ECHO_C= ECHO_N= ECHO_T=
--case `echo -n x` in
-+case `echo -n x` in #(((((
- -n*)
-- case `echo 'x\c'` in
-+ case `echo 'xy\c'` in
- *c*) ECHO_T=' ';; # ECHO_T is single tab character.
-- *) ECHO_C='\c';;
-+ xy) ECHO_C='\c';;
-+ *) echo `echo ksh88 bug on AIX 6.1` > /dev/null
-+ ECHO_T=' ';;
- esac;;
- *)
- ECHO_N='-n';;
- esac
-
--if expr a : '\(a\)' >/dev/null 2>&1 &&
-- test "X`expr 00001 : '.*\(...\)'`" = X001; then
-- as_expr=expr
--else
-- as_expr=false
--fi
--
- rm -f conf$$ conf$$.exe conf$$.file
- if test -d conf$$.dir; then
- rm -f conf$$.dir/conf$$.file
- else
- rm -f conf$$.dir
-- mkdir conf$$.dir
-+ mkdir conf$$.dir 2>/dev/null
- fi
--echo >conf$$.file
--if ln -s conf$$.file conf$$ 2>/dev/null; then
-- as_ln_s='ln -s'
-- # ... but there are two gotchas:
-- # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-- # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-- # In both cases, we have to default to `cp -p'.
-- ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-+if (echo >conf$$.file) 2>/dev/null; then
-+ if ln -s conf$$.file conf$$ 2>/dev/null; then
-+ as_ln_s='ln -s'
-+ # ... but there are two gotchas:
-+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-+ # In both cases, we have to default to `cp -p'.
-+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-+ as_ln_s='cp -p'
-+ elif ln conf$$.file conf$$ 2>/dev/null; then
-+ as_ln_s=ln
-+ else
- as_ln_s='cp -p'
--elif ln conf$$.file conf$$ 2>/dev/null; then
-- as_ln_s=ln
-+ fi
- else
- as_ln_s='cp -p'
- fi
- rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
- rmdir conf$$.dir 2>/dev/null
-
-+
-+# as_fn_mkdir_p
-+# -------------
-+# Create "$as_dir" as a directory, including parents if necessary.
-+as_fn_mkdir_p ()
-+{
-+
-+ case $as_dir in #(
-+ -*) as_dir=./$as_dir;;
-+ esac
-+ test -d "$as_dir" || eval $as_mkdir_p || {
-+ as_dirs=
-+ while :; do
-+ case $as_dir in #(
-+ *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
-+ *) as_qdir=$as_dir;;
-+ esac
-+ as_dirs="'$as_qdir' $as_dirs"
-+ as_dir=`$as_dirname -- "$as_dir" ||
-+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-+ X"$as_dir" : 'X\(//\)[^/]' \| \
-+ X"$as_dir" : 'X\(//\)$' \| \
-+ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
-+$as_echo X"$as_dir" |
-+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-+ s//\1/
-+ q
-+ }
-+ /^X\(\/\/\)[^/].*/{
-+ s//\1/
-+ q
-+ }
-+ /^X\(\/\/\)$/{
-+ s//\1/
-+ q
-+ }
-+ /^X\(\/\).*/{
-+ s//\1/
-+ q
-+ }
-+ s/.*/./; q'`
-+ test -d "$as_dir" && break
-+ done
-+ test -z "$as_dirs" || eval "mkdir $as_dirs"
-+ } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
-+
-+
-+} # as_fn_mkdir_p
- if mkdir -p . 2>/dev/null; then
-- as_mkdir_p=:
-+ as_mkdir_p='mkdir -p "$as_dir"'
- else
- test -d ./-p && rmdir ./-p
- as_mkdir_p=false
-@@ -3065,12 +3789,12 @@
- as_test_x='
- eval sh -c '\''
- if test -d "$1"; then
-- test -d "$1/.";
-+ test -d "$1/.";
- else
-- case $1 in
-- -*)set "./$1";;
-+ case $1 in #(
-+ -*)set "./$1";;
- esac;
-- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
-+ case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
- ???[sx]*):;;*)false;;esac;fi
- '\'' sh
- '
-@@ -3085,13 +3809,19 @@
-
-
- exec 6>&1
-+## ----------------------------------- ##
-+## Main body of $CONFIG_STATUS script. ##
-+## ----------------------------------- ##
-+_ASEOF
-+test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1
-
--# Save the log message, to keep $[0] and so on meaningful, and to
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
-+# Save the log message, to keep $0 and so on meaningful, and to
- # report actual input values of CONFIG_FILES etc. instead of their
- # values after options handling.
- ac_log="
- This file was extended by $as_me, which was
--generated by GNU Autoconf 2.61. Invocation command line was
-+generated by GNU Autoconf 2.67. Invocation command line was
-
- CONFIG_FILES = $CONFIG_FILES
- CONFIG_HEADERS = $CONFIG_HEADERS
-@@ -3104,59 +3834,74 @@
-
- _ACEOF
-
--cat >>$CONFIG_STATUS <<_ACEOF
-+case $ac_config_files in *"
-+"*) set x $ac_config_files; shift; ac_config_files=$*;;
-+esac
-+
-+
-+
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
- # Files that config.status was made for.
- config_files="$ac_config_files"
-
- _ACEOF
-
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
- ac_cs_usage="\
--\`$as_me' instantiates files from templates according to the
--current configuration.
-+\`$as_me' instantiates files and other configuration actions
-+from templates according to the current configuration. Unless the files
-+and actions are specified as TAGs, all are instantiated by default.
-
--Usage: $0 [OPTIONS] [FILE]...
-+Usage: $0 [OPTION]... [TAG]...
-
- -h, --help print this help, then exit
- -V, --version print version number and configuration settings, then exit
-- -q, --quiet do not print progress messages
-+ --config print configuration, then exit
-+ -q, --quiet, --silent
-+ do not print progress messages
- -d, --debug don't remove temporary files
- --recheck update $as_me by reconfiguring in the same conditions
-- --file=FILE[:TEMPLATE]
-- instantiate the configuration file FILE
-+ --file=FILE[:TEMPLATE]
-+ instantiate the configuration file FILE
-
- Configuration files:
- $config_files
-
--Report bugs to <bug-autoconf@gnu.org>."
-+Report bugs to the package provider."
-
- _ACEOF
--cat >>$CONFIG_STATUS <<_ACEOF
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-+ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
- ac_cs_version="\\
- config.status
--configured by $0, generated by GNU Autoconf 2.61,
-- with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
-+configured by $0, generated by GNU Autoconf 2.67,
-+ with options \\"\$ac_cs_config\\"
-
--Copyright (C) 2006 Free Software Foundation, Inc.
-+Copyright (C) 2010 Free Software Foundation, Inc.
- This config.status script is free software; the Free Software Foundation
- gives unlimited permission to copy, distribute and modify it."
-
- ac_pwd='$ac_pwd'
- srcdir='$srcdir'
-+test -n "\$AWK" || AWK=awk
- _ACEOF
-
--cat >>$CONFIG_STATUS <<\_ACEOF
--# If no file are specified by the user, then we need to provide default
--# value. By we need to know if files were specified by the user.
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
-+# The default lists apply if the user does not specify any file.
- ac_need_defaults=:
- while test $# != 0
- do
- case $1 in
-- --*=*)
-+ --*=?*)
- ac_option=`expr "X$1" : 'X\([^=]*\)='`
- ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
- ac_shift=:
- ;;
-+ --*=)
-+ ac_option=`expr "X$1" : 'X\([^=]*\)='`
-+ ac_optarg=
-+ ac_shift=:
-+ ;;
- *)
- ac_option=$1
- ac_optarg=$2
-@@ -3169,25 +3914,30 @@
- -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
- ac_cs_recheck=: ;;
- --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
-- echo "$ac_cs_version"; exit ;;
-+ $as_echo "$ac_cs_version"; exit ;;
-+ --config | --confi | --conf | --con | --co | --c )
-+ $as_echo "$ac_cs_config"; exit ;;
- --debug | --debu | --deb | --de | --d | -d )
- debug=: ;;
- --file | --fil | --fi | --f )
- $ac_shift
-- CONFIG_FILES="$CONFIG_FILES $ac_optarg"
-+ case $ac_optarg in
-+ *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
-+ '') as_fn_error $? "missing file argument" ;;
-+ esac
-+ as_fn_append CONFIG_FILES " '$ac_optarg'"
- ac_need_defaults=false;;
- --he | --h | --help | --hel | -h )
-- echo "$ac_cs_usage"; exit ;;
-+ $as_echo "$ac_cs_usage"; exit ;;
- -q | -quiet | --quiet | --quie | --qui | --qu | --q \
- | -silent | --silent | --silen | --sile | --sil | --si | --s)
- ac_cs_silent=: ;;
-
- # This is an error.
-- -*) { echo "$as_me: error: unrecognized option: $1
--Try \`$0 --help' for more information." >&2
-- { (exit 1); exit 1; }; } ;;
-+ -*) as_fn_error $? "unrecognized option: \`$1'
-+Try \`$0 --help' for more information." ;;
-
-- *) ac_config_targets="$ac_config_targets $1"
-+ *) as_fn_append ac_config_targets " $1"
- ac_need_defaults=false ;;
-
- esac
-@@ -3202,30 +3952,32 @@
- fi
-
- _ACEOF
--cat >>$CONFIG_STATUS <<_ACEOF
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
- if \$ac_cs_recheck; then
-- echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
-- CONFIG_SHELL=$SHELL
-+ set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
-+ shift
-+ \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
-+ CONFIG_SHELL='$SHELL'
- export CONFIG_SHELL
-- exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
-+ exec "\$@"
- fi
-
- _ACEOF
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
- exec 5>>config.log
- {
- echo
- sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
- ## Running $as_me. ##
- _ASBOX
-- echo "$ac_log"
-+ $as_echo "$ac_log"
- } >&5
-
- _ACEOF
--cat >>$CONFIG_STATUS <<_ACEOF
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
- _ACEOF
-
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
-
- # Handling of arguments.
- for ac_config_target in $ac_config_targets
-@@ -3233,9 +3985,7 @@
- case $ac_config_target in
- "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
-
-- *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
--echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
-- { (exit 1); exit 1; }; };;
-+ *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5 ;;
- esac
- done
-
-@@ -3260,7 +4010,7 @@
- trap 'exit_status=$?
- { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
- ' 0
-- trap '{ (exit 1); exit 1; }' 1 2 13 15
-+ trap 'as_fn_exit 1' 1 2 13 15
- }
- # Create a (secure) tmp directory for tmp files.
-
-@@ -3271,145 +4021,177 @@
- {
- tmp=./conf$$-$RANDOM
- (umask 077 && mkdir "$tmp")
--} ||
--{
-- echo "$me: cannot create a temporary directory in ." >&2
-- { (exit 1); exit 1; }
--}
--
--#
--# Set up the sed scripts for CONFIG_FILES section.
--#
-+} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5
-
--# No need to generate the scripts if there are no CONFIG_FILES.
--# This happens for instance when ./config.status config.h
-+# Set up the scripts for CONFIG_FILES section.
-+# No need to generate them if there are no CONFIG_FILES.
-+# This happens for instance with `./config.status config.h'.
- if test -n "$CONFIG_FILES"; then
-
--_ACEOF
-
-+ac_cr=`echo X | tr X '\015'`
-+# On cygwin, bash can eat \r inside `` if the user requested igncr.
-+# But we know of no other shell where ac_cr would be empty at this
-+# point, so we can use a bashism as a fallback.
-+if test "x$ac_cr" = x; then
-+ eval ac_cr=\$\'\\r\'
-+fi
-+ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' </dev/null 2>/dev/null`
-+if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then
-+ ac_cs_awk_cr='\\r'
-+else
-+ ac_cs_awk_cr=$ac_cr
-+fi
-+
-+echo 'BEGIN {' >"$tmp/subs1.awk" &&
-+_ACEOF
-
-
-+{
-+ echo "cat >conf$$subs.awk <<_ACEOF" &&
-+ echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' &&
-+ echo "_ACEOF"
-+} >conf$$subs.sh ||
-+ as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
-+ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'`
- ac_delim='%!_!# '
- for ac_last_try in false false false false false :; do
-- cat >conf$$subs.sed <<_ACEOF
--SHELL!$SHELL$ac_delim
--PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim
--PACKAGE_NAME!$PACKAGE_NAME$ac_delim
--PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim
--PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim
--PACKAGE_STRING!$PACKAGE_STRING$ac_delim
--PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim
--exec_prefix!$exec_prefix$ac_delim
--prefix!$prefix$ac_delim
--program_transform_name!$program_transform_name$ac_delim
--bindir!$bindir$ac_delim
--sbindir!$sbindir$ac_delim
--libexecdir!$libexecdir$ac_delim
--datarootdir!$datarootdir$ac_delim
--datadir!$datadir$ac_delim
--sysconfdir!$sysconfdir$ac_delim
--sharedstatedir!$sharedstatedir$ac_delim
--localstatedir!$localstatedir$ac_delim
--includedir!$includedir$ac_delim
--oldincludedir!$oldincludedir$ac_delim
--docdir!$docdir$ac_delim
--infodir!$infodir$ac_delim
--htmldir!$htmldir$ac_delim
--dvidir!$dvidir$ac_delim
--pdfdir!$pdfdir$ac_delim
--psdir!$psdir$ac_delim
--libdir!$libdir$ac_delim
--localedir!$localedir$ac_delim
--mandir!$mandir$ac_delim
--DEFS!$DEFS$ac_delim
--ECHO_C!$ECHO_C$ac_delim
--ECHO_N!$ECHO_N$ac_delim
--ECHO_T!$ECHO_T$ac_delim
--LIBS!$LIBS$ac_delim
--build_alias!$build_alias$ac_delim
--host_alias!$host_alias$ac_delim
--target_alias!$target_alias$ac_delim
--CC!$CC$ac_delim
--CFLAGS!$CFLAGS$ac_delim
--LDFLAGS!$LDFLAGS$ac_delim
--CPPFLAGS!$CPPFLAGS$ac_delim
--ac_ct_CC!$ac_ct_CC$ac_delim
--EXEEXT!$EXEEXT$ac_delim
--OBJEXT!$OBJEXT$ac_delim
--eap_tnc_cflags!$eap_tnc_cflags$ac_delim
--eap_tnc_ldflags!$eap_tnc_ldflags$ac_delim
--targetname!$targetname$ac_delim
--LIBOBJS!$LIBOBJS$ac_delim
--LTLIBOBJS!$LTLIBOBJS$ac_delim
--_ACEOF
-+ . ./conf$$subs.sh ||
-+ as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
-
-- if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 49; then
-+ ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X`
-+ if test $ac_delim_n = $ac_delim_num; then
- break
- elif $ac_last_try; then
-- { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
--echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
-- { (exit 1); exit 1; }; }
-+ as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
- else
- ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
- fi
- done
-+rm -f conf$$subs.sh
-
--ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
--if test -n "$ac_eof"; then
-- ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
-- ac_eof=`expr $ac_eof + 1`
--fi
--
--cat >>$CONFIG_STATUS <<_ACEOF
--cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof
--/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
--_ACEOF
--sed '
--s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
--s/^/s,@/; s/!/@,|#_!!_#|/
--:n
--t n
--s/'"$ac_delim"'$/,g/; t
--s/$/\\/; p
--N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
--' >>$CONFIG_STATUS <conf$$subs.sed
--rm -f conf$$subs.sed
--cat >>$CONFIG_STATUS <<_ACEOF
--:end
--s/|#_!!_#|//g
--CEOF$ac_eof
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-+cat >>"\$tmp/subs1.awk" <<\\_ACAWK &&
- _ACEOF
-+sed -n '
-+h
-+s/^/S["/; s/!.*/"]=/
-+p
-+g
-+s/^[^!]*!//
-+:repl
-+t repl
-+s/'"$ac_delim"'$//
-+t delim
-+:nl
-+h
-+s/\(.\{148\}\)..*/\1/
-+t more1
-+s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/
-+p
-+n
-+b repl
-+:more1
-+s/["\\]/\\&/g; s/^/"/; s/$/"\\/
-+p
-+g
-+s/.\{148\}//
-+t nl
-+:delim
-+h
-+s/\(.\{148\}\)..*/\1/
-+t more2
-+s/["\\]/\\&/g; s/^/"/; s/$/"/
-+p
-+b
-+:more2
-+s/["\\]/\\&/g; s/^/"/; s/$/"\\/
-+p
-+g
-+s/.\{148\}//
-+t delim
-+' <conf$$subs.awk | sed '
-+/^[^""]/{
-+ N
-+ s/\n//
-+}
-+' >>$CONFIG_STATUS || ac_write_fail=1
-+rm -f conf$$subs.awk
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-+_ACAWK
-+cat >>"\$tmp/subs1.awk" <<_ACAWK &&
-+ for (key in S) S_is_set[key] = 1
-+ FS = ""
-+
-+}
-+{
-+ line = $ 0
-+ nfields = split(line, field, "@")
-+ substed = 0
-+ len = length(field[1])
-+ for (i = 2; i < nfields; i++) {
-+ key = field[i]
-+ keylen = length(key)
-+ if (S_is_set[key]) {
-+ value = S[key]
-+ line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3)
-+ len += length(value) + length(field[++i])
-+ substed = 1
-+ } else
-+ len += 1 + keylen
-+ }
-+
-+ print line
-+}
-
-+_ACAWK
-+_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
-+if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
-+ sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g"
-+else
-+ cat
-+fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \
-+ || as_fn_error $? "could not setup config files machinery" "$LINENO" 5
-+_ACEOF
-
--# VPATH may cause trouble with some makes, so we remove $(srcdir),
--# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
-+# VPATH may cause trouble with some makes, so we remove sole $(srcdir),
-+# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and
- # trailing colons and then remove the whole line if VPATH becomes empty
- # (actually we leave an empty line to preserve line numbers).
- if test "x$srcdir" = x.; then
-- ac_vpsub='/^[ ]*VPATH[ ]*=/{
--s/:*\$(srcdir):*/:/
--s/:*\${srcdir}:*/:/
--s/:*@srcdir@:*/:/
--s/^\([^=]*=[ ]*\):*/\1/
-+ ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{
-+h
-+s///
-+s/^/:/
-+s/[ ]*$/:/
-+s/:\$(srcdir):/:/g
-+s/:\${srcdir}:/:/g
-+s/:@srcdir@:/:/g
-+s/^:*//
- s/:*$//
-+x
-+s/\(=[ ]*\).*/\1/
-+G
-+s/\n//
- s/^[^=]*=[ ]*$//
- }'
- fi
-
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
- fi # test -n "$CONFIG_FILES"
-
-
--for ac_tag in :F $CONFIG_FILES
-+eval set X " :F $CONFIG_FILES "
-+shift
-+for ac_tag
- do
- case $ac_tag in
- :[FHLC]) ac_mode=$ac_tag; continue;;
- esac
- case $ac_mode$ac_tag in
- :[FHL]*:*);;
-- :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
--echo "$as_me: error: Invalid tag $ac_tag." >&2;}
-- { (exit 1); exit 1; }; };;
-+ :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5 ;;
- :[FH]-) ac_tag=-:-;;
- :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
- esac
-@@ -3437,26 +4219,34 @@
- [\\/$]*) false;;
- *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
- esac ||
-- { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
--echo "$as_me: error: cannot find input file: $ac_f" >&2;}
-- { (exit 1); exit 1; }; };;
-+ as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5 ;;
- esac
-- ac_file_inputs="$ac_file_inputs $ac_f"
-+ case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
-+ as_fn_append ac_file_inputs " '$ac_f'"
- done
-
- # Let's still pretend it is `configure' which instantiates (i.e., don't
- # use $as_me), people would be surprised to read:
- # /* config.h. Generated by config.status. */
-- configure_input="Generated from "`IFS=:
-- echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure."
-+ configure_input='Generated from '`
-+ $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g'
-+ `' by configure.'
- if test x"$ac_file" != x-; then
- configure_input="$ac_file. $configure_input"
-- { echo "$as_me:$LINENO: creating $ac_file" >&5
--echo "$as_me: creating $ac_file" >&6;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5
-+$as_echo "$as_me: creating $ac_file" >&6;}
- fi
-+ # Neutralize special characters interpreted by sed in replacement strings.
-+ case $configure_input in #(
-+ *\&* | *\|* | *\\* )
-+ ac_sed_conf_input=`$as_echo "$configure_input" |
-+ sed 's/[\\\\&|]/\\\\&/g'`;; #(
-+ *) ac_sed_conf_input=$configure_input;;
-+ esac
-
- case $ac_tag in
-- *:-:* | *:-) cat >"$tmp/stdin";;
-+ *:-:* | *:-) cat >"$tmp/stdin" \
-+ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;;
- esac
- ;;
- esac
-@@ -3466,42 +4256,7 @@
- X"$ac_file" : 'X\(//\)[^/]' \| \
- X"$ac_file" : 'X\(//\)$' \| \
- X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
--echo X"$ac_file" |
-- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-- s//\1/
-- q
-- }
-- /^X\(\/\/\)[^/].*/{
-- s//\1/
-- q
-- }
-- /^X\(\/\/\)$/{
-- s//\1/
-- q
-- }
-- /^X\(\/\).*/{
-- s//\1/
-- q
-- }
-- s/.*/./; q'`
-- { as_dir="$ac_dir"
-- case $as_dir in #(
-- -*) as_dir=./$as_dir;;
-- esac
-- test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
-- as_dirs=
-- while :; do
-- case $as_dir in #(
-- *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
-- *) as_qdir=$as_dir;;
-- esac
-- as_dirs="'$as_qdir' $as_dirs"
-- as_dir=`$as_dirname -- "$as_dir" ||
--$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-- X"$as_dir" : 'X\(//\)[^/]' \| \
-- X"$as_dir" : 'X\(//\)$' \| \
-- X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
--echo X"$as_dir" |
-+$as_echo X"$ac_file" |
- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
- s//\1/
- q
-@@ -3519,20 +4274,15 @@
- q
- }
- s/.*/./; q'`
-- test -d "$as_dir" && break
-- done
-- test -z "$as_dirs" || eval "mkdir $as_dirs"
-- } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
--echo "$as_me: error: cannot create directory $as_dir" >&2;}
-- { (exit 1); exit 1; }; }; }
-+ as_dir="$ac_dir"; as_fn_mkdir_p
- ac_builddir=.
-
- case "$ac_dir" in
- .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
- *)
-- ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
-+ ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
- # A ".." for each directory in $ac_dir_suffix.
-- ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
-+ ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
- case $ac_top_builddir_sub in
- "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
- *) ac_top_build_prefix=$ac_top_builddir_sub/ ;;
-@@ -3568,12 +4318,12 @@
-
- _ACEOF
-
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
- # If the template does not know about datarootdir, expand it.
- # FIXME: This hack should be removed a few years after 2.60.
- ac_datarootdir_hack=; ac_datarootdir_seen=
--
--case `sed -n '/datarootdir/ {
-+ac_sed_dataroot='
-+/datarootdir/ {
- p
- q
- }
-@@ -3581,36 +4331,37 @@
- /@docdir@/p
- /@infodir@/p
- /@localedir@/p
--/@mandir@/p
--' $ac_file_inputs` in
-+/@mandir@/p'
-+case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in
- *datarootdir*) ac_datarootdir_seen=yes;;
- *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
-- { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
--echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
-+$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
- _ACEOF
--cat >>$CONFIG_STATUS <<_ACEOF
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
- ac_datarootdir_hack='
- s&@datadir@&$datadir&g
- s&@docdir@&$docdir&g
- s&@infodir@&$infodir&g
- s&@localedir@&$localedir&g
- s&@mandir@&$mandir&g
-- s&\\\${datarootdir}&$datarootdir&g' ;;
-+ s&\\\${datarootdir}&$datarootdir&g' ;;
- esac
- _ACEOF
-
- # Neutralize VPATH when `$srcdir' = `.'.
- # Shell code in configure.ac might set extrasub.
- # FIXME: do we really want to maintain this feature?
--cat >>$CONFIG_STATUS <<_ACEOF
-- sed "$ac_vpsub
-+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-+ac_sed_extra="$ac_vpsub
- $extrasub
- _ACEOF
--cat >>$CONFIG_STATUS <<\_ACEOF
-+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
- :t
- /@[a-zA-Z_][a-zA-Z_0-9]*@/!b
--s&@configure_input@&$configure_input&;t t
-+s|@configure_input@|$ac_sed_conf_input|;t t
- s&@top_builddir@&$ac_top_builddir_sub&;t t
-+s&@top_build_prefix@&$ac_top_build_prefix&;t t
- s&@srcdir@&$ac_srcdir&;t t
- s&@abs_srcdir@&$ac_abs_srcdir&;t t
- s&@top_srcdir@&$ac_top_srcdir&;t t
-@@ -3619,21 +4370,24 @@
- s&@abs_builddir@&$ac_abs_builddir&;t t
- s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
- $ac_datarootdir_hack
--" $ac_file_inputs | sed -f "$tmp/subs-1.sed" >$tmp/out
-+"
-+eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \
-+ || as_fn_error $? "could not create $ac_file" "$LINENO" 5
-
- test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
- { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
- { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
-- { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
--which seems to be undefined. Please make sure it is defined." >&5
--echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
--which seems to be undefined. Please make sure it is defined." >&2;}
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir'
-+which seems to be undefined. Please make sure it is defined" >&5
-+$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
-+which seems to be undefined. Please make sure it is defined" >&2;}
-
- rm -f "$tmp/stdin"
- case $ac_file in
-- -) cat "$tmp/out"; rm -f "$tmp/out";;
-- *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;;
-- esac
-+ -) cat "$tmp/out" && rm -f "$tmp/out";;
-+ *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";;
-+ esac \
-+ || as_fn_error $? "could not create $ac_file" "$LINENO" 5
- ;;
-
-
-@@ -3643,11 +4397,13 @@
- done # for ac_tag
-
-
--{ (exit 0); exit 0; }
-+as_fn_exit 0
- _ACEOF
--chmod +x $CONFIG_STATUS
- ac_clean_files=$ac_clean_files_save
-
-+test $ac_write_fail = 0 ||
-+ as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5
-+
-
- # configure is writing to config.log, and then calls config.status.
- # config.status does its own redirection, appending to config.log.
-@@ -3667,7 +4423,10 @@
- exec 5>>config.log
- # Use ||, not &&, to avoid exiting from the if with $? = 1, which
- # would make configure fail if this is the last instruction.
-- $ac_cs_success || { (exit 1); exit 1; }
-+ $ac_cs_success || as_fn_exit 1
-+fi
-+if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5
-+$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
- fi
--
-
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in 2012-12-04 19:38:00.241420966 +0100
-@@ -2,12 +2,21 @@
- AC_REVISION($Revision$)
- AC_DEFUN(modname,[rlm_eap_tnc])
-
-+eap_tnc_cflags=
-+eap_tnc_ldflags=-lnaaeap
-+
- if test x$with_[]modname != xno; then
-
-- AC_CHECK_LIB(TNCS, exchangeTNCCSMessages)
-- if test "x$ac_cv_lib_tncs_exchangetnccsmessages" != xyes; then
-- AC_MSG_WARN([the TNCS library isn't found!])
-- fail="$fail -lTNCS"
-+ AC_CHECK_LIB(naaeap,processEAPTNCData,,fail="$fail -lnaaeap",)
-+ if test -x"$ac_cv_lib_NAAEAP_processEAPTNCData" == -x"no"; then
-+ AC_MSG_WARN([the NAAEAP library was not found!])
-+ fail="$fail -lNAAEAP"
-+ fi
-+
-+ AC_CHECK_HEADERS(naaeap/naaeap.h,,fail="$fail -Inaaeap.h",)
-+ if test -x"$ac_cv_header_naaeap_h" == -x"no"; then
-+ AC_MSG_WARN([the naaeap header was not found!])
-+ fail="$fail -Inaaeap.h"
- fi
-
- targetname=modname
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c 2012-12-04 19:38:00.241420966 +0100
-@@ -1,12 +1,12 @@
- /*
- * eap_tnc.c EAP TNC functionality.
- *
-- * This software is Copyright (C) 2006,2007 FH Hannover
-+ * This software is Copyright (C) 2006-2009 FH Hannover
- *
- * Portions of this code unrelated to FreeRADIUS are available
- * separately under a commercial license. If you require an
- * implementation of EAP-TNC that is not under the GPLv2, please
-- * contact tnc@inform.fh-hannover.de for details.
-+ * contact trust@f4-i.fh-hannover.de for details.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -23,230 +23,41 @@
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
- *
- */
--#include <freeradius-devel/ident.h>
--RCSID("$Id: 213ede51c46a8c533961be8715395c0ab1f6b5c9 $")
--
--
--/*
-- *
-- * MD5 Packet Format in EAP Type-Data
-- * --- ------ ------ -- --- ---------
-- * 0 1 2 3
-- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * | Value-Size | Value ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * | Name ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- *
-- * EAP-TNC Packet Format in EAP Type-Data
-- *
-- * 0 1 2 3
-- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * | Flags |Ver | Data Length ...
-- * |L M S R R|=1 |
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * |... | Data ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
--
-- *
-- */
--
- #include <stdio.h>
- #include <stdlib.h>
- #include "eap.h"
-
- #include "eap_tnc.h"
-
-- /*
-- * WTF is wrong with htonl ?
-- */
--static uint32_t ByteSwap2 (uint32_t nLongNumber)
--{
-- return (((nLongNumber&0x000000FF)<<24)+((nLongNumber&0x0000FF00)<<8)+
-- ((nLongNumber&0x00FF0000)>>8)+((nLongNumber&0xFF000000)>>24));
--}
--
- /*
-- * Allocate a new TNC_PACKET
-+ * Forms an EAP_REQUEST packet from the EAP_TNC specific data.
- */
--TNC_PACKET *eaptnc_alloc(void)
-+int eaptnc_compose(EAP_HANDLER *handler, TNC_BufferReference request, TNC_UInt32 length, uint8_t code)
- {
-- TNC_PACKET *rp;
--
-- if ((rp = malloc(sizeof(TNC_PACKET))) == NULL) {
-- radlog(L_ERR, "rlm_eap_tnc: out of memory");
-- return NULL;
-+ // check parameters
-+ if(handler == NULL || (request == NULL && length != 0) || (request != NULL && length < 1) || code > PW_EAP_MAX_CODES){
-+ radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler == %p, request == %p, length == %lu, code == %u", handler, request, length, code);
-+ return 0;
- }
-- memset(rp, 0, sizeof(TNC_PACKET));
-- return rp;
--}
--
--/*
-- * Free TNC_PACKET
-- */
--void eaptnc_free(TNC_PACKET **tnc_packet_ptr)
--{
-- TNC_PACKET *tnc_packet;
--
-- if (!tnc_packet_ptr) return;
-- tnc_packet = *tnc_packet_ptr;
-- if (tnc_packet == NULL) return;
--
-- if (tnc_packet->data) free(tnc_packet->data);
-
-- free(tnc_packet);
--
-- *tnc_packet_ptr = NULL;
--}
--
--/*
-- * We expect only RESPONSE for which REQUEST, SUCCESS or FAILURE is sent back
-- */
--TNC_PACKET *eaptnc_extract(EAP_DS *eap_ds)
--{
-- tnc_packet_t *data;
-- TNC_PACKET *packet;
-- /*
-- * We need a response, of type EAP-TNC
-- */
-- if (!eap_ds ||
-- !eap_ds->response ||
-- (eap_ds->response->code != PW_TNC_RESPONSE) ||
-- eap_ds->response->type.type != PW_EAP_TNC ||
-- !eap_ds->response->type.data ||
-- (eap_ds->response->length <= TNC_HEADER_LEN) ||
-- (eap_ds->response->type.data[0] <= 0)) {
-- radlog(L_ERR, "rlm_eap_tnc: corrupted data");
-- return NULL;
-+ // further check parameters
-+ if(handler->opaque == NULL || handler->eap_ds == NULL){
-+ radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler->opaque == %p, handler->eap_ds == %p", handler->opaque, handler->eap_ds);
-+ return 0;
- }
-- packet = eaptnc_alloc();
-- if (!packet) return NULL;
--
-
-- packet->code = eap_ds->response->code;
-- packet->id = eap_ds->response->id;
-- packet->length = eap_ds->response->length;
--
-- data = (tnc_packet_t *)eap_ds->response->type.data;
-- /*
-- * Already checked the size above.
-- */
-- packet->flags_ver = data->flags_ver;
-- unsigned char *ptr = (unsigned char*)data;
--
--
-- DEBUG2("Flags/Ver: %x\n", packet->flags_ver);
-- int thisDataLength;
-- int dataStart;
-- if(TNC_LENGTH_INCLUDED(packet->flags_ver)){
-- DEBUG2("data_length included\n");
--// memcpy(&packet->flags_ver[1], &data->flags_ver[1], 4);
-- //packet->data_length = data->data_length;
-- memcpy(&packet->data_length, &ptr[1], TNC_DATA_LENGTH_LENGTH);
-- DEBUG2("data_length: %x\n", packet->data_length);
-- DEBUG2("data_length: %d\n", packet->data_length);
-- DEBUG2("data_length: %x\n", ByteSwap2(packet->data_length));
-- DEBUG2("data_length: %d\n", ByteSwap2(packet->data_length));
-- packet->data_length = ByteSwap2(packet->data_length);
-- thisDataLength = packet->length-TNC_PACKET_LENGTH; //1: we need space for flags_ver
-- dataStart = TNC_DATA_LENGTH_LENGTH+TNC_FLAGS_VERSION_LENGTH;
-- }else{
-- DEBUG2("no data_length included\n");
-- thisDataLength = packet->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
-- packet->data_length = 0;
-- dataStart = TNC_FLAGS_VERSION_LENGTH;
--
-- }
-- /*
-- * Allocate room for the data, and copy over the data.
-- */
-- packet->data = malloc(thisDataLength);
-- if (packet->data == NULL) {
-- radlog(L_ERR, "rlm_eap_tnc: out of memory");
-- eaptnc_free(&packet);
-- return NULL;
-+ if(handler->eap_ds->request == NULL){
-+ radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler->eap_ds->request == %p", handler->eap_ds->request);
-+ return 0;
- }
--
-- memcpy(packet->data, &(eap_ds->response->type.data[dataStart]), thisDataLength);
--
-- return packet;
--}
-
--
--/*
-- * Compose the portions of the reply packet specific to the
-- * EAP-TNC protocol, in the EAP reply typedata
-- */
--int eaptnc_compose(EAP_DS *eap_ds, TNC_PACKET *reply)
--{
-- uint8_t *ptr;
--
--
-- if (reply->code < 3) {
-- //fill: EAP-Type (0x888e)
-- eap_ds->request->type.type = PW_EAP_TNC;
-- DEBUG2("TYPE: EAP-TNC set\n");
-- rad_assert(reply->length > 0);
--
-- //alloc enough space for whole TNC-Packet (from Code on)
-- eap_ds->request->type.data = calloc(reply->length, sizeof(unsigned char*));
-- DEBUG2("Malloc %d bytes for packet\n", reply->length);
-- if (eap_ds->request->type.data == NULL) {
-- radlog(L_ERR, "rlm_eap_tnc: out of memory");
-- return 0;
-- }
-- //put pointer at position where data starts (behind Type)
-- ptr = eap_ds->request->type.data;
-- //*ptr = (uint8_t)(reply->data_length & 0xFF);
--
-- //ptr++;
-- *ptr = reply->flags_ver;
-- DEBUG2("Set Flags/Version: %d\n", *ptr);
-- if(reply->data_length!=0){
-- DEBUG2("Set data-length: %d\n", reply->data_length);
-- ptr++; //move to start-position of "data_length"
-- DEBUG2("Set data-length: %x\n", reply->data_length);
-- DEBUG2("Set data-length (swapped): %x\n", ByteSwap2(reply->data_length));
-- unsigned long swappedDataLength = ByteSwap2(reply->data_length);
-- //DEBUG2("DATA-length: %d", reply->data_
-- memcpy(ptr, &swappedDataLength, 4);
-- //*ptr = swappedDataLength;
-- }
-- uint16_t thisDataLength=0;
-- if(reply->data!=NULL){
-- DEBUG2("Adding TNCCS-Data ");
-- int offset;
-- //if data_length-Field present
-- if(reply->data_length !=0){
-- DEBUG2("with Fragmentation\n");
-- offset = TNC_DATA_LENGTH_LENGTH; //length of data_length-field: 4
-- thisDataLength = reply->length-TNC_PACKET_LENGTH;
-- }else{ //data_length-Field not present
-- DEBUG2("without Fragmentation\n");
-- offset = 1;
-- thisDataLength = reply->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
-- }
-- DEBUG2("TNCCS-Datalength: %d\n", thisDataLength);
-- ptr=ptr+offset; //move to start-position of "data"
-- memcpy(ptr,reply->data, thisDataLength);
-- }else{
-- DEBUG2("No TNCCS-Data present");
-- }
--
-- //the length of the TNC-packet (behind Type)
-- if(reply->data_length!=0){
-- eap_ds->request->type.length = TNC_DATA_LENGTH_LENGTH+TNC_FLAGS_VERSION_LENGTH+thisDataLength; //4:data_length, 1: flags_ver
-- }else{
-- eap_ds->request->type.length = TNC_FLAGS_VERSION_LENGTH+thisDataLength; //1: flags_ver
-- }
-- DEBUG2("Packet built\n");
--
-- } else {
-- eap_ds->request->type.length = 0;
-- }
-- eap_ds->request->code = reply->code;
-+ // fill EAP data to handler
-+ handler->eap_ds->request->code = code;
-+ handler->eap_ds->request->type.type = PW_EAP_TNC;
-+ // fill EAP TYPE specific data to handler
-+ handler->eap_ds->request->type.length = length;
-+ free(handler->eap_ds->request->type.data);
-+ handler->eap_ds->request->type.data = request;
-
- return 1;
- }
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h 2012-12-04 19:38:00.241420966 +0100
-@@ -1,10 +1,10 @@
- /*
-- * This software is Copyright (C) 2006,2007 FH Hannover
-+ * This software is Copyright (C) 2006-2009 FH Hannover
- *
- * Portions of this code unrelated to FreeRADIUS are available
- * separately under a commercial license. If you require an
- * implementation of EAP-TNC that is not under the GPLv2, please
-- * contact tnc@inform.fh-hannover.de for details.
-+ * contact trust@f4-i.fh-hannover.de for details.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -26,105 +26,20 @@
- #define _EAP_TNC_H
-
- #include "eap.h"
-+#include <naaeap/naaeap.h>
-
--#define PW_TNC_REQUEST 1
--#define PW_TNC_RESPONSE 2
--#define PW_TNC_SUCCESS 3
--#define PW_TNC_FAILURE 4
--#define PW_TNC_MAX_CODES 4
--
--#define TNC_HEADER_LEN 4
--#define TNC_CHALLENGE_LEN 16
--#define TNC_START_LEN 8
--
--#define TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH 6
--#define TNC_PACKET_LENGTH 10
--#define TNC_DATA_LENGTH_LENGTH 4
--#define TNC_FLAGS_VERSION_LENGTH 1
--
--typedef unsigned int VlanAccessMode;
--
--#define VLAN_ISOLATE 97
--#define VLAN_ACCESS 2
--/*
-- ****
-- * EAP - MD5 doesnot specify code, id & length but chap specifies them,
-- * for generalization purpose, complete header should be sent
-- * and not just value_size, value and name.
-- * future implementation.
-- *
-- * Huh? What does that mean?
-- */
-+#define SET_START(x) ((x) | (0x20))
-
--/*
-+/**
-+ * Composes the EAP packet.
- *
-- * MD5 Packet Format in EAP Type-Data
-- * --- ------ ------ -- --- ---------
-- * 0 1 2 3
-- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * | Value-Size | Value ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * | Name ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- *
-- * EAP-TNC Packet Format in EAP Type-Data
-- *
-- * 0 1 2 3
-- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * | Flags |Ver | Data Length ...
-- * |L M S R R|=1 |
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-- * |... | Data ...
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
--
-+ * @param handler The EAP_HANDLER from tnc_initiate() or tnc_authenticate
-+ * @param request The EAP_TNC packet received from NAA-TNCS
-+ * @param length The length of the EAP_TNC packet received from NAA-TNCS
-+ * @param code EAP_CODE for the request
- *
-+ * @return True if operation was successful, otherwise false.
- */
--
--/* eap packet structure */
--typedef struct tnc_packet_t {
--/*
-- uint8_t code;
-- uint8_t id;
-- uint16_t length;
--*/
-- uint8_t flags_ver;
-- uint32_t data_length;
-- uint8_t *data;
--} tnc_packet_t;
--
--typedef struct tnc_packet {
-- uint8_t code;
-- uint8_t id;
-- uint16_t length;
-- uint8_t flags_ver;
-- uint32_t data_length;
-- uint8_t *data;
--} TNC_PACKET;
--
--#define TNC_START(x) (((x) & 0x20) != 0)
--#define TNC_MORE_FRAGMENTS(x) (((x) & 0x40) != 0)
--#define TNC_LENGTH_INCLUDED(x) (((x) & 0x80) != 0)
--#define TNC_RESERVED_EQ_NULL(x) (((x) & 0x10) == 0 && ((x) & 0x8) == 0)
--#define TNC_VERSION_EQ_ONE(x) (((x) & 0x07) == 1)
--
--#define SET_START(x) ((x) | (0x20))
--#define SET_MORE_FRAGMENTS(x) ((x) | (0x40))
--#define SET_LENGTH_INCLUDED(x) ((x) | (0x80))
--
--
--/* function declarations here */
--
--TNC_PACKET *eaptnc_alloc(void);
--void eaptnc_free(TNC_PACKET **tnc_packet_ptr);
--
--int eaptnc_compose(EAP_DS *auth, TNC_PACKET *reply);
--TNC_PACKET *eaptnc_extract(EAP_DS *auth);
--int eaptnc_verify(TNC_PACKET *pkt, VALUE_PAIR* pwd, uint8_t *ch);
--
--
--
--
-+int eaptnc_compose(EAP_HANDLER *handler, TNC_BufferReference request, TNC_UInt32 length, uint8_t code);
-
- #endif /*_EAP_TNC_H*/
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in 2012-12-04 19:38:49.277421870 +0100
-@@ -3,8 +3,8 @@
- #
-
- TARGET = @targetname@
--SRCS = rlm_eap_tnc.c eap_tnc.c tncs_connect.c
--HEADERS = eap_tnc.h tncs.h tncs_connect.h ../../eap.h ../../rlm_eap.h
-+SRCS = rlm_eap_tnc.c eap_tnc.c
-+HEADERS = eap_tnc.h ../../eap.h ../../rlm_eap.h
- RLM_CFLAGS = -I../.. -I../../libeap @eap_tnc_cflags@
- RLM_LIBS = @eap_tnc_ldflags@ ../../libeap/$(LIBPREFIX)freeradius-eap.la
- RLM_INSTALL =
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c 2012-12-04 19:38:00.241420966 +0100
-@@ -1,12 +1,12 @@
- /*
- * rlm_eap_tnc.c Handles that are called from eap
- *
-- * This software is Copyright (C) 2006,2007 FH Hannover
-+ * This software is Copyright (C) 2006-2009 FH Hannover
- *
- * Portions of this code unrelated to FreeRADIUS are available
- * separately under a commercial license. If you require an
- * implementation of EAP-TNC that is not under the GPLv2, please
-- * contact tnc@inform.fh-hannover.de for details.
-+ * contact trust@f4-i.fh-hannover.de for details.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -26,96 +26,262 @@
- * Copyright (C) 2007 Alan DeKok <aland@deployingradius.com>
- */
-
--#include <freeradius-devel/ident.h>
--RCSID("$Id: 985ac01f384110b9a46ec8e84592351c21b3f09a $")
-+/*
-+ * EAP-TNC Packet with EAP Header, general structure
-+ *
-+ * 0 1 2 3
-+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ * | Code | Identifier | Length |
-+ * | | | |
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ * | Type | Flags | Ver | Data Length |
-+ * | |L M S R R| =1 | |
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ * | Data Length | Data ...
-+ * | |
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ */
-
- #include <freeradius-devel/autoconf.h>
-
- #include <stdio.h>
- #include <stdlib.h>
-
--#include "tncs_connect.h"
- #include "eap_tnc.h"
--#include "tncs.h"
-+#include <naaeap/naaeap.h>
- #include <freeradius-devel/rad_assert.h>
-+//#include <freeradius-devel/libradius.h>
-
--typedef struct rlm_eap_tnc_t {
-- char *vlan_access;
-- char *vlan_isolate;
-- char *tnc_path;
--} rlm_eap_tnc_t;
-+#include <netinet/in.h>
-
--static int sessionCounter=0;
-+/**
-+ * Calculates an identifying string based upon nas_port, nas_ip and nas_port_type.
-+ * The maximum length of the calculated string is 70 (not including the trailing '\0').
-+ *
-+ * @return the number of bytes written to out (not including the trailing '\0')
-+ */
-+static uint32_t calculateConnectionString(RADIUS_PACKET* radius_packet, char *out, size_t outMaxLength)
-+{
-+ VALUE_PAIR *vp = NULL;
-+ uint32_t nas_port = 0;
-+ uint32_t nas_ip = 0;
-+ uint32_t nas_port_type = 0;
-+
-+ char out_nas_port[11];
-+ char out_nas_ip_byte_0[4];
-+ char out_nas_ip_byte_1[4];
-+ char out_nas_ip_byte_2[4];
-+ char out_nas_ip_byte_3[4];
-+ char out_nas_port_type[11];
-+
-+ // check for NULL
-+ if (radius_packet == NULL) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: calculateConnectionString failed. radius_packet == NULL!");
-+ return 0;
-+ }
-+
-+ // read NAS port, ip and port type
-+ for (vp = radius_packet->vps; vp; vp=vp->next) {
-+ switch (vp->attribute) {
-+ case PW_NAS_PORT:
-+ nas_port = vp->vp_integer;
-+ DEBUG("NAS scr port = %u\n", nas_port);
-+ break;
-+ case PW_NAS_IP_ADDRESS:
-+ nas_ip = vp->vp_ipaddr;
-+ DEBUG("NAS scr ip = %X\n", ntohl(nas_ip));
-+ break;
-+ case PW_NAS_PORT_TYPE:
-+ nas_port_type = vp->vp_integer;
-+ DEBUG("NAS scr port type = %u\n", nas_port_type);
-+ break;
-+ }
-+ }
-+
-+ snprintf(out_nas_port, 11, "%u", nas_port);
-+ snprintf(out_nas_ip_byte_0, 4, "%u", nas_ip & 0xFF);
-+ snprintf(out_nas_ip_byte_1, 4, "%u", (nas_ip >> 8) & 0xFF);
-+ snprintf(out_nas_ip_byte_2, 4, "%u", (nas_ip >> 16) & 0xFF);
-+ snprintf(out_nas_ip_byte_3, 4, "%u", (nas_ip >> 24) & 0xFF);
-+ snprintf(out_nas_port_type, 11, "%u", nas_port_type);
-+
-+ return snprintf(out, outMaxLength, "NAS Port: %s NAS IP: %s.%s.%s.%s NAS_PORT_TYPE: %s", out_nas_port, out_nas_ip_byte_3, out_nas_ip_byte_2, out_nas_ip_byte_1, out_nas_ip_byte_0, out_nas_port_type);
-+}
-+
-+/*
-+ * This function is called when the FreeRADIUS attach this module.
-+ */
-+static int tnc_attach(CONF_SECTION *conf, void **type_data)
-+{
-+ // initialize NAA-EAP
-+ DEBUG2("TNC-ATTACH initializing NAA-EAP");
-+ TNC_Result result = initializeDefault();
-+ if (result != TNC_RESULT_SUCCESS) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_attach error while calling NAA-EAP initializeDefault()");
-+ return -1;
-+ }
-+ return 0;
-+}
-+
-+/*
-+ * This function is called when the FreeRADIUS detach this module.
-+ */
-+static int tnc_detach(void *args)
-+{
-+ // terminate NAA-EAP
-+ DEBUG2("TNC-TERMINATE terminating NAA-EAP");
-+ TNC_Result result = terminate();
-+ if (result != TNC_RESULT_SUCCESS) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_attach error while calling NAA-EAP terminate()");
-+ return -1;
-+ }
-+ return 0;
-+}
-
- /*
-- * Initiate the EAP-MD5 session by sending a challenge to the peer.
-- * Initiate the EAP-TNC session by sending a EAP Request witch Start Bit set
-- * and with no data
-+ * This function is called when the first EAP_IDENTITY_RESPONSE message
-+ * was received.
-+ *
-+ * Initiates the EPA_TNC session by sending the first EAP_TNC_RESPONSE
-+ * to the peer. The packet has the Start-Bit set and contains no data.
-+ *
-+ * 0 1 2 3
-+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ * | Code | Identifier | Length |
-+ * | | | |
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ * | Type | Flags | Ver |
-+ * | |0 0 1 0 0|0 0 1|
-+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+ *
-+ * For this package, only 'Identifier' has to be set dynamically. Any
-+ * other information is static.
- */
- static int tnc_initiate(void *type_data, EAP_HANDLER *handler)
- {
-- uint8_t flags_ver = 1; //set version to 1
-- rlm_eap_tnc_t *inst = type_data;
-- TNC_PACKET *reply;
-+ size_t buflen = 71;
-+ size_t ret = 0;
-+ char buf[buflen];
-+ REQUEST * request = NULL;
-+ TNC_Result result;
-+ TNC_ConnectionID conID;
-+ TNC_BufferReference username;
-
-+ // check if we run inside a secure EAP method.
-+ // FIXME check concrete outer EAP method
- if (!handler->request || !handler->request->parent) {
-- DEBUG("rlm_eap_tnc: EAP-TNC can only be run inside of a TLS-based method.");
-+ DEBUG2("rlm_eap_tnc: EAP_TNC must only be used as an inner method within a protected tunneled EAP created by an outer EAP method.");
-+ request = handler->request;
- return 0;
-+ } else {
-+ request = handler->request->parent;
- }
-
-- /*
-- * FIXME: Update this when the TTLS and PEAP methods can
-- * run EAP-TLC *after* the user has been authenticated.
-- * This likely means moving the phase2 handlers to a
-- * common code base.
-- */
-- if (1) {
-- DEBUG("rlm-eap_tnc: EAP-TNC can only be run after the user has been authenticated.");
-+ if (request->packet == NULL) {
-+ DEBUG2("rlm_eap_tnc: ERROR request->packet is NULL.");
- return 0;
- }
-
- DEBUG("tnc_initiate: %ld", handler->timestamp);
-
-- if(connectToTncs(inst->tnc_path)==-1){
-- DEBUG("Could not connect to TNCS");
-+ //calculate connectionString
-+ ret = calculateConnectionString(request->packet, buf, buflen);
-+ if(ret == 0){
-+ radlog(L_ERR, "rlm_eap_tnc:tnc_attach: calculating connection String failed.");
-+ return 0;
- }
-
-+ DEBUG2("TNC-INITIATE getting connection from NAA-EAP");
-+
- /*
-- * Allocate an EAP-MD5 packet.
-+ * get connection
-+ * (uses a function from the NAA-EAP-library)
-+ * the presence of the library is checked via the configure-script
- */
-- reply = eaptnc_alloc();
-- if (reply == NULL) {
-- radlog(L_ERR, "rlm_eap_tnc: out of memory");
-+ result = getConnection(buf, &conID);
-+
-+ // check for errors
-+ if (result != TNC_RESULT_SUCCESS) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_initiate error while calling NAA-EAP getConnection");
- return 0;
- }
-
- /*
-- * Fill it with data.
-+ * tries to get the username from FreeRADIUS;
-+ * copied from modules/rlm_eap/types/rlm_eap_ttls/ttls.c
- */
-- reply->code = PW_TNC_REQUEST;
-- flags_ver = SET_START(flags_ver); //set start-flag
-- DEBUG("$$$$$$$$$$$$$$$$Flags: %d", flags_ver);
-- reply->flags_ver = flags_ver;
-- reply->length = 1+1; /* one byte of flags_ver */
-+ VALUE_PAIR *usernameValuePair;
-+ usernameValuePair = pairfind(request->packet->vps, PW_USER_NAME);
-
-+ VALUE_PAIR *eapMessageValuePair;
-+ if (!usernameValuePair) {
-+ eapMessageValuePair = pairfind(request->packet->vps, PW_EAP_MESSAGE);
-+
-+ if (eapMessageValuePair &&
-+ (eapMessageValuePair->length >= EAP_HEADER_LEN + 2) &&
-+ (eapMessageValuePair->vp_strvalue[0] == PW_EAP_RESPONSE) &&
-+ (eapMessageValuePair->vp_strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) &&
-+ (eapMessageValuePair->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) {
-+
-+ /*
-+ * Create & remember a User-Name
-+ */
-+ usernameValuePair = pairmake("User-Name", "", T_OP_EQ);
-+ rad_assert(usernameValuePair != NULL);
-+
-+ memcpy(usernameValuePair->vp_strvalue, eapMessageValuePair->vp_strvalue + 5,
-+ eapMessageValuePair->length - 5);
-+ usernameValuePair->length = eapMessageValuePair->length - 5;
-+ usernameValuePair->vp_strvalue[usernameValuePair->length] = 0;
-+ }
-+ }
-+
-+ username = malloc(usernameValuePair->length + 1);
-+ memcpy(username, usernameValuePair->vp_strvalue, usernameValuePair->length);
-+ username[usernameValuePair->length] = '\0';
-+
-+ RDEBUG("Username for current TNC connection: %s", username);
-+
-+ /*
-+ * stores the username of this connection
-+ * (uses a function from the NAA-EAP-library)
-+ * the presence of the library is checked via the configure-script
-+ */
-+ result = storeUsername(conID, username, usernameValuePair->length);
-+
-+ // check for errors
-+ if (result != TNC_RESULT_SUCCESS) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_initiate error while calling NAA-EAP storeUsername");
-+ return 0;
-+ }
-+
-+ // set connection ID in FreeRADIUS
-+ handler->opaque = malloc(sizeof(TNC_ConnectionID));
-+ memcpy(handler->opaque, &conID, sizeof(TNC_ConnectionID));
-+
-+ // build first EAP TNC request
-+ TNC_BufferReference eap_tnc_request = malloc(sizeof(unsigned char));
-+ if (eap_tnc_request == NULL) {
-+ radlog(L_ERR, "rlm_eap_tnc:tnc_initiate: malloc failed.");
-+ return 0;
-+ }
-+ *eap_tnc_request = SET_START(1);
-+ TNC_UInt32 eap_tnc_length = 1;
-+ type_data = type_data; /* suppress -Wunused */
-
- /*
- * Compose the EAP-TNC packet out of the data structure,
- * and free it.
- */
-- eaptnc_compose(handler->eap_ds, reply);
-- eaptnc_free(&reply);
-+ eaptnc_compose(handler, eap_tnc_request, eap_tnc_length, PW_EAP_REQUEST);
-
-- //put sessionAttribute to Handler and increase sessionCounter
-- handler->opaque = calloc(sizeof(TNC_ConnectionID), 1);
-- if (handler->opaque == NULL) {
-- radlog(L_ERR, "rlm_eap_tnc: out of memory");
-- return 0;
-- }
-- handler->free_opaque = free;
-- memcpy(handler->opaque, &sessionCounter, sizeof(int));
-- sessionCounter++;
--
- /*
- * We don't need to authorize the user at this point.
- *
-@@ -124,246 +290,114 @@
- * to us...
- */
- handler->stage = AUTHENTICATE;
--
-- return 1;
--}
-
--static void setVlanAttribute(rlm_eap_tnc_t *inst, EAP_HANDLER *handler,
-- VlanAccessMode mode){
-- VALUE_PAIR *vp;
-- char *vlanNumber = NULL;
-- switch(mode){
-- case VLAN_ISOLATE:
-- vlanNumber = inst->vlan_isolate;
-- vp = pairfind(handler->request->config_items,
-- PW_TNC_VLAN_ISOLATE);
-- if (vp) vlanNumber = vp->vp_strvalue;
-- break;
-- case VLAN_ACCESS:
-- vlanNumber = inst->vlan_access;
-- vp = pairfind(handler->request->config_items,
-- PW_TNC_VLAN_ACCESS);
-- if (vp) vlanNumber = vp->vp_strvalue;
-- break;
--
-- default:
-- DEBUG2(" rlm_eap_tnc: Internal error. Not setting vlan number");
-- return;
-- }
-- pairadd(&handler->request->reply->vps,
-- pairmake("Tunnel-Type", "VLAN", T_OP_SET));
--
-- pairadd(&handler->request->reply->vps,
-- pairmake("Tunnel-Medium-Type", "IEEE-802", T_OP_SET));
--
-- pairadd(&handler->request->reply->vps,
-- pairmake("Tunnel-Private-Group-ID", vlanNumber, T_OP_SET));
--
-+ return 1;
- }
-
--/*
-- * Authenticate a previously sent challenge.
-+/**
-+ * This function is called when a EAP_TNC_RESPONSE was received.
-+ * It basically forwards the EAP_TNC data to NAA-TNCS and forms
-+ * and appropriate EAP_RESPONSE. Furthermore, it sets the VlanID
-+ * based on the TNC_ConnectionState determined by NAA-TNCS.
-+ *
-+ * @param type_arg The configuration data
-+ * @param handler The EAP_HANDLER
-+ * @return True, if successfully, else false.
- */
--static int tnc_authenticate(void *type_arg, EAP_HANDLER *handler)
--{
-- TNC_PACKET *packet;
-- TNC_PACKET *reply;
-- TNC_ConnectionID connId = *((TNC_ConnectionID *) (handler->opaque));
-- TNC_ConnectionState state;
-- rlm_eap_tnc_t *inst = type_arg;
-- int isAcknowledgement = 0;
-- TNC_UInt32 tnccsMsgLength = 0;
-- int isLengthIncluded;
-- int moreFragments;
-- TNC_UInt32 overallLength;
-- TNC_BufferReference outMessage;
-- TNC_UInt32 outMessageLength = 2;
-- int outIsLengthIncluded=0;
-- int outMoreFragments=0;
-- TNC_UInt32 outOverallLength=0;
-+static int tnc_authenticate(void *type_arg, EAP_HANDLER *handler) {
-
-- DEBUG2("HANDLER_OPAQUE: %d", (int) *((TNC_ConnectionID *) (handler->opaque)));
-- DEBUG2("TNC-AUTHENTICATE is starting now for %d..........", (int) connId);
-+ rad_assert(handler->request != NULL); // check that request has been sent previously
-+ rad_assert(handler->stage == AUTHENTICATE); // check if initiate has been called
-
-- /*
-- * Get the User-Password for this user.
-- */
-- rad_assert(handler->request != NULL);
-- rad_assert(handler->stage == AUTHENTICATE);
--
-- /*
-- * Extract the EAP-TNC packet.
-- */
-- if (!(packet = eaptnc_extract(handler->eap_ds)))
-+ if (handler == NULL) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler == NULL");
- return 0;
-+ }
-+ if (handler->eap_ds == NULL) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds == NULL");
-+ return 0;
-+ }
-+ if (handler->eap_ds->response == NULL) {
-+ radlog(
-+ L_ERR,
-+ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds->resonse == NULL");
-+ return 0;
-+ }
-+ if (handler->eap_ds->response->type.type != PW_EAP_TNC
-+ || handler->eap_ds->response->type.length < 1
-+ || handler->eap_ds->response->type.data == NULL) {
-+ radlog(
-+ L_ERR,
-+ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds->response->type.type == %X, ->type.length == %u, ->type.data == %p",
-+ handler->eap_ds->response->type.type,
-+ handler->eap_ds->response->type.length,
-+ handler->eap_ds->response->type.data);
-+ return 0;
-+ }
-
-- /*
-- * Create a reply, and initialize it.
-- */
-- reply = eaptnc_alloc();
-- if (!reply) {
-- eaptnc_free(&packet);
-- return 0;
-- }
--
-- reply->id = handler->eap_ds->request->id;
-- reply->length = 0;
-- if(packet->data_length==0){
-- tnccsMsgLength = packet->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
-- }else{
-- tnccsMsgLength = packet->length-TNC_PACKET_LENGTH;
-- }
-- isLengthIncluded = TNC_LENGTH_INCLUDED(packet->flags_ver);
-- moreFragments = TNC_MORE_FRAGMENTS(packet->flags_ver);
-- overallLength = packet->data_length;
-- if(isLengthIncluded == 0
-- && moreFragments == 0
-- && overallLength == 0
-- && tnccsMsgLength == 0
-- && TNC_START(packet->flags_ver)==0){
--
-- isAcknowledgement = 1;
-- }
--
-- DEBUG("Data received: (%d)", (int) tnccsMsgLength);
--/* int i;
-- for(i=0;i<tnccsMsgLength;i++){
-- DEBUG2("%c", (packet->data)[i]);
-- }
-- DEBUG2("\n");
-- */
-- state = exchangeTNCCSMessages(inst->tnc_path,
-- connId,
-- isAcknowledgement,
-- packet->data,
-- tnccsMsgLength,
-- isLengthIncluded,
-- moreFragments,
-- overallLength,
-- &outMessage,
-- &outMessageLength,
-- &outIsLengthIncluded,
-- &outMoreFragments,
-- &outOverallLength);
-- DEBUG("GOT State %08x from TNCS", (unsigned int) state);
-- if(state == TNC_CONNECTION_EAP_ACKNOWLEDGEMENT){ //send back acknoledgement
-- reply->code = PW_TNC_REQUEST;
-- reply->data = NULL;
-- reply->data_length = 0;
-- reply->flags_ver = 1;
-- reply->length =TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
-- }else{ //send back normal message
-- DEBUG("GOT Message from TNCS (length: %d)", (int) outMessageLength);
--
-- /* for(i=0;i<outMessageLength;i++){
-- DEBUG2("%c", outMessage[i]);
-- }
-- DEBUG2("\n");
-- */
-- DEBUG("outIsLengthIncluded: %d, outMoreFragments: %d, outOverallLength: %d",
-- outIsLengthIncluded, outMoreFragments, (int) outOverallLength);
-- DEBUG("NEW STATE: %08x", (unsigned int) state);
-- switch(state){
-- case TNC_CONNECTION_STATE_HANDSHAKE:
-- reply->code = PW_TNC_REQUEST;
-- DEBUG2("Set Reply->Code to EAP-REQUEST\n");
-- break;
-- case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
-- reply->code = PW_TNC_SUCCESS;
-- setVlanAttribute(inst, handler,VLAN_ACCESS);
-- break;
-- case TNC_CONNECTION_STATE_ACCESS_NONE:
-- reply->code = PW_TNC_FAILURE;
-- //setVlanAttribute(inst, handler, VLAN_ISOLATE);
-- break;
-- case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
-- reply->code = PW_TNC_SUCCESS;
-- setVlanAttribute(inst, handler, VLAN_ISOLATE);
-- break;
-- default:
-- reply->code= PW_TNC_FAILURE;
--
-- }
-- if(outMessage!=NULL && outMessageLength!=0){
-- reply->data = outMessage;
-- }
-- reply->flags_ver = 1;
-- if(outIsLengthIncluded){
-- reply->flags_ver = SET_LENGTH_INCLUDED(reply->flags_ver);
-- reply->data_length = outOverallLength;
-- reply->length = TNC_PACKET_LENGTH + outMessageLength;
-- DEBUG("SET LENGTH: %d", reply->length);
-- DEBUG("SET DATALENGTH: %d", (int) outOverallLength);
-- }else{
-- reply->data_length = 0;
-- reply->length = TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH + outMessageLength;
-- DEBUG("SET LENGTH: %d", reply->length);
-- }
-- if(outMoreFragments){
-- reply->flags_ver = SET_MORE_FRAGMENTS(reply->flags_ver);
-- }
-- }
--
-- /*
-- * Compose the EAP-MD5 packet out of the data structure,
-- * and free it.
-- */
-- eaptnc_compose(handler->eap_ds, reply);
-- eaptnc_free(&reply);
--
-- handler->stage = AUTHENTICATE;
--
-- eaptnc_free(&packet);
-- return 1;
--}
--
--/*
-- * Detach the EAP-TNC module.
-- */
--static int tnc_detach(void *arg)
--{
-- free(arg);
-- return 0;
--}
--
--
--static CONF_PARSER module_config[] = {
-- { "vlan_access", PW_TYPE_STRING_PTR,
-- offsetof(rlm_eap_tnc_t, vlan_access), NULL, NULL },
-- { "vlan_isolate", PW_TYPE_STRING_PTR,
-- offsetof(rlm_eap_tnc_t, vlan_isolate), NULL, NULL },
-- { "tnc_path", PW_TYPE_STRING_PTR,
-- offsetof(rlm_eap_tnc_t, tnc_path), NULL,
-- "/usr/local/lib/libTNCS.so"},
-+ // get connection ID
-+ TNC_ConnectionID conID = *((TNC_ConnectionID *) (handler->opaque));
-
-- { NULL, -1, 0, NULL, NULL } /* end the list */
--};
-+ DEBUG2("TNC-AUTHENTICATE is starting now for connection ID %lX !", conID);
-
--/*
-- * Attach the EAP-TNC module.
-- */
--static int tnc_attach(CONF_SECTION *cs, void **instance)
--{
-- rlm_eap_tnc_t *inst;
-+ // pass EAP_TNC data to NAA-EAP and get answer data
-+ TNC_BufferReference output = NULL;
-+ TNC_UInt32 outputLength = 0;
-+ TNC_ConnectionState connectionState = TNC_CONNECTION_STATE_CREATE;
-
-- inst = malloc(sizeof(*inst));
-- if (!inst) return -1;
-- memset(inst, 0, sizeof(*inst));
-+ /*
-+ * forwards the eap_tnc data to NAA-EAP and gets the response
-+ * (uses a function from the NAA-EAP-library)
-+ * the presence of the library is checked via the configure-script
-+ */
-+ TNC_Result result = processEAPTNCData(conID, handler->eap_ds->response->type.data,
-+ handler->eap_ds->response->type.length, &output, &outputLength,
-+ &connectionState);
-+
-+ // check for errors
-+ if (result != TNC_RESULT_SUCCESS) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_authenticate error while calling NAA-EAP processEAPTNCData");
-+ return 0;
-+ }
-
-- if (cf_section_parse(cs, inst, module_config) < 0) {
-- tnc_detach(inst);
-- return -1;
-+ // output contains now the answer from NAA-EAP
-+ uint8_t eapCode = 0;
-+ // determine eapCode for request
-+ switch (connectionState) {
-+ case TNC_CONNECTION_STATE_HANDSHAKE:
-+ eapCode = PW_EAP_REQUEST;
-+ break;
-+ case TNC_CONNECTION_STATE_ACCESS_NONE:
-+ eapCode = PW_EAP_FAILURE;
-+ break;
-+ case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
-+ eapCode = PW_EAP_SUCCESS;
-+ pairadd(&handler->request->config_items, pairmake("TNC-Status", "Access", T_OP_SET));
-+ break;
-+ case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
-+ eapCode = PW_EAP_SUCCESS;
-+ pairadd(&handler->request->config_items, pairmake("TNC-Status", "Isolate", T_OP_SET));
-+ break;
-+ default:
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_authenticate invalid TNC_CONNECTION_STATE.");
-+ return 0;
- }
-
--
-- if (!inst->vlan_access || !inst->vlan_isolate) {
-- radlog(L_ERR, "rlm_eap_tnc: Must set both vlan_access and vlan_isolate");
-- tnc_detach(inst);
-- return -1;
-+ // form EAP_REQUEST
-+ if (!eaptnc_compose(handler, output, outputLength, eapCode)) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_authenticate error while forming EAP_REQUEST.");
-+ return 0;
- }
-
-- *instance = inst;
-- return 0;
-+ // FIXME: Why is that needed?
-+ handler->stage = AUTHENTICATE;
-+
-+ return 1;
- }
-
- /*
-@@ -371,10 +405,10 @@
- * That is, everything else should be 'static'.
- */
- EAP_TYPE rlm_eap_tnc = {
-- "eap_tnc",
-- tnc_attach, /* attach */
-- tnc_initiate, /* Start the initial request */
-- NULL, /* authorization */
-- tnc_authenticate, /* authentication */
-- tnc_detach /* detach */
-+ "eap_tnc",
-+ tnc_attach, /* attach */
-+ tnc_initiate, /* Start the initial request */
-+ NULL, /* authorization */
-+ tnc_authenticate, /* authentication */
-+ tnc_detach /* detach */
- };
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c 1970-01-01 01:00:00.000000000 +0100
-@@ -1,146 +0,0 @@
--/*
-- * This software is Copyright (C) 2006,2007 FH Hannover
-- *
-- * Portions of this code unrelated to FreeRADIUS are available
-- * separately under a commercial license. If you require an
-- * implementation of EAP-TNC that is not under the GPLv2, please
-- * contact tnc@inform.fh-hannover.de for details.
-- *
-- * This program is free software; you can redistribute it and/or modify
-- * it under the terms of the GNU General Public License as published by
-- * the Free Software Foundation; either version 2 of the License, or
-- * (at your option) any later version.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
-- *
-- */
--#include <freeradius-devel/ident.h>
--RCSID("$Id: 6077f6d2bdc2ebdea6575678e80e255f57215900 $")
--
--#include "tncs_connect.h"
--#include <ltdl.h>
--#include <stdlib.h>
--#include <stdio.h>
--#include <eap.h>
--
-- /*
-- * FIXME: This linking should really be done at compile time.
-- */
--static lt_dlhandle handle = NULL;
--
--static ExchangeTNCCSMessagePointer callTNCS = NULL;
--
--/*
-- * returns the function-pointer to a function of a shared-object
-- *
-- * soHandle: handle to a shared-object
-- * name: name of the requested function
-- *
-- * return: the procAddress if found, else NULL
-- */
--static void *getProcAddress(lt_dlhandle soHandle, const char *name){
-- void *proc = lt_dlsym(soHandle, name);
-- DEBUG("Searching for function %s", name);
-- if(proc == NULL){
-- DEBUG("rlm_eap_tnc: Failed to resolve symbol %s: %s",
-- name, lt_dlerror());
-- }
-- return proc;
--}
--
--
--/*
-- * establishs the connection to the TNCCS without calling functionality.
-- * That means that the TNCS-shared-object is loaded and the function-pointer
-- * to "exchangeTNCCSMessages" is explored.
-- *
-- * return: -1 if connect failed, 0 if connect was successful
-- */
--int connectToTncs(char *pathToSO){
-- int state = -1;
-- if(handle==NULL){
-- handle = lt_dlopen(pathToSO);
-- DEBUG("OPENED HANDLE!");
-- }
--
-- if(handle==NULL){
-- DEBUG("HANDLE IS NULL");
-- DEBUG("rlm_eap_tnc: Failed to link to library %s: %s",
-- pathToSO, lt_dlerror());
-- }else{
-- DEBUG("SO %s found!", pathToSO);
-- if(callTNCS==NULL){
-- callTNCS = (ExchangeTNCCSMessagePointer) getProcAddress(handle, "exchangeTNCCSMessages");
-- }
-- if(callTNCS!=NULL){
-- DEBUG("TNCS is connected");
-- state = 0;
--// int ret = callTNCS2(2, "Bla", NULL);
-- // DEBUG("GOT %d from exchangeTNCCSMessages", ret);
-- }else{
-- DEBUG("Could not find exchangeTNCCSMessages");
-- }
--
-- }
-- return state;
--}
--
--/*
-- * Accesspoint to the TNCS for sending and receiving TNCCS-Messages.
-- * -pathToSO: Path to TNCCS-Shared Object
-- * -connId: identifies the client which the passed message belongs to.
-- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
-- * -input: input-TNCCS-message received from the client with connId
-- * -inputLength: length of input-TNCCS-message
-- * -isFirst: 1 if first message in fragmentation else 0
-- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
-- * -overallLength: length of all fragments together (only set if fragmentation)
-- * -output: answer-TNCCS-message from the TNCS to the client
-- * -outputLength: length of answer-TNCCS-message
-- * -answerIsFirst: returned answer is first in row
-- * -moreFragmentsFollow: more fragments after this answer
-- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
-- *
-- * return: state of connection as result of the exchange
-- */
--TNC_ConnectionState exchangeTNCCSMessages(/*in*/ char *pathToSO,
-- /*in*/ TNC_ConnectionID connId,
-- /*in*/ int isAcknoledgement,
-- /*in*/ TNC_BufferReference input,
-- /*in*/ TNC_UInt32 inputLength,
-- /*in*/ int isFirst,
-- /*in*/ int moreFragments,
-- /*in*/ TNC_UInt32 overallLength,
-- /*out*/ TNC_BufferReference *output,
-- /*out*/ TNC_UInt32 *outputLength,
-- /*out*/ int *answerIsFirst,
-- /*out*/ int *moreFragmentsFollow,
-- /*out*/ TNC_UInt32 *overallLengthOut){
-- TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE;
-- int connectStatus = connectToTncs(pathToSO);
-- if(connectStatus!=-1){
-- state = callTNCS(connId,
-- isAcknoledgement,
-- input,
-- inputLength,
-- isFirst,
-- moreFragments,
-- overallLength,
-- output,
-- outputLength,
-- answerIsFirst,
-- moreFragmentsFollow,
-- overallLengthOut);
-- DEBUG("GOT TNC_ConnectionState (juhuuu): %u", (unsigned int) state);
-- }else{
-- DEBUG("CAN NOT CONNECT TO TNCS");
-- }
-- return state;
--}
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h 1970-01-01 01:00:00.000000000 +0100
-@@ -1,70 +0,0 @@
--/*
-- * This software is Copyright (C) 2006,2007 FH Hannover
-- *
-- * Portions of this code unrelated to FreeRADIUS are available
-- * separately under a commercial license. If you require an
-- * implementation of EAP-TNC that is not under the GPLv2, please
-- * contact tnc@inform.fh-hannover.de for details.
-- *
-- * This program is free software; you can redistribute it and/or modify
-- * it under the terms of the GNU General Public License as published by
-- * the Free Software Foundation; either version 2 of the License, or
-- * (at your option) any later version.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
-- *
-- */
--
--#ifndef _TNCS_CONNECT_H_
--#define _TNCS_CONNECT_H_
--
--#include "tncs.h"
--
--/*
-- * establishs the connection to the TNCCS without calling functionality.
-- * That means that the TNCS-shared-object is loaded and the function-pointer
-- * to "exchangeTNCCSMessages" is explored.
-- *
-- * return: -1 if connect failed, 0 if connect was successful
-- */
--int connectToTncs(char *pathToSO);
--/*
-- * Accesspoint to the TNCS for sending and receiving TNCCS-Messages.
-- * -pathToSO: Path to TNCCS-Shared Object
-- * -connId: identifies the client which the passed message belongs to.
-- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
-- * -input: input-TNCCS-message received from the client with connId
-- * -inputLength: length of input-TNCCS-message
-- * -isFirst: 1 if first message in fragmentation else 0
-- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
-- * -overallLength: length of all fragments together (only set if fragmentation)
-- * -output: answer-TNCCS-message from the TNCS to the client
-- * -outputLength: length of answer-TNCCS-message
-- * -answerIsFirst: returned answer is first in row
-- * -moreFragmentsFollow: more fragments after this answer
-- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
-- *
-- * return: state of connection as result of the exchange
-- */
--TNC_ConnectionState exchangeTNCCSMessages(/*in*/ char *pathToSO,
-- /*in*/ TNC_ConnectionID connId,
-- /*in*/ int isAcknoledgement,
-- /*in*/ TNC_BufferReference input,
-- /*in*/ TNC_UInt32 inputLength,
-- /*in*/ int isFirst,
-- /*in*/ int moreFragments,
-- /*in*/ TNC_UInt32 overallLength,
-- /*out*/ TNC_BufferReference *output,
-- /*out*/ TNC_UInt32 *outputLength,
-- /*out*/ int *answerIsFirst,
-- /*out*/ int *moreFragmentsFollow,
-- /*out*/ TNC_UInt32 *overallLengthOut);
--
--#endif //_TNCS_CONNECT_H_
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h 1970-01-01 01:00:00.000000000 +0100
-@@ -1,86 +0,0 @@
--/*
-- * This software is Copyright (C) 2006,2007 FH Hannover
-- *
-- * Portions of this code unrelated to FreeRADIUS are available
-- * separately under a commercial license. If you require an
-- * implementation of EAP-TNC that is not under the GPLv2, please
-- * contact tnc@inform.fh-hannover.de for details.
-- *
-- * This program is free software; you can redistribute it and/or modify
-- * it under the terms of the GNU General Public License as published by
-- * the Free Software Foundation; either version 2 of the License, or
-- * (at your option) any later version.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
-- *
-- */
--
--#ifndef _TNCS_H_
--#define _TNCS_H_
--
--
--
--#ifdef __cplusplus
--extern "C" {
--#endif
--
--/*
-- * copied from tncimv.h:
-- */
--typedef unsigned long TNC_UInt32;
--typedef TNC_UInt32 TNC_ConnectionState;
--typedef unsigned char *TNC_BufferReference;
--typedef TNC_UInt32 TNC_ConnectionID;
--
--#define TNC_CONNECTION_STATE_CREATE 0
--#define TNC_CONNECTION_STATE_HANDSHAKE 1
--#define TNC_CONNECTION_STATE_ACCESS_ALLOWED 2
--#define TNC_CONNECTION_STATE_ACCESS_ISOLATED 3
--#define TNC_CONNECTION_STATE_ACCESS_NONE 4
--#define TNC_CONNECTION_STATE_DELETE 5
--#define TNC_CONNECTION_EAP_ACKNOWLEDGEMENT 6
--
--/*
-- * Accesspoint (as function-pointer) to the TNCS for sending and receiving
-- * TNCCS-Messages.
-- *
-- * -connId: identifies the client which the passed message belongs to.
-- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
-- * -input: input-TNCCS-message received from the client with connId
-- * -inputLength: length of input-TNCCS-message
-- * -isFirst: 1 if first message in fragmentation else 0
-- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
-- * -overallLength: length of all fragments together (only set if fragmentation)
-- * -output: answer-TNCCS-message from the TNCS to the client
-- * -outputLength: length of answer-TNCCS-message
-- * -answerIsFirst: returned answer is first in row
-- * -moreFragmentsFollow: more fragments after this answer
-- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
-- *
-- * return: state of connection as result of the exchange
-- */
--typedef TNC_ConnectionState (*ExchangeTNCCSMessagePointer)(/*in*/ TNC_ConnectionID connId,
-- /*in*/ int isAcknoledgement,
-- /*in*/ TNC_BufferReference input,
-- /*in*/ TNC_UInt32 inputLength,
-- /*in*/ int isFirst,
-- /*in*/ int moreFragments,
-- /*in*/ TNC_UInt32 overallLength,
-- /*out*/ TNC_BufferReference *output,
-- /*out*/ TNC_UInt32 *outputLength,
-- /*out*/ int *answerIsFirst,
-- /*out*/ int *moreFragmentsFollow,
-- /*out*/ TNC_UInt32 *overallLengthOut
--);
--
--#ifdef __cplusplus
--}
--#endif
--#endif //_TNCS_H_
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 2012-12-04 19:39:54.749423138 +0100
-@@ -37,6 +37,10 @@
- int copy_request_to_tunnel;
- int use_tunneled_reply;
- const char *virtual_server;
-+ const char *tnc_virtual_server; // virtual server for EAP-TNC as the second inner method
-+ VALUE_PAIR *auth_reply; // cache storage of the last reply of the first inner method
-+ int auth_code; // cache storage of the reply-code of the first inner method
-+ int doing_tnc; // status if we're doing EAP-TNC
- } ttls_tunnel_t;
-
- /*
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c 2012-12-04 19:39:54.749423138 +0100
-@@ -62,6 +62,11 @@
- * Virtual server for inner tunnel session.
- */
- char *virtual_server;
-+
-+ /*
-+ * Virtual server for the second inner tunnel method, which is EAP-TNC.
-+ */
-+ char *tnc_virtual_server;
- } rlm_eap_ttls_t;
-
-
-@@ -78,6 +83,9 @@
- { "virtual_server", PW_TYPE_STRING_PTR,
- offsetof(rlm_eap_ttls_t, virtual_server), NULL, NULL },
-
-+ { "tnc_virtual_server", PW_TYPE_STRING_PTR,
-+ offsetof(rlm_eap_ttls_t, tnc_virtual_server), NULL, NULL },
-+
- { "include_length", PW_TYPE_BOOLEAN,
- offsetof(rlm_eap_ttls_t, include_length), NULL, "yes" },
-
-@@ -171,6 +179,10 @@
- t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
- t->use_tunneled_reply = inst->use_tunneled_reply;
- t->virtual_server = inst->virtual_server;
-+ t->tnc_virtual_server = inst->tnc_virtual_server; // virtual server for EAP-TNC as the second inner method
-+ t->auth_reply = NULL; // cache storage of the last reply of the first inner method
-+ t->auth_code = -1; // cache storage of the reply-code of the first inner method
-+ t->doing_tnc = 0; // status if we're doing EAP-TNC (on start we're doing NOT)
- return t;
- }
-
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2012-12-04 19:39:54.749423138 +0100
-@@ -585,6 +585,94 @@
- }
-
- /*
-+ * Start EAP-TNC as a second inner method.
-+ * Creates a new fake-request out of the original incoming request (via EAP_HANDLER).
-+ * If it's the first time, we create a EAP-START-packet and send
-+ * EAP-START := code = PW_EAP_REQUEST
-+ *
-+ */
-+static REQUEST* start_tnc(EAP_HANDLER *handler, ttls_tunnel_t *t) {
-+ REQUEST* request = handler->request;
-+ RDEBUG2("EAP-TNC as second inner authentication method starts now");
-+
-+ /*
-+ * Allocate a fake REQUEST struct,
-+ * to make a new request, based on the original request.
-+ */
-+ REQUEST* fake = request_alloc_fake(request);
-+
-+ /*
-+ * Set the virtual server to that of EAP-TNC.
-+ */
-+ fake->server = t->tnc_virtual_server;
-+
-+ /*
-+ * Build a new EAP-Message.
-+ */
-+ VALUE_PAIR *eap_msg;
-+ eap_msg = paircreate(PW_EAP_MESSAGE, PW_TYPE_OCTETS);
-+
-+ /*
-+ * Set the EAP-Message to look like EAP-Start
-+ */
-+ eap_msg->vp_octets[0] = PW_EAP_RESPONSE;
-+ eap_msg->vp_octets[1] = 0x00;
-+
-+ /*
-+ * Only setting EAP-TNC here,
-+ * because it is intended to do user-authentication in the first inner method,
-+ * and then a hardware-authentication (like EAP-TNC) as the second method.
-+ */
-+ eap_msg->vp_octets[4] = PW_EAP_TNC;
-+
-+ eap_msg->length = 0;
-+
-+ /*
-+ * Add the EAP-Message to the request.
-+ */
-+ pairadd(&(fake->packet->vps), eap_msg);
-+
-+ /*
-+ * Process the new request by the virtual server configured for
-+ * EAP-TNC.
-+ */
-+ rad_authenticate(fake);
-+
-+ /*
-+ * From now on we're doing EAP-TNC as the second inner authentication method.
-+ */
-+ t->doing_tnc = TRUE;
-+
-+ return fake;
-+}
-+
-+/*
-+ * Stop EAP-TNC as a second inner method.
-+ * Copy the value pairs from the cached Access-Accept of the first inner method
-+ * to the Access-Accept/Reject package of EAP-TNC.
-+ */
-+static REQUEST* stop_tnc(REQUEST *request, ttls_tunnel_t *t) {
-+ RDEBUG2("EAP-TNC as second inner authentication method stops now");
-+
-+ /*
-+ * Copy the value-pairs of the origina Access-Accept of the first
-+ * inner authentication method to the Access-Accept/Reject of the
-+ * second inner authentication method (EAP-TNC).
-+ */
-+ if (request->reply->code == PW_AUTHENTICATION_ACK) {
-+ pairadd(&(request->reply->vps), t->auth_reply);
-+ } else if (request->reply->code == PW_AUTHENTICATION_REJECT) {
-+ pairadd(&(request->reply->vps), t->auth_reply);
-+ }
-+
-+ pairdelete(&(request->reply->vps), PW_MESSAGE_AUTHENTICATOR);
-+ pairdelete(&(request->reply->vps), PW_PROXY_STATE);
-+ pairdelete(&(request->reply->vps), PW_USER_NAME);
-+
-+ return request;
-+}
-+
-+/*
- * Use a reply packet to determine what to do.
- */
- static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
-@@ -1135,6 +1223,16 @@
-
- } /* else fake->server == request->server */
-
-+ /*
-+ * If we're doing EAP-TNC as a second method,
-+ * then set the server to that one.
-+ * Then, rad_authenticate will run EAP-TNC,
-+ * so that afterwards we have to look for the state of
-+ * EAP-TNC.
-+ */
-+ if (t->doing_tnc) {
-+ fake->server = t->tnc_virtual_server;
-+ }
-
- if ((debug_flag > 0) && fr_log_fp) {
- RDEBUG("Sending tunneled request");
-@@ -1248,6 +1346,53 @@
-
- default:
- /*
-+ * If the result of the first method was an acknowledgment OR
-+ * if were already running EAP-TNC,
-+ * we're doing additional things before processing the reply.
-+ * Also the configuration for EAP-TTLS has to contain a virtual server
-+ * for EAP-TNC as the second method.
-+ */
-+ if (t->tnc_virtual_server) {
-+ /*
-+ * If the reply code of the first inner method is PW_AUTHENTICATION_ACK
-+ * which means that the method was successful,
-+ * and we're not doing EAP-TNC as the second method,
-+ * then we want to intercept the Access-Accept and start EAP-TNC as the second inner method.
-+ */
-+ if (fake->reply->code == PW_AUTHENTICATION_ACK
-+ && t->doing_tnc == FALSE) {
-+ RDEBUG2("Reply-Code of the first inner method was: %d (PW_AUTHENTICATION_ACK)", fake->reply->code);
-+
-+ /*
-+ * Save reply-value pairs and reply-code of the first method.
-+ */
-+ t->auth_reply = fake->reply->vps;
-+ fake->reply->vps = NULL;
-+ t->auth_code = fake->reply->code;
-+
-+ /*
-+ * Create the start package for EAP-TNC.
-+ */
-+ fake = start_tnc(handler, t);
-+
-+ /*
-+ * If we're doing EAP-TNC as the second inner method,
-+ * and the reply->code was PW_AUTHENTICATION_ACK or PW_AUTHENTICATION_REJECT,
-+ * then we stop EAP-TNC and create an combined Access-Accept or Access-Reject.
-+ */
-+ } else if (t->doing_tnc == TRUE
-+ && (fake->reply->code == PW_AUTHENTICATION_ACK || fake->reply->code == PW_AUTHENTICATION_REJECT)) {
-+
-+ /*
-+ * Create the combined Access-Accept or -Reject.
-+ */
-+ RDEBUG2("Reply-Code of EAP-TNC as the second inner method was: %d (%s)", fake->reply->code,
-+ fake->reply->code == PW_AUTHENTICATION_ACK ? "PW_AUTHENTICATION_ACK" : "PW_AUTHENTICATION_REJECT");
-+ fake = stop_tnc(fake, t);
-+ }
-+ }
-+
-+ /*
- * Returns RLM_MODULE_FOO, and we want to return
- * PW_FOO
- */
diff --git a/testing/scripts/recipes/patches/hostapd-config b/testing/scripts/recipes/patches/hostapd-config
deleted file mode 100644
index b26d2783f..000000000
--- a/testing/scripts/recipes/patches/hostapd-config
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -u -ur hostapd-2.0.orig/hostapd/defconfig hostapd-2.0/hostapd/defconfig
---- hostapd-2.0.orig/hostapd/defconfig 2013-01-12 16:42:53.000000000 +0100
-+++ hostapd-2.0/hostapd/defconfig 2016-06-15 17:32:57.000000000 +0200
-@@ -13,14 +13,14 @@
- CONFIG_DRIVER_HOSTAP=y
-
- # Driver interface for wired authenticator
--#CONFIG_DRIVER_WIRED=y
-+CONFIG_DRIVER_WIRED=y
-
- # Driver interface for madwifi driver
- #CONFIG_DRIVER_MADWIFI=y
- #CFLAGS += -I../../madwifi # change to the madwifi source directory
-
- # Driver interface for drivers using the nl80211 kernel interface
--CONFIG_DRIVER_NL80211=y
-+#CONFIG_DRIVER_NL80211=y
-
- # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
- #CONFIG_DRIVER_BSD=y
-@@ -30,7 +30,7 @@
- #LIBS_c += -L/usr/local/lib
-
- # Driver interface for no driver (e.g., RADIUS server only)
--#CONFIG_DRIVER_NONE=y
-+CONFIG_DRIVER_NONE=y
-
- # IEEE 802.11F/IAPP
- CONFIG_IAPP=y
-@@ -152,7 +152,7 @@
-
- # Add support for writing debug log to a file: -f /tmp/hostapd.log
- # Disabled by default.
--#CONFIG_DEBUG_FILE=y
-+CONFIG_DEBUG_FILE=y
-
- # Remove support for RADIUS accounting
-#CONFIG_NO_ACCOUNTING=y
\ No newline at end of file
diff --git a/testing/scripts/recipes/patches/tnc-fhh-tncsim b/testing/scripts/recipes/patches/tnc-fhh-tncsim
deleted file mode 100644
index 42c714480..000000000
--- a/testing/scripts/recipes/patches/tnc-fhh-tncsim
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index fe65134512ea..3c5255f21ea6 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -101,7 +101,6 @@ IF(${COMPONENT} STREQUAL "ALL")
- add_subdirectory(tncxacml)
- add_subdirectory(imcv)
- add_subdirectory(tncs)
-- add_subdirectory(tncsim)
-
- IF(${NAL} STREQUAL "8021X" OR ${NAL} STREQUAL "ALL")
- add_subdirectory(naaeap)
diff --git a/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc b/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc
deleted file mode 100644
index 2e00e5b44..000000000
--- a/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc
+++ /dev/null
@@ -1,47 +0,0 @@
-diff -urN wpa_supplicant-2.0.ori/src/eap_peer/tncc.c wpa_supplicant-2.0/src/eap_peer/tncc.c
---- wpa_supplicant-2.0.ori/src/eap_peer/tncc.c 2013-01-12 16:42:53.000000000 +0100
-+++ wpa_supplicant-2.0/src/eap_peer/tncc.c 2013-03-23 13:10:22.151059154 +0100
-@@ -465,7 +465,7 @@
- return -1;
- }
- #else /* CONFIG_NATIVE_WINDOWS */
-- imc->dlhandle = dlopen(imc->path, RTLD_LAZY);
-+ imc->dlhandle = dlopen(imc->path, RTLD_LAZY | RTLD_GLOBAL);
- if (imc->dlhandle == NULL) {
- wpa_printf(MSG_ERROR, "TNC: Failed to open IMC '%s' (%s): %s",
- imc->name, imc->path, dlerror());
-diff -urN wpa_supplicant-2.0.ori/wpa_supplicant/defconfig wpa_supplicant-2.0/wpa_supplicant/defconfig
---- wpa_supplicant-2.0.ori/wpa_supplicant/defconfig 2013-01-12 16:42:53.000000000 +0100
-+++ wpa_supplicant-2.0/wpa_supplicant/defconfig 2013-03-23 13:06:08.759052370 +0100
-@@ -86,7 +86,7 @@
- CONFIG_DRIVER_WEXT=y
-
- # Driver interface for Linux drivers using the nl80211 kernel interface
--CONFIG_DRIVER_NL80211=y
-+#CONFIG_DRIVER_NL80211=y
-
- # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
- #CONFIG_DRIVER_BSD=y
-@@ -193,7 +193,7 @@
- #CONFIG_EAP_GPSK_SHA256=y
-
- # EAP-TNC and related Trusted Network Connect support (experimental)
--#CONFIG_EAP_TNC=y
-+CONFIG_EAP_TNC=y
-
- # Wi-Fi Protected Setup (WPS)
- #CONFIG_WPS=y
-diff -urN wpa_supplicant-2.0.ori/wpa_supplicant/Makefile wpa_supplicant-2.0/wpa_supplicant/Makefile
---- wpa_supplicant-2.0.ori/wpa_supplicant/Makefile 2013-01-12 16:42:53.000000000 +0100
-+++ wpa_supplicant-2.0/wpa_supplicant/Makefile 2013-03-23 13:06:08.759052370 +0100
-@@ -6,8 +6,8 @@
- CFLAGS = -MMD -O2 -Wall -g
- endif
-
--export LIBDIR ?= /usr/local/lib/
--export BINDIR ?= /usr/local/sbin/
-+export LIBDIR ?= /usr/lib/
-+export BINDIR ?= /usr/sbin/
- PKG_CONFIG ?= pkg-config
-
- CFLAGS += -I../src
diff --git a/testing/testing.conf b/testing/testing.conf
index 92b9693c1..7d8480c1f 100644
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -24,18 +24,14 @@ fi
: ${TESTDIR=/srv/strongswan-testing}
# Kernel configuration
-<<<<<<< Updated upstream
-: ${KERNELVERSION=4.18.9}
-=======
-: ${KERNELVERSION=4.15.9}
->>>>>>> Stashed changes
+: ${KERNELVERSION=4.20}
: ${KERNEL=linux-$KERNELVERSION}
: ${KERNELTARBALL=$KERNEL.tar.xz}
-: ${KERNELCONFIG=$DIR/../config/kernel/config-4.15}
-: ${KERNELPATCH=ha-4.15.6-abicompat.patch.bz2}
+: ${KERNELCONFIG=$DIR/../config/kernel/config-4.19}
+: ${KERNELPATCH=ha-4.16-abicompat.patch.bz2}
# strongSwan version used in tests
-: ${SWANVERSION=5.7.0}
+: ${SWANVERSION=5.7.2}
# Build directory where the guest kernel and images will be built
: ${BUILDDIR=$TESTDIR/build}
@@ -52,8 +48,8 @@ fi
# Base image settings
# The base image is a pristine OS installation created using debootstrap.
-: ${BASEIMGSIZE=1600}
-: ${BASEIMGSUITE=jessie}
+: ${BASEIMGSIZE=1800}
+: ${BASEIMGSUITE=stretch}
: ${BASEIMGARCH=amd64}
: ${BASEIMG=$IMGDIR/debian-$BASEIMGSUITE-$BASEIMGARCH.$IMGEXT}
: ${BASEIMGMIRROR=http://http.debian.net/debian}
diff --git a/testing/tests/botan/net2net-ed25519/description.txt b/testing/tests/botan/net2net-ed25519/description.txt
new file mode 100755
index 000000000..8c67989f4
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/description.txt
@@ -0,0 +1,10 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> containing <b>Ed25519</b> keys.
+<b>moon</b> uses the botan plugin based on the Botan library for all
+cryptographical functions whereas <b>sun</b> uses the default strongSwan
+cryptographical plugins.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/botan/net2net-ed25519/evaltest.dat b/testing/tests/botan/net2net-ed25519/evaltest.dat
new file mode 100755
index 000000000..ebbb8ae75
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/evaltest.dat
@@ -0,0 +1,7 @@
+moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with ED25519 successful::YES
+sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ED25519 successful::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..508c30a00
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random pem x509 revocation constraints pubkey botan
+}
+
+charon-systemd {
+ load = random nonce pem x509 botan revocation curl kernel-netlink socket-default updown vici
+}
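Review bot: The `charon-systemd` load list for moon leaves out `constraints`, although the `swanctl` list just above includes it and the moon config of net2net-sha3-rsa-cert in this same commit loads it in the daemon section. Certificate path validation is done by the daemon rather than by the swanctl tool, so as far as can be told from here the plugin sits in the section where it has the least effect. If the omission is not deliberate, the line could read `load = random nonce pem x509 botan revocation constraints curl kernel-netlink socket-default updown vici`. The `charon-systemd` list in hosts/sun/etc/strongswan.conf of this test has the same gap.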
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem
new file mode 100644
index 000000000..491d36430
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIKF9TGaPwvVmqoqowy6y8anmPMKpSi9bKc310bbXBMtk
+-----END PRIVATE KEY-----
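Review bot: moonKey.pem is an unencrypted PKCS#8 private key checked in next to the certificate it belongs to, and nothing in the test directory marks it as a throwaway fixture. A sentence in description.txt such as `The keys and certificates under hosts/ are test fixtures and must not be deployed outside the testing environment.` would make that explicit, both for readers and for anyone triaging secret-scanner hits on this tree. The same applies to hosts/sun/etc/swanctl/pkcs8/sunKey.pem and to the RSA key added as net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem.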
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bcc2742f7
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100644
index 000000000..e67b224b6
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9TCCAaegAwIBAgIBATAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT
+EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5
+IFJvb3QgQ0EwHhcNMTYxMjA0MjI0MDQyWhcNMjExMjA0MjI0MDQyWjBaMQswCQYD
+VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF
+ZDI1NTE5MRwwGgYDVQQDExNtb29uLnN0cm9uZ3N3YW4ub3JnMCowBQYDK2VwAyEA
+4X/jpRSEXr0/TmIHTOj7FqllkP+3e+ljkAU1FtYnX5ijgZwwgZkwHwYDVR0jBBgw
+FoAUI06SkApIhvYFXf55p3YDOo5w2PgwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz
+d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
+dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWQyNTUxOS5jcmww
+BQYDK2VwA0EAOjD6PXrI3R8Wj55gstR2FtT0Htu4vV2jCRekts8O0++GNVMn65BX
+8ohW9fH7Ie2JTSOb0wzX+TPuMUAkLutUBA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..9c5a06945
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBljCCAUigAwIBAgIIBrMLy9hl4GQwBQYDK2VwME8xCzAJBgNVBAYTAkNIMRsw
+GQYDVQQKExJzdHJvbmdTd2FuIFByb2plY3QxIzAhBgNVBAMTGnN0cm9uZ1N3YW4g
+RWQyNTUxOSBSb290IENBMB4XDTE2MTIwNDIyMzU1NloXDTI2MTIwNDIyMzU1Nlow
+TzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEG
+A1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5IFJvb3QgQ0EwKjAFBgMrZXADIQAKMO0G
+lvjTLC7k8FoSp78rca3x++nvf9xPACSqnBg5UKNCMEAwDwYDVR0TAQH/BAUwAwEB
+/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCNOkpAKSIb2BV3+ead2AzqOcNj4
+MAUGAytlcANBAEimNd3OTwM42KM0D+E6nJMHbrGSLA1XAukJDH9w30tzkbQHxTSv
+OPEN02ar1L30xfYVySJhV9i5cE8QkhThcAQ=
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..a35aea01c
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
+}
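Review bot: The `swanctl` load list for sun ends with `openssl`, while description.txt says that sun uses the default strongSwan cryptographical plugins; the `charon-systemd` list below matches that statement, the `swanctl` one does not. If openssl is needed only by the swanctl tool (presumably for hashing while it loads credentials), a comment above the line would say so, e.g. `# openssl is used by swanctl only, the daemon runs on the native plugins`. If it is not needed, dropping the entry keeps the configuration in line with the description.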
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem
new file mode 100644
index 000000000..b83f62c13
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIF8vNpW9TVnEB+DzglbCjuZr+1u84dHRofgHoybGL9j0
+-----END PRIVATE KEY-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..12cee0fc6
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem
new file mode 100644
index 000000000..70af02017
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB8zCCAaWgAwIBAgIBAjAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT
+EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5
+IFJvb3QgQ0EwHhcNMTYxMjA0MjI0MDAyWhcNMjExMjA0MjI0MDAyWjBZMQswCQYD
+VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF
+ZDI1NTE5MRswGQYDVQQDExJzdW4uc3Ryb25nc3dhbi5vcmcwKjAFBgMrZXADIQBn
+HgUv3QIepihJpxydVVtgTsIqminFnbGSER5ReAaQ+qOBmzCBmDAfBgNVHSMEGDAW
+gBQjTpKQCkiG9gVd/nmndgM6jnDY+DAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dh
+bi5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwEwQQYDVR0fBDowODA2oDSgMoYwaHR0
+cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VkMjU1MTkuY3JsMAUG
+AytlcANBAC27Z6Q7/c21bPb3OfvbdnePhIpgGM3LVBL/0Pj9VOAtUec/Rv2rPNHq
+8C1xtc/jMCsI/NdpXSZCeN0lQgf0mgA=
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..9c5a06945
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBljCCAUigAwIBAgIIBrMLy9hl4GQwBQYDK2VwME8xCzAJBgNVBAYTAkNIMRsw
+GQYDVQQKExJzdHJvbmdTd2FuIFByb2plY3QxIzAhBgNVBAMTGnN0cm9uZ1N3YW4g
+RWQyNTUxOSBSb290IENBMB4XDTE2MTIwNDIyMzU1NloXDTI2MTIwNDIyMzU1Nlow
+TzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEG
+A1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5IFJvb3QgQ0EwKjAFBgMrZXADIQAKMO0G
+lvjTLC7k8FoSp78rca3x++nvf9xPACSqnBg5UKNCMEAwDwYDVR0TAQH/BAUwAwEB
+/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCNOkpAKSIb2BV3+ead2AzqOcNj4
+MAUGAytlcANBAEimNd3OTwM42KM0D+E6nJMHbrGSLA1XAukJDH9w30tzkbQHxTSv
+OPEN02ar1L30xfYVySJhV9i5cE8QkhThcAQ=
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-ed25519/posttest.dat b/testing/tests/botan/net2net-ed25519/posttest.dat
new file mode 100755
index 000000000..30f6ede76
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/posttest.dat
@@ -0,0 +1,7 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/swanctl/pkcs8/*
+sun::rm /etc/swanctl/pkcs8/*
diff --git a/testing/tests/botan/net2net-ed25519/pretest.dat b/testing/tests/botan/net2net-ed25519/pretest.dat
new file mode 100755
index 000000000..410253e54
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/pretest.dat
@@ -0,0 +1,9 @@
+moon::rm /etc/swanctl/rsa/moonKey.pem
+sun::rm /etc/swanctl/rsa/sunKey.pem
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/botan/net2net-ed25519/test.conf b/testing/tests/botan/net2net-ed25519/test.conf
new file mode 100755
index 000000000..07a3b247a
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/botan/net2net-pkcs12/description.txt b/testing/tests/botan/net2net-pkcs12/description.txt
new file mode 100644
index 000000000..1d40e30f0
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and an RSA private key stored in
+<b>PKCS12</b> format.
+<p/>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/botan/net2net-pkcs12/evaltest.dat b/testing/tests/botan/net2net-pkcs12/evaltest.dat
new file mode 100644
index 000000000..bfc7e76f1
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/evaltest.dat
@@ -0,0 +1,5 @@
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1d9a7c08b
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = pem nonce revocation botan x509 curl vici kernel-netlink socket-default updown
+ multiple_authentication = no
+}
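Review bot: This file puts the plugin list in a `charon { }` section, whereas the other botan tests added in this commit use `charon-systemd { }` plus a separate `swanctl { }` section, and this test too sets `SWANCTL=1` and starts the daemon with `systemctl start strongswan-swanctl`. Whether a daemon started that way reads the `charon` section depends on a fallback that is not visible here, so the restricted `load` list, which is the point of a botan-only test, may not be what actually runs; renaming the section to `charon-systemd {` would match the sibling tests. There is also no `swanctl { load = ... }` section, so the swanctl tool presumably runs with its default plugin list. hosts/sun/etc/strongswan.conf is the same blob (`1d9a7c08b`) and has the same issue.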
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12
index 365da741f..365da741f 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12
+++ b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12
Binary files differ
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b11cf0f3e
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ pkcs12-moon {
+ file = moonCert.p12
+ secret = "kUqd8O7mzbjXNJKQ"
+ }
+}
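Review bot: The `secrets` section stores the PKCS#12 passphrase in clear text in the same tree as moonCert.p12, so the container's encryption protects nothing here, and the file is added with mode 100755 although it is not a script. For a test fixture that is workable, but a comment above the block, e.g. `# test-only passphrase for the moonCert.p12 fixture`, and mode 100644 would keep the file from being copied as a template. On a real gateway a swanctl.conf with a `secrets` section should be readable by root only. hosts/sun/etc/swanctl/swanctl.conf has the same pattern in `pkcs12-sun`.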
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..1d9a7c08b
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = pem nonce revocation botan x509 curl vici kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12
index e2cd2f21d..e2cd2f21d 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12
+++ b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12
Binary files differ
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..28c0e87a4
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ pkcs12-sun {
+ file = sunCert.p12
+ secret = "IxjQVCF3JGI+MoPi"
+ }
+}
diff --git a/testing/tests/botan/net2net-pkcs12/posttest.dat b/testing/tests/botan/net2net-pkcs12/posttest.dat
new file mode 100644
index 000000000..9802f442d
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/posttest.dat
@@ -0,0 +1,6 @@
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/swanctl/pkcs12/moonCert.p12
+sun::rm /etc/swanctl/pkcs12/sunCert.p12
diff --git a/testing/tests/botan/net2net-pkcs12/pretest.dat b/testing/tests/botan/net2net-pkcs12/pretest.dat
new file mode 100644
index 000000000..22ffcf949
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/pretest.dat
@@ -0,0 +1,9 @@
+moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem
+sun::cd /etc/swanctl; rm rsa/sunKey.pem x509/sunCert.pem x509ca/strongswanCert.pem
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf b/testing/tests/botan/net2net-pkcs12/test.conf
index afa2accbe..87abc763b 100644
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf
+++ b/testing/tests/botan/net2net-pkcs12/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/description.txt b/testing/tests/botan/net2net-sha3-rsa-cert/description.txt
new file mode 100755
index 000000000..2db82a941
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> with signatures consisting of
+<b>RSA-encrypted SHA-3 hashes</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/evaltest.dat b/testing/tests/botan/net2net-sha3-rsa-cert/evaltest.dat
new file mode 100755
index 000000000..4c56d5299
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/evaltest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
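Review bot: None of the five checks ties the result to SHA-3: they match the IKE and ESP algorithms, the ping and the ESP packets, and would pass unchanged if the fixtures were swapped for certificates signed with another hash. The net2net-ed25519 test in this commit pins the authentication method with a daemon.log check (`authentication of.*sun.strongswan.org.*with ED25519 successful`). An analogous line here, e.g. `moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with <SCHEME> successful::YES` with `<SCHEME>` replaced by the scheme name the daemon actually logs, would at least pin the signature scheme used for IKE authentication. The same check on sun would cover the other direction.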
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..51a7747d7
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem x509 revocation constraints pubkey botan random
+}
+
+charon-systemd {
+ load = random nonce pem x509 revocation constraints pubkey botan curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem
new file mode 100644
index 000000000..f24b3ebf3
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEAnD3x6bsLjwUP9BU0+hDSo28XBn1aM8+UO5n5XnnuQ8CDB+Mq
+pEHgNve71FBD8Gqf2dha5rfRx5HhXbw6BZMCTdUs5oxHsaOl5LGwp8W4G1BSxofV
+T7yzfnmW/+lPER2zJnXbOlVfW8UoEbsAfXpCr/edJvBu10kk1VHjrnMJIDGlNc4N
+Re06DcYSb/7AgRN6umPQr+uRzn5jFXJyROjx00gH89GzZIaNciyiYwaCZFBduByt
+UhaL8RKMA+MxWrB1ICQgE7hITZXvJJg2UuEe+t3lXMSfKoZHyU2sTBtctXan6rf/
+XmC0O3Bf7RTwoFmDvJlApgfpL1QIe8gH1hi/NukTYskm+zWYPkJAzcwCyMmyhZFY
+v0r0pybLWI1hZ8xeTr7MSbtImsvxl8mxwG7wRtWS5BKd0kke/gorCEI8AYZj33NA
+G58iX4+z745z4UNNTDg1bnjB2fTw4c0AD7TOIU76ZskhGKj4J7ZMzeQ5YXLMFRmp
+qn0p9obSqXwg62dXAgMBAAECggGAHb2g3efv5FKHXePniK5JGjkcPe0AjZo20j2V
+/UjidN0hVBAG3ut3PZ9cjqaUuB/ju7j2XLKi6QU4y/n3ZXY9Wwl4GY6cWxEWk/jK
+8rStPe3FQ+s5TItT84A7oQ0NMunfXzPR/kGf/D0ESpO5HSl3pj1RGcdsoehXbY+/
+8kYNd6Zbl2lYl3X3tgV9Hvp0NF2739z+LW5++7qNK9j0LW/WEGzGrr+9ESaXqCMc
+6hKkIWo23MQArf6Ctunb4yWNEIFEDi1r9DzMbZN/lVhDx77Q0KYLH1P31R5rOc1G
+NYXPF4F3CSfUsgd48dB2/1FCTnDJ4PmOU/R1L8jAgnSOroTAYDVzY4DJ7vyKGvIE
+DL7eKlbwOfS5swyANUKgHO6QiHt9WzcNUGpeinTa3wJ4KoAdG+lzDMuiwRFdSRRU
+z7t1ptTf2LuCAtva2daP2SPed+ITg2QB6X4BSQkqR0vPYBQIZAtFjMWH78E2PLrD
+01+LpOj8TBRerd834etDODg4ddiRAoHBAMiYg7hWfChw3SdnmAmkhDAZN80pvsUU
+bzzAiQ5EI59JYMoi/amYyLd6hUK4Z8g4gcdXzBYw9iwJuj8LMpPBZlplAxVnFdId
+23I+GNDmcX2ovOpl6skKy1grNhBigxRUQUGsS9oxrYeuy2VymDzeZPCQmrrhsXk/
+Mac237nncJj2n8I5RtDOoSOFD0+grs7MXs4P+W2HHzWgkN7mBgKeFfUPLI3Kyy3p
+F7tXegtJqIJsXlfZ/fzR40QTy7/VbwAW/wKBwQDHZVDYtYe4YoHKdwtAqs/J08QA
+29fGkM4ZawLNTY4jz9rdtOuBWg0FPAo82x21xlbRQLsaTKzy9O6a3cQ5oaKtKCh/
+XmKCssrnzJsYZYnhkP4f4VXK8nai/9LFo8TWhB8hNy62GGmfXffsqhAIqIqZA02F
+/mOfR6Wrqs7yfzYnJnVsjbR1B2zSiNAYKtk1VtQdGjuagSn/dEyhSCaQRXotXUKX
+SJDzPf/H2mj97Cg+3bCtdE/h//N1/cmV/5QEx6kCgcEAh1ua7oW1bBiUsuVNi5wu
+8sHhjJiRuS0LzsPg9/Z0zyRVorCv2IRXVK/hQl9q8Ilo0VnmRkctphO+UJI+w8Nq
+TK8CwKt55vnsvY83cac+h9uX9tdk8dpN0qX96lp/NvWPv0ADQy3oebkyWLdWESTE
+miwJrPdkqXtCByKZHzoUGbO5o/bAWWBFDdHYvhOgQb1Yb9YJqqXWInrBpxcykQuZ
+p25g0yE3rzgtomXp3boLck6r7r4TjEkZATQWddERAM+DAoHAEW4w6BDOYXbzA6Du
+ceO8sFb7vlt5fFkyOxSYtRu/fi/wYQssvy0BEGEUQAejjD1fX4F6Ga10PPTeWtli
+CuuvTdXB3IiCsgwxIpxHPpW5vOcw39aR6mDRsCQO58oOLfZ0xjGNustdiFntj1m6
+dxdMrl2UjE8VpFneCKiw2I/4SunYv/mPOd/BSpI9Jq+wNzJ07mpZpYL/Cd6/yCWH
+gXshWA/b/1+PlEPqNS1JmlDnn78/b5pIVWhLfxgFZEBoTxapAoHAY/58nLcWpvpY
+3IZC0fBuR7usTACbxr9Z4okHzJUNnoJe+MSE+wQwuE3nP+vc1CrmBSwCjN2wyVLc
+gy3idN77NthU9l0oElrPbGFKdFEaa85IcKtnfnspzmvo9AJn2wveZUAlZAzu2zBN
+vKI8ubXgoS56uHQnNsWOIugTW/P1I8FnlD4jPItaACGJ3yZWolh9g/WOGS29qJvV
+E/6hT4QPPXPZFEnOKO0/3YsMXBwcnEqm2mQ+c4rGMKrTcynk4KaE
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bcc2742f7
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100644
index 000000000..bea7e81f8
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEyDCCAzCgAwIBAgIBAjANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzU0N1oXDTI2MDky
+MjEwMzU0N1owWDELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5v
+cmcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCcPfHpuwuPBQ/0FTT6
+ENKjbxcGfVozz5Q7mfleee5DwIMH4yqkQeA297vUUEPwap/Z2Frmt9HHkeFdvDoF
+kwJN1SzmjEexo6XksbCnxbgbUFLGh9VPvLN+eZb/6U8RHbMmdds6VV9bxSgRuwB9
+ekKv950m8G7XSSTVUeOucwkgMaU1zg1F7ToNxhJv/sCBE3q6Y9Cv65HOfmMVcnJE
+6PHTSAfz0bNkho1yLKJjBoJkUF24HK1SFovxEowD4zFasHUgJCATuEhNle8kmDZS
+4R763eVcxJ8qhkfJTaxMG1y1dqfqt/9eYLQ7cF/tFPCgWYO8mUCmB+kvVAh7yAfW
+GL826RNiySb7NZg+QkDNzALIybKFkVi/SvSnJstYjWFnzF5OvsxJu0iay/GXybHA
+bvBG1ZLkEp3SSR7+CisIQjwBhmPfc0AbnyJfj7PvjnPhQ01MODVueMHZ9PDhzQAP
+tM4hTvpmySEYqPgntkzN5DlhcswVGamqfSn2htKpfCDrZ1cCAwEAAaOBnTCBmjAf
+BgNVHSMEGDAWgBTkyc2M8ohtHacu1155MaVmVTXOAjAeBgNVHREEFzAVghNtb29u
+LnN0cm9uZ3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEIGA1UdHwQ7MDkw
+N6A1oDOGMWh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi1zaGEz
+LXJzYS5jcmwwDQYJYIZIAWUDBAMOBQADggGBAAHZATrdzGmUIq+0+EdA1AbPdcaT
+UDKJvDS30JyOkUnAv5jr63PHyfw+RS92zgE2UyB4+u43BiggBNmTNCjpaEUmViAo
+tdywkzIKm7q3dr0078IZ8LU8Wo+hoeRNkBJOxdgflsSislQYDeTd7syoQ4BW7whs
+jjFK2Lbthd+/33Iw3LMekYuZF7ZUbHY7D3nlBidrmTIQQCvOnsW2lJi/S83FEYzl
+noK+of3eo4Ryg1/428FHts26PxSmnHv+ckj9R4Jf5kH8kd1WhrgDyHQMnihWlUJ2
+pintDBgislbZytqiBOGeYpbpxKl57zHs421wmUs329asu7zgfJFnCynkUgvuRXdc
+gDJ+DAiVaXCJlYnk36P87028SR9/C0JLzHA3O5CcfUdFEUs0BvVe1D3b9kC28rdA
+5V86DFCL+gp6rB+wDtq6YnCddaNk+ZCs/QAPidqOFAytaBBKaagMIFk+wlsFge79
+ZssIfKy33Frluw0HCj0LNs2tjWvG4Ku8xkFO1Q==
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..29ad5b942
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky
+MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD
+QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF
+XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K
+VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC
+R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU
+YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t
+b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx
+Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw
+g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U
+7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n
+LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v
+4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0
+aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt
+YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k
+FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM
+riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2
+Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u
+kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3
+sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..51a7747d7
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem x509 revocation constraints pubkey botan random
+}
+
+charon-systemd {
+ load = random nonce pem x509 revocation constraints pubkey botan curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem
new file mode 100644
index 000000000..a694bbb8f
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEAuoGEVV6htuzLZd7oeZHYznMbBLffOz2l+t0XqHTUA44eM57K
+ZZMDAcc0gZvZWVFNDmOWpXpxbSQozA8Dgb9b9BYkNWHKW11rwSHq5mzmjBME394p
+DvzdV3tMmSGrhS00EyFWXLnpqrvkNTtiIm6nNHidrqM4ixbXiebOjDi3Z1vIJHOu
+MiUBe8KvZ7p8q4MpRADpEB565NWd+5/Yy4DECepBcmQn+9Pn/6FvdYfodBin9QyO
++7xsgQlnx6XI1HeiMdB6EE8r4AOVbZWseEJkUo/ZhsQk5tIYKZB18vo/8nnAHn6r
+ez+belmo4l/3hctRn8t08Lp7TRxnIUwGL8b8BxtAkR9T09duwE1KRt4h/PsCRx1H
+WKN9g/KsOi8ZPrBiz+hoHhIv+pvQ4ciEuC1Zf6AelEUnI/Rh6RuIkEjuisNk6zL6
+Fi9J2RWDTXY5vJdUTbmQhoQpbmX3yWdJyLn9vLaK/IDhaguYOuiUHKY57jWXZwW/
+bD3a5wi08JLCb0ahAgMBAAECggGALeWxq1Cee2XKqEcy7rf1otiwzXhydyG0twex
+ysL1aeqPhCSPqm+DTey3/y1bT5+yVtgrOo3nW/SKFa2cL1HoTykjv/9QzSswWVb/
+d7VVByOnD3CcqhOQZPby4rxmeV+mcQ7DMg6OcnXKs07p149jloYYR+HjCFeWs1kZ
+e2h5ufXcSxwswipZMxu2DtDV3V9pyFJxCIZ3t9jaCBJOR8ZoeAguEviS3mZHsaEI
+zOOlUOzAaI2uokS8bwThhUBHLAJEe5hglKtu5N1QGUo5x62wIK1+4McKqX5cphvW
+63N5P7yB30hfc1xM9VP/fi5UzmgccNmHl3ErJX6EbHbVNUv0a/wI6cp+s/DQRZMc
+Injr5BJIIFbzmqYST+UxEwtxUL7uV1s/eTXwsFxfQPJnx8rWbeyvGJHU6VykWJ2n
+vHmOItgaw4Lm0iw5XH2g0QC7nYFW6qC5sk7LIS3xUzN73JWjV2Z1E5nLfKxZ9sXz
+aA8WNrMSHUM/KkFaUri1xoH6gdABAoHBAPfA/gcZaoMemP06BIWKwgb/91GRsvc+
+slrmyZy+nq2bQaJw8oYyUmgWfh9X8pD6eVQN7jJBuA3BMg3L4Vn/R65rcwwYKA20
+pHgZF2MbwRlbBDtFQJe8kmwFu+TkHpGcoo94V6MdpbqoRKwQs66WOcjp4vzRLOL0
+ueynDrAPxpOaNIsr66s7xjd01VwEXYlfOfNBpOF/+3vN+O++k45/rnlEWgLeq6ie
+1xkv9vZp4FuNf6gnBXcNhu8aDJvJEMfxnQKBwQDAtqgE9K7Rhq9ht8w8P+QZUGYL
+c8mL4IGsPgmucuuheeWpmvLuAhsTxWBQhrO8/eEK4je+li6R/x0HYqgytsnOxlQH
+xH8ZsvouPtacUF9pv8x7GLnGlvdxdQzmnjYqR5MzFEX/L8+8skiyY95V/kNiWE/T
+X/Q8JgqyQ7VlykHtaToYchEhgY2m2Zxw6YhrI/ghtlP6NwOJDYsFxe7cfVvBQj9K
+qtwAidr8pKSLyJFaot+dAdSqAYZxiO90aSt/i9UCgcEAjzv7YR1Xj+CjsFrXfGFB
+VYysbnMelYSg1p7w1nb6BAJrir9j5yO2ssi2N+a/rQOyG19GY7XM897K0mEZss88
+oOEsDUT1+x6Bq5FODRVhqQgOxTl/Y3o46MzT2TvtVF/LN8jqWbptMyHPOe8aAoiF
+dduKSIGiQsAbsW7PtggY1QLk98T3pfKT4UHhjCZV8XKlbTZ5XYmBWg01q11xr4Ov
+2hojM9+KPJ1AXCZ3z/RcKnH+6LdOmIqwhRF5UqOG2SGdAoHAEA+pFTCnWUMWXtiI
+pwTUJ9/xgUbXJ1dAt3A8MlPVm5GjOG13jaqTQySSEGQJmti15shPyQyPOQ/ABZuN
+VRyy2Q7idftEdIncG/qUvFZefVvE2QWIhiqS2NvehWHuNbvdYsZvxwLfF2TsdiGo
+qBYW251smbtHibPJ9G18Ms2WjQjWFK99CgPYIG3GggqUmglXZsfhW9s16jg8u/Bx
+JeM0wHia+cgfqdPTcnbuV9ARfTJR3K4IYVrbL58wBc22GF05AoHAQvhfvtieWCJ8
+ATqOBjOcUHJ2WLiOslWsYOoqXy7v2YuVt8XFWAWZmLlzcC+8Tv79lCLpOmpiseQw
+kP9Mihi+8T15AmRUUsPREeGb7wCDNbd/KixPimhnelNGPNAV+6DPonSa4WcF9jZk
+nDa51PBPWCEPB5GHdbg/E5yiWMbr63bcTQNZxlRDaljNSRPp8xprs+JT1AIZI2wq
+hEyK6IMjYIj80jB8JZIM7nNgRhzCKCo7RdR3JMb5tduOgzvEheC3
+-----END RSA PRIVATE KEY-----
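Review bot: sunKey.pem is added as an unencrypted RSA private key with mode 100644, and none of the files visible in this part of the commit mark it as a throw-away fixture. Its matching certificate and the SHA-3 root CA are added in the same test directory, so anyone who copies this tree into a real deployment would be trusting a key that is public. I would add one sentence to the test's description.txt (not visible here), for example `The keys and certificates under hosts/ are test fixtures and must never be used outside the test environment.` If the project runs secret scanning, this path should also be allow-listed explicitly rather than the finding being suppressed globally.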
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..12cee0fc6
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
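Review bot: Nothing in this swanctl.conf ties the connection to SHA-3, although the test is named net2net-sha3-rsa-cert: `auth = pubkey` accepts any signature scheme and the proposals use `sha256`. As far as the certificates in this commit show, the SHA-3 part is only in the certificate signatures. A reader of this file alone cannot tell that, so I would add a comment above the `local` section such as `# SHA-3 is exercised through the RSA certificate signatures, not through the IKE/ESP proposals`. It is also worth confirming that the test's evaltest.dat (not visible here) asserts on the signature scheme, otherwise the test would still pass if the peers fell back to another hash.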
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem
new file mode 100644
index 000000000..f1c086ee9
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIExjCCAy6gAwIBAgIBATANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzUzMFoXDTI2MDky
+MjEwMzUzMFowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2FuLm9y
+ZzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALqBhFVeobbsy2Xe6HmR
+2M5zGwS33zs9pfrdF6h01AOOHjOeymWTAwHHNIGb2VlRTQ5jlqV6cW0kKMwPA4G/
+W/QWJDVhyltda8Eh6uZs5owTBN/eKQ783Vd7TJkhq4UtNBMhVly56aq75DU7YiJu
+pzR4na6jOIsW14nmzow4t2dbyCRzrjIlAXvCr2e6fKuDKUQA6RAeeuTVnfuf2MuA
+xAnqQXJkJ/vT5/+hb3WH6HQYp/UMjvu8bIEJZ8elyNR3ojHQehBPK+ADlW2VrHhC
+ZFKP2YbEJObSGCmQdfL6P/J5wB5+q3s/m3pZqOJf94XLUZ/LdPC6e00cZyFMBi/G
+/AcbQJEfU9PXbsBNSkbeIfz7AkcdR1ijfYPyrDovGT6wYs/oaB4SL/qb0OHIhLgt
+WX+gHpRFJyP0YekbiJBI7orDZOsy+hYvSdkVg012ObyXVE25kIaEKW5l98lnSci5
+/by2ivyA4WoLmDrolBymOe41l2cFv2w92ucItPCSwm9GoQIDAQABo4GcMIGZMB8G
+A1UdIwQYMBaAFOTJzYzyiG0dpy7XXnkxpWZVNc4CMB0GA1UdEQQWMBSCEnN1bi5z
+dHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBCBgNVHR8EOzA5MDeg
+NaAzhjFodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4tc2hhMy1y
+c2EuY3JsMA0GCWCGSAFlAwQDDgUAA4IBgQACXiUqwisoOZUH3CPfi+aGaluK3mO7
+nj/gX5X9oE2JC3haWjbnC9fsKai72U8makp12xCpWjHsuiytVlXiiSCRxBGAaFm0
+cy2AI4Ttj+4+GAaI4BkqYBTApdSSXXUH3X4Lwb4LReX+16TsJ4E+d2U/j70gyGRK
+F/KgkKj/Bi4F//4/uXHPbgp2istKmkQ4wlcUb5EdM0tUiAUwYGMhdUhSryq4+7y8
+1QaPGg0Zv3nvGgoj332BOczflmNzoonXcihZk97iMRc/TvBOoizvuH9COCSbw/AB
+hnVG1lyTQjBAcE2U4MP5yUVuIqBgPnKtbyN3gf30Iq3g/ThVekchrYGO3PWMWAzS
+ecfr2yN11BC6nDca039Yub41AuzQqBQR1gY5sHouXNTx4Bs0g4xk+3rGa8MMgI0+
+jXhDVAorQFYuACDuto6skRtkcmXJ/1psvVEv5dcKAHdZCNKkgtXe2XoVvrjNxnPw
+MTVros8o+8Bz2R4qArLjwrZtvYI+czZx6dk=
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..29ad5b942
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb
+MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG
+A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky
+MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv
+amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD
+QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF
+XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K
+VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC
+R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU
+YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t
+b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx
+Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw
+g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U
+7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n
+LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v
+4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0
+aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt
+YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k
+FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM
+riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2
+Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u
+kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3
+sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/posttest.dat b/testing/tests/botan/net2net-sha3-rsa-cert/posttest.dat
new file mode 100755
index 000000000..755f0e5f8
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/pretest.dat b/testing/tests/botan/net2net-sha3-rsa-cert/pretest.dat
new file mode 100755
index 000000000..9440ddab0
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/test.conf b/testing/tests/botan/net2net-sha3-rsa-cert/test.conf
new file mode 100755
index 000000000..07a3b247a
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..b2072d1f4
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+} \ No newline at end of file
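Review bot: This new `mods-available/eap` file ends without a trailing newline, as the `\ No newline at end of file` marker after the closing `}` shows. The equivalent file added for mult-auth-rsa-eap-sim-id in this commit does end with a newline. Adding the newline after the final `}` keeps the fixtures consistent and avoids a spurious diff the next time the file is edited.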
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..07178dc5e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,56 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ suffix
+ files
+ eap {
+ ok = return
+ }
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
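Review bot: The `preacct`, `accounting` and `session` sections look like dead configuration, because the only `listen` block declares `type = auth`. As far as this file shows, no accounting listener is bound to the virtual server, so they would never run. The same layout is repeated in the `sites-available/default` files added for xauth-rsa-radius and mult-auth-rsa-eap-sim-id. Either drop the unused sections so the fixture shows only what the test exercises, or add a comment above `preacct` such as `# kept from the stock config; no acct listener is defined for this test`. Separately, `port = 0` deserves a short comment saying the port is then taken from the system default, since a reader may otherwise read it as disabling the listener.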
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..4fb07b912
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
index b4c7637ac..377aedf1b 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
@@ -1,6 +1,6 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
moon::expect-connection rw
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..27a42d00f
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,53 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ suffix
+ files
+ pap
+}
+
+authenticate {
+ Auth-Type PAP {
+ pap
+ }
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+}
+
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..4fb07b912
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
index b4c7637ac..377aedf1b 100644
--- a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
@@ -1,6 +1,6 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
moon::expect-connection rw
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
deleted file mode 100644
index 0340d5669..000000000
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-subnet 10.1.0.0 netmask 255.255.0.0 {
- option routers 10.1.0.1;
- option broadcast-address 10.1.255.255;
- option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
- option netbios-name-servers PH_IP_VENUS;
-
- # dynamic address pool for visitors
- range 10.1.0.30 10.1.0.50;
-}
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf
deleted file mode 100644
index 0340d5669..000000000
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-subnet 10.1.0.0 netmask 255.255.0.0 {
- option routers 10.1.0.1;
- option broadcast-address 10.1.255.255;
- option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
- option netbios-name-servers PH_IP_VENUS;
-
- # dynamic address pool for visitors
- range 10.1.0.30 10.1.0.50;
-}
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf
deleted file mode 100644
index 0340d5669..000000000
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-subnet 10.1.0.0 netmask 255.255.0.0 {
- option routers 10.1.0.1;
- option broadcast-address 10.1.255.255;
- option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
- option netbios-name-servers PH_IP_VENUS;
-
- # dynamic address pool for visitors
- range 10.1.0.30 10.1.0.50;
-}
diff --git a/testing/tests/ikev2/host2host-cert/description.txt b/testing/tests/ikev2/host2host-cert/description.txt
index 6be21bf8f..876aa7980 100644
--- a/testing/tests/ikev2/host2host-cert/description.txt
+++ b/testing/tests/ikev2/host2host-cert/description.txt
@@ -1,4 +1,6 @@
A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
-The authentication is based on X.509 certificates. <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
+The authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
index 7e343efa5..dcf573b59 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
@@ -6,4 +6,4 @@ carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
index 7e343efa5..dcf573b59 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
@@ -6,4 +6,4 @@ carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2057b5193
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..aa6f98076
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
- simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
index 91425f812..2968646e5 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
@@ -2,13 +2,23 @@ authorize {
preprocess
chap
mschap
- sim_files
suffix
+ files
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
eap {
ok = return
}
unix
- files
expiration
logintime
pap
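Review bot: The new `update reply` block copies `EAP-Sim-SRES*` and `EAP-Sim-KC*` from the control list into the reply list, which is the list returned to the NAS, and these are the secret parts of the GSM triplets. Presumably the `eap` module that follows consumes them and they never leave the server, but the hunk does not show that, and `authorize` starts and ends outside it. I would add a comment above the block, for example `# eap-sim reads the triplets from the reply list; they must be removed before the reply is sent`. It is also worth checking a packet capture from the test to confirm that no Access-Challenge or Access-Accept carries these attributes. The block also runs for every request, including users with no triplets in `files`, so wrapping it in a condition on `control:EAP-Sim-Rand1` would avoid empty expansions.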
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
deleted file mode 100644
index aaabab89e..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
-228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
-228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
-228060123456002,33000000000000000000000000000000,33112233,335566778899AABB
-228060123456002,34000000000000000000000000000000,34112233,345566778899AABB
-228060123456002,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
index e69de29bb..aa6f98076 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
index 6a4da6631..4069be9ce 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
index 9ffd27f1e..f3fdfe6ff 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -1,10 +1,6 @@
-alice::cat /etc/freeradius/clients.conf
-alice::cat /etc/freeradius/eap.conf
-alice::cat /etc/freeradius/proxy.conf
-alice::cat /etc/freeradius/triplets.dat
carol::cat /etc/ipsec.d/triplets.dat
dave::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/nat-rw-psk/description.txt b/testing/tests/ikev2/nat-rw-psk/description.txt
index c74897d9a..9bef3cd18 100644
--- a/testing/tests/ikev2/nat-rw-psk/description.txt
+++ b/testing/tests/ikev2/nat-rw-psk/description.txt
@@ -1,6 +1,7 @@
The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-Both roadwarriors share the same Pre-Shared Key (PSK) with the gateway <b>sun</b>.
+Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway <b>sun</b>.
+<p/>
<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-rw/description.txt b/testing/tests/ikev2/nat-rw/description.txt
index dcf4b94bd..58b28bad2 100644
--- a/testing/tests/ikev2/nat-rw/description.txt
+++ b/testing/tests/ikev2/nat-rw/description.txt
@@ -1,5 +1,7 @@
The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Authentication is based on X.509 certificates.
+<p/>
<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-psk/description.txt b/testing/tests/ikev2/net2net-psk/description.txt
index 02cddbb83..07320d731 100644
--- a/testing/tests/ikev2/net2net-psk/description.txt
+++ b/testing/tests/ikev2/net2net-psk/description.txt
@@ -1,6 +1,7 @@
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>Preshared Keys</b> (PSK). Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+The authentication is based on <b>Preshared Keys</b> (PSK).
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt
index 6d886024b..893a27230 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt
@@ -1,9 +1,11 @@
-at the outset the gateway authenticates itself to the client by sending an
-IKEv2 <b>RSA signature</b> accompanied by a certificate.
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with the <i>Authentication and Key Agreement</i> protocol
-(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
-in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method used in UMTS, but here a secret defined in <b>ipsec.secrets</b>
+is used instead of a USIM/(R)UIM device.
+<p/>
In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior <b>carol</b>
uses the EAP identity <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-rsa/description.txt
index 1277081b9..da5b72735 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/description.txt
@@ -1,7 +1,8 @@
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with the <i>Authentication and Key Agreement</i> protocol
-(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
-in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
-Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
-against <b>carol</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method used in UMTS, but here a secret defined in <b>ipsec.secrets</b>
+is used instead of a USIM/(R)UIM device.
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..1dc69d90d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
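Review bot: With only a `type = auth` listener in `listen`, the `preacct` and `accounting` sections look unreachable in this test, yet they reference `detail`, `unix`, `radutmp`, `exec` and `attr_filter.accounting_response`, which presumably all have to be loadable for freeradius to start. Trimming the virtual server to `listen`, `authorize`, `authenticate` and `post-auth` would limit the fixture to what the EAP exchange uses and reduce what the RADIUS host loads. The same file is added unchanged for rw-eap-md5-class-radius and rw-eap-md5-id-radius (same blob id 1dc69d90d), so a single shared copy would also keep the three from drifting apart.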
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..ba92f0080
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,4 @@
+carol Cleartext-Password := "Ar3etTnp"
+ Framed-IP-Address = 10.3.0.1
+dave Cleartext-Password := "W7R0g3do"
+ Framed-IP-Address = 10.3.0.2
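Review bot: The `users` file carries `Cleartext-Password` values with nothing to mark them as throwaway test secrets or to say where their counterpart lives. A header comment such as `# test-only credentials; must match the EAP secrets configured on carol and dave` would make that explicit; the client-side files are not part of this hunk, so where the matching secrets live is an assumption. The same applies to the `users` files added for rw-eap-md5-class-radius, rw-eap-md5-id-radius and rw-eap-md5-radius, which reuse the same password strings.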
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
index fa2d7eeb9..c98e8ed53 100644
--- a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
@@ -1,7 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..1dc69d90d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..62d459115
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,4 @@
+carol Cleartext-Password := "Ar3etTnp"
+ Class = "Research"
+dave Cleartext-Password := "W7R0g3do"
+ Class = "Accounting"
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
index 303139615..e63c57e72 100644
--- a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
@@ -1,7 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..1dc69d90d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
index b27673c6d..012323f8f 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
@@ -1,6 +1,6 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
moon::expect-connection rw-eap
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
index b27673c6d..012323f8f 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
@@ -1,6 +1,6 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
moon::expect-connection rw-eap
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/description.txt b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt
index d376ee5a8..08fd89b65 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt
@@ -1,7 +1,7 @@
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with an <i>MD5</i> challenge and response protocol
-(<b>EAP-MD5</b>) to authenticate against the gateway. The user password
-is kept in <b>ipsec.secrets</b> on both gateway and client
-Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
-against <b>carol</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
+<i>Extensible Authentication Protocol</i> to authenticate herself.
+
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt
index 4feadff4c..95afc08b5 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt
@@ -1,8 +1,10 @@
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with the <i>Microsoft CHAP version 2</i> protocol
-(<b>EAP-MSCHAPV2</b>) to authenticate against the gateway. This protocol is used
-e.g. by the Windows 7 Agile VPN client.
-In addition to her IKEv2 identity <b>PH_IP_CAROL</b>, roadwarrior <b>carol</b>
-uses the EAP identy <b>carol</b>. Gateway <b>moon</b> additionally uses an <b>RSA signature</b>
-to authenticate itself against <b>carol</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Microsoft CHAP version 2</i> (<b>EAP-MSCHAPV2</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method is used e.g. by the Windows 7/8/10 Agile VPN client.
+<p/>
+In addition to her IKEv2 identity which defaults to her IP address,
+roadwarrior <b>carol</b> uses the EAP identity <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..0ae8befe4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,21 @@
+eap {
+ md5 {
+ }
+ default_eap_type = peap
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ peap {
+ tls = tls-common
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ }
+}
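Review bot: `cipher_list = "DEFAULT"` in `tls-common` leaves the PEAP outer tunnel on whatever cipher set the local OpenSSL build ships, and the block sets no protocol floor, so what this test negotiates depends on the image rather than on the fixture. Either narrow the list to what the test is meant to exercise or add a comment such as `# test fixture: OpenSSL default ciphers, not a hardening example`, since test configs tend to get copied into deployments. `dh_file = ${certdir}/dh` and `random_file = ${certdir}/random` point at files this section does not add; presumably the test image provides them, which is worth confirming.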
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..6ce9d6391
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
@@ -0,0 +1,38 @@
+server inner-tunnel {
+
+authorize {
+ filter_username
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ update outer.session-state {
+ &Module-Failure-Message := &request:Module-Failure-Message
+ }
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
index fa2d7eeb9..c98e8ed53 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
@@ -1,7 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
index 0531a559f..41abb363c 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
@@ -1,13 +1,13 @@
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
At the outset the gateway authenticates itself to the client by sending
-an IKEv2 <b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
-in association with a <i>GSM Subscriber Identity Module</i>
-(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
-In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
-are used instead of a physical SIM card on the client <b>carol</b> and
-the gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
which also uses static triplets. In addition to her IKEv2 identity
<b>carol@strongswan.org</b>, roadwarrior <b>carol</b> uses the EAP
identity <b>228060123456001</b>.
-
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2057b5193
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..1c281a974
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
- simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
index 893529324..1dc666992 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -1,5 +1,16 @@
authorize {
- sim_files
+ files
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
eap {
ok = return
}
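Review bot: The new `update reply` block carries no comment, and it is not obvious why nine attributes are copied through string expansion from `control`. A line such as `# copy the static triplets that "files" placed in the control list into the reply, where eap appears to read them` above it would help; where the module reads them is inferred, not visible here. This hunk edits the legacy `etc/freeradius/` tree while the same commit adds an `etc/freeradius/3.0/` tree for this test whose `authorize` has `files` but no such block, so if the test host uses only one tree the other could be dropped. The `authorize` section continues below the hunk.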
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
index e69de29bb..1c281a974 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
index 122ee2283..53aa83f0c 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
@@ -1,8 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-alice::cat /etc/freeradius/triplets.dat
carol::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
moon::expect-connection rw-eap
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt
index d50175664..26de3c982 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt
@@ -1,14 +1,15 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The gateway <b>moon</b> does not send an AUTH payload thus signalling
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+At the outset the gateway does not send an AUTH payload thus signalling
a mutual <b>EAP-only</b> authentication.
-<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
-in association with a <i>GSM Subscriber Identity Module</i>
-(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
-In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
-are used instead of a physical SIM card on the client <b>carol</b>.
+<p/>
+Next the clients use the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate themselves.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
-which also uses a static triplets file.
-<p>
+which also uses static triplets.
+<p/>
The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
-the radius server <b>alice</b> returns an <b>Access-Reject</b> message
-and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>.
+the RADIUS server <b>alice</b> returns an <b>Access-Reject</b> message
+and the gateway <b>moon</b> sends back <b>EAP_FAILURE</b>.
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..71fa4f18c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
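Review bot: The `preacct` and `accounting` sections in this virtual server look unreachable, because the only `listen` block is `type = auth` and no `type = acct` listener is declared. Either drop the two sections or put a comment above them, for example `# not exercised: this server has no acct listener`, so a reader does not assume this scenario covers accounting. The identical file is added for rw-eap-sim-radius, and the rw-eap-tls-radius and rw-eap-ttls-radius defaults have the same shape.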
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
- simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
index fbdf75f4c..8d68b81fc 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -1,6 +1,17 @@
authorize {
- sim_files
+ files
suffix
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
eap {
ok = return
}
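Review bot: The `update reply` block spells the attributes `EAP-Sim-Rand1..3`, while the `users` file added in this commit spells them `EAP-Sim-RAND1..3`; use one spelling in both places so a search for the triplet attributes finds every use. The block also needs a comment saying why it exists, for example `# files puts the triplets in the control list; copy them to reply for the eap module`, which is what replacing `sim_files` with `files` suggests but the hunk does not state. For a user with no `users` entry the expansions are presumably empty, so it is worth confirming that the eap module rejects rather than proceeds with empty values. The `authorize` section continues past the end of the hunk, and the rw-eap-sim-radius hunk for the same file has the same block.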
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
index e69de29bb..a74267d30 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
index 9614686c2..04b824def 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
@@ -7,10 +7,9 @@ dave::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
-alice::cat /etc/freeradius/triplets.dat
carol::cat /etc/ipsec.d/triplets.dat
dave::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-radius/description.txt
index 6c3c71987..5cb1bacdc 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-radius/description.txt
@@ -1,14 +1,15 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the client by sending
-an IKEv2 <b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
-in association with a <i>GSM Subscriber Identity Module</i>
-(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
-In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
-are used instead of a physical SIM card on the client <b>carol</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next the clients use the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate themselves.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
-which also uses a static triplets file.
-<p>
+which also uses static triplets.
+<p/>
The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
-the radius server <b>alice</b> returns an <b>Access-Reject</b> message
-and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>.
+the RADIUS server <b>alice</b> returns an <b>Access-Reject</b> message
+and the gateway <b>moon</b> sends back <b>EAP_FAILURE</b>.
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..71fa4f18c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
- simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
index 91425f812..51b64a74b 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -2,8 +2,19 @@ authorize {
preprocess
chap
mschap
- sim_files
+ files
suffix
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
eap {
ok = return
}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
index e69de29bb..a74267d30 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
index 52d5962f4..e171997bc 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
@@ -1,13 +1,9 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-alice::cat /etc/freeradius/clients.conf
-alice::cat /etc/freeradius/eap.conf
-alice::cat /etc/freeradius/proxy.conf
-alice::cat /etc/freeradius/triplets.dat
carol::cat /etc/ipsec.d/triplets.dat
dave::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/description.txt b/testing/tests/ikev2/rw-eap-sim-rsa/description.txt
index 686241809..4401e679f 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/description.txt
@@ -1,7 +1,8 @@
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with a GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
-to authenticate against the gateway. In this scenario triplets from the file
-<b>/etc/ipsec.d/triplets.dat</b> are used instead of a physical SIM card.
-Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate
-itself against <b>carol</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..e8670dbb7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,16 @@
+eap {
+ default_eap_type = tls
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ tls {
+ tls = tls-common
+ }
+}
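Review bot: `cipher_list = "DEFAULT"` in `tls-common` leaves the offered suites to whatever the installed OpenSSL build treats as default, and the same commit removes the pinned `libtls` suite from carol's strongswan.conf, so the scenario no longer fixes which suite is negotiated. If that is intended, say so next to the setting, for example `# test fixture: suite selection left to the OpenSSL default`. `dh_file` and `random_file` point at `${certdir}/dh` and `${certdir}/random`, which are not added in the part of the diff visible here, so it is worth confirming they exist on alice. The rw-eap-ttls-radius `eap` file carries the same `tls-common` block.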
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..060702784
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,55 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
index ef5666914..6907b7657 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -9,7 +9,3 @@ charon {
}
}
}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
index b27673c6d..012323f8f 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
@@ -1,6 +1,6 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
moon::expect-connection rw-eap
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 576d2cb99..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
- rightauth=any
- rightsubnet=10.1.0.0/16
- rightsendcert=never
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index fa1febe0f..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index ba52ec31e..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
- rightauth=any
- rightsubnet=10.1.0.0/16
- rightsendcert=never
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index d5631a9f5..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "UgaM65Va"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index fa1febe0f..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 738481257..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightsendcert=never
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 0ff7725ca..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
- multiple_authentication=no
-
- syslog {
- daemon {
- tls = 2
- }
- }
- plugins {
- eap-ttls {
- phase2_method = md5
- phase2_piggyback = yes
- }
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
deleted file mode 100644
index dccf85419..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7450c71c4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,21 @@
+eap {
+ md5 {
+ }
+ default_eap_type = ttls
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ ttls {
+ tls = tls-common
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ }
+}
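Review bot: `use_tunneled_reply = yes` in the `ttls` block is, as far as I know, marked deprecated in FreeRADIUS 3.0 in favour of copying attributes with `update outer.session-state` in the inner server. The inner-tunnel file added in this commit only updates `outer.session-state` in its `Post-Auth-Type REJECT` branch, so any reply attributes from the inner `files` lookup appear to reach the Access-Accept only through this option. A short comment such as `# kept for the test; 3.0 prefers outer.session-state` would make that dependency visible. The inner method is `md5`, which relies entirely on the TTLS tunnel for protection, so the `tls-common` settings above matter for this scenario.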
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..6ce9d6391
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
@@ -0,0 +1,38 @@
+server inner-tunnel {
+
+authorize {
+ filter_username
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ update outer.session-state {
+ &Module-Failure-Message := &request:Module-Failure-Message
+ }
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
index fa2d7eeb9..c98e8ed53 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
@@ -1,7 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
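Review bot: This module file enables EAP-MD5 as the only and default method, with no comment marking it as a test fixture. EAP-MD5 gives no server authentication and its challenge/response can be checked offline against guessed passwords. It is also why the `users` file added later in this commit has to hold carol's password as `Cleartext-Password`. Both are reasonable for the test network, assuming the exchange runs inside IKEv2 with a certificate-authenticated gateway, which is not visible here. I would add a header comment such as `# test fixture: EAP-MD5 only, relies on the IKEv2 gateway certificate for server authentication`.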
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..dafe7f052
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,64 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+listen {
+ type = acct
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
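Review bot: `preacct` calls `suffix`, but `authorize` in this server does not, and the `proxy.conf` added by this commit for the same test is an empty file, so there appear to be no realms for it to match. If that reading is right the line is inert and can be dropped, or kept with a comment such as `# suffix kept from the stock site; no realms are defined for this test`. The `accounting` section also runs `unix`, `radutmp` and `exec`, although the posttest step only reads the `radacct` detail files. Trimming it to `detail` and `attr_filter.accounting_response` would keep the fixture to what the test checks, provided nothing outside this diff depends on the others.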
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-radius-accounting/posttest.dat b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
index 98f7a6954..66416eb28 100644
--- a/testing/tests/ikev2/rw-radius-accounting/posttest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
@@ -1,6 +1,6 @@
carol::ipsec stop
moon::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*
carol::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-radius-accounting/pretest.dat b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
index 7ec7c1226..d3c345200 100644
--- a/testing/tests/ikev2/rw-radius-accounting/pretest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
@@ -1,7 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
alice::rm /var/log/freeradius/radacct/PH_IP_MOON1/*
-alice::radiusd
+alice::freeradius
moon::ipsec start
carol::ipsec start
moon::expect-connection rw-eap
diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat
index 186ce4e06..c792f3a7e 100644
--- a/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat
index 186ce4e06..c792f3a7e 100644
--- a/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat
index 4cf23a31b..d2db56eb8 100644
--- a/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat
index 4cf23a31b..d2db56eb8 100644
--- a/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat
index 803cf5ef5..5fef8bbb1 100644
--- a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat
index 803cf5ef5..5fef8bbb1 100644
--- a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat
index 0e125b70e..c3bbe341f 100644
--- a/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat
index 0e125b70e..c3bbe341f 100644
--- a/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat
index f6dc9aa3e..5178076a3 100644
--- a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat
index f6dc9aa3e..5178076a3 100644
--- a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat
index 16982a736..52e4bf623 100644
--- a/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat
index 16982a736..52e4bf623 100644
--- a/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat
index 5ae9d2c12..7a6fc302e 100644
--- a/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat
@@ -4,6 +4,6 @@ moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
moon::ip xfrm state::mode transport::YES
sun:: ip xfrm state::mode transport::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat
index 0dfba54ea..6e6de5e96 100644
--- a/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat
@@ -5,6 +5,6 @@ sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES
moon::ip xfrm state::mode transport::YES
sun:: ip xfrm state::mode transport::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/host2host-ikev1/evaltest.dat b/testing/tests/ipv6/host2host-ikev1/evaltest.dat
index ef6ec2b98..b7b92d020 100644
--- a/testing/tests/ipv6/host2host-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/host2host-ikev1/evaltest.dat
@@ -1,4 +1,4 @@
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES
sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/host2host-ikev2/evaltest.dat b/testing/tests/ipv6/host2host-ikev2/evaltest.dat
index 23add7ae5..f3068ce8b 100644
--- a/testing/tests/ipv6/host2host-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/host2host-ikev2/evaltest.dat
@@ -1,4 +1,4 @@
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES
sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ikev1/evaltest.dat
index 877459c88..bbf6c2ea3 100644
--- a/testing/tests/ipv6/net2net-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ikev1/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ikev2/evaltest.dat
index a3e2bad94..97e0de01c 100644
--- a/testing/tests/ipv6/net2net-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ikev2/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
index 591e2da59..f85d6127f 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
index 2ee553a61..b776ea938 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
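Review bot: The third context line of this hunk carries two checks on one line: the `sun::swanctl --list-sas` pattern ends in `remote-ts=\[fec1:\:/16]` and runs straight into `sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES`, with no `::YES` and no line break between them. The hunk header counts four old lines, so this is how the file reads rather than a display artefact, and the ikev1 sibling of this test has the two checks on separate lines. As written, the sun-side SA check and the moon-to-sun ESP check are probably not evaluated as intended. Since the commit touches this file anyway, I would split the line into `...remote-ts=\[fec1:\:/16]::YES` and `sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES`.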
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
index 72dade743..21569bdaa 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
@@ -1,6 +1,6 @@
moon:: cat /var/log/daemon.log::TS fec2:\:/16 is contained in address block constraint fec2:\:/16::YES
sun:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/rw-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ikev1/evaltest.dat
index 1202a99d2..a199765a0 100644
--- a/testing/tests/ipv6/rw-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/rw-ikev1/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
diff --git a/testing/tests/ipv6/rw-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ikev2/evaltest.dat
index d5d5a6b1c..aa450e296 100644
--- a/testing/tests/ipv6/rw-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-ikev2/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
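Review bot: The dave line of this hunk matches the child SA with `mode=TUNNEL.*ESP..*encr-alg`, while the carol and moon lines use `mode=TUNNEL.*ESP.*encr-alg`. The extra dot only demands one more character after `ESP`, so it is harmless, but it reads like a typo. Since the ping6 lines next to it are being edited anyway, I would normalise it to `ESP.*encr-alg`. The same `ESP..*` appears in the dave lines of the rw-psk-ikev1, rw-psk-ikev2 and rw-rfc3779-ikev2 hunks.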
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat
index 026235171..394521b25 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16]::YES
dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES
moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat
index dd120f524..f4c8851c0 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16]::YES
dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES
moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES
diff --git a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat
index e92aa028d..5009bf41f 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat
@@ -1,6 +1,6 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
diff --git a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat
index ce79801ec..b748003e8 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=4500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
index 082416d60..9016ba473 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
@@ -2,8 +2,8 @@ moon:: cat /var/log/daemon.log::TS fec0:\:10/128 is contained in address block c
moon:: cat /var/log/daemon.log::TS fec0:\:20/128 is contained in address block constraint fec0:\:20/128::YES
carol::cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
dave:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
diff --git a/testing/tests/ipv6/transport-ikev1/evaltest.dat b/testing/tests/ipv6/transport-ikev1/evaltest.dat
index 736425d36..659ca42ab 100644
--- a/testing/tests/ipv6/transport-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/transport-ikev1/evaltest.dat
@@ -1,6 +1,6 @@
moon::ip xfrm state::mode transport::YES
sun:: ip xfrm state::mode transport::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES
sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/transport-ikev2/evaltest.dat b/testing/tests/ipv6/transport-ikev2/evaltest.dat
index 48ddcd069..a754598f9 100644
--- a/testing/tests/ipv6/transport-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/transport-ikev2/evaltest.dat
@@ -1,6 +1,6 @@
moon::ip xfrm state::mode transport::YES
sun:: ip xfrm state::mode transport::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES
sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat b/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat
index e9a30b9ac..cdb8ead3c 100644
--- a/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat
+++ b/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef ip6-bob.strongswan.org::8192 bytes from ip6-bob.strongswan.org: icmp_seq=3::YES
+alice::ping6 -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef ip6-bob.strongswan.org::8192 bytes from ip6-bob.strongswan.org.*: icmp_seq=3::YES
moon ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec1::/16\[ipv6-icmp]] remote-ts=\[fec2::/16\[ipv6-icmp]]::YES
sun ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec2::/16\[ipv6-icmp]] remote-ts=\[fec1::/16\[ipv6-icmp]]::YES
sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
diff --git a/testing/tests/openssl-ikev1/alg-camellia/description.txt b/testing/tests/openssl-ikev1/alg-camellia/description.txt
index b3515c333..4b8eeb87e 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/description.txt
+++ b/testing/tests/openssl-ikev1/alg-camellia/description.txt
@@ -1,4 +1,3 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 /
-HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as
-the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b>
-in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite
+<b>camellia256-sha512-modp3072</b> as well as the ESP cipher suite <b>camellia192-sha384</b>.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
index 937860593..68edc54b7 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
@@ -1,10 +1,6 @@
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
-carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
moon:: ip xfrm state::enc cbc(camellia)::YES
carol::ip xfrm state::enc cbc(camellia)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 4628311d4..000000000
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=camellia256-sha512-modp3072!
- esp=camellia192-sha384!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
index 976544b24..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bdde28391
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = camellia192-sha384
+ }
+ }
+ version = 1
+ proposals = camellia256-sha512-modp3072
+ }
+}
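Review bot: This swanctl.conf is added with `new file mode 100755`, so a plain configuration file carries the executable bit. Nothing in the hunk suggests it is meant to be run, so `100644` would be the expected mode. Whether the test framework keeps the mode when it copies the file to the host is not visible here. The moon swanctl.conf of this test and the carol swanctl.conf of alg-ecp-high are created with the same mode.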
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index da1fbf06b..000000000
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=camellia256-sha512-modp3072!
- esp=camellia192-sha384!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
index 976544b24..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..116e06c26
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = camellia192-sha384
+ }
+ }
+ version = 1
+ proposals = camellia256-sha512-modp3072
+ }
+}
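Review bot: The `remote` section of connection `rw` sets only `auth = pubkey`, so the gateway puts no constraint on the peer identity. That matches the `right=%any` of the deleted ipsec.conf, but the new file does not say it is intentional. I would add a comment above the section, `# no id/cacerts constraint: any peer with a certificate from a trusted CA is accepted (roadwarrior test setup)`. Which CA certificates the daemon trusts is not visible in this hunk, so the comment is worded generically.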
diff --git a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
index 046d4cfdc..2b00bea8e 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
index e34f70277..ae2c30429 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
@@ -1,7 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection net
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/alg-camellia/test.conf b/testing/tests/openssl-ikev1/alg-camellia/test.conf
index 4a5fc470f..307c7e9cc 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
index a1f31495d..773e43a35 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
@@ -1,17 +1,17 @@
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
plugin for the Elliptic Curve Diffie-Hellman groups only.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
<b>carol</b> proposes the DH groups ECP_256 and ECP_384 whereas <b>dave</b> proposes
ECP_256 and ECP_521. Since <b>moon</b> does not support ECP_256 the roadwarriors
fall back to ECP_384 and ECP_521, respectively.
<p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
index 553c79451..2cc3382df 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
@@ -1,15 +1,9 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
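Review bot: The four new `swanctl --list-sas` expectations pin `dh-group=ECP_384` / `dh-group=ECP_521` only on the IKE SA, while the child-SA part stops at `encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=` (or `256`). Carol's new swanctl.conf proposes ESP with `aes128gcm16-ecp256,aes192gcm16-ecp384`, so the PFS group is part of what this test negotiates. The key size identifies the chosen proposal only indirectly. The ipv6 IKEv1 expectations in this same commit show a `dh-group=` key on the child SA, so presumably the raw output carries it here too. If so, I would tighten the child part to `encr-alg=AES_GCM_16 encr-keysize=192 dh-group=ECP_384.*local-ts=`, with `ECP_521` in the dave lines.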
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 2ed83f06a..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-ecp256,aes192-sha384-ecp384!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..3ed559068
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256,aes192gcm16-ecp384
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-ecp256,aes192-sha384-ecp384
+ }
+}
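Review bot: The executable bit on this new file is unneeded. The `new file mode 100755` line above the hunk marks a plain configuration file that nothing visible here executes, so it should be added as `100644`. Every other swanctl.conf added in the alg-ecp-high, alg-ecp-low and ecdsa-certs sections shown here carries the same mode, including the ecdsa-certs carol file that holds a key passphrase. Setups copied from these tests inherit whatever permissions the fixtures have, so the mode is worth correcting once for all of them.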
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 105ec3ce4..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-ecp256,aes256-sha512-ecp521!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
index fde691e96..5b59e8d55 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b5a2be9e8
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256,aes256gcm16-ecp521
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-ecp256,aes256-sha512-ecp521
+ }
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 0a312b394..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes192-sha384-ecp384,aes256-sha512-ecp521!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7c5b3080d
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes192gcm16-ecp384,aes256gcm16-ecp521
+ }
+ }
+ version = 1
+ proposals = aes192-sha384-ecp384,aes256-sha512-ecp521
+ }
+}
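Review bot: The `remote` section of `rw` sets only `auth = pubkey`, with no `id` or `cacerts` restriction, and nothing in the file says this is deliberate. As far as this hunk shows, the gateway accepts any peer whose certificate chains to a CA it trusts. That matches the removed `right=%any`, but the removed ipsec.conf carried no explanation either. I would add a comment above `remote {` such as `# roadwarrior test: any peer with a certificate from a trusted CA is accepted; restrict with id/cacerts outside the testbed`. The moon swanctl.conf added for alg-ecp-low has the same section and would take the same comment.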
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
@@ -1,11 +1,11 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
index 84b6eb4bf..c365455d0 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
@@ -1,17 +1,17 @@
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes des sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
plugin for the Elliptic Curve Diffie-Hellman groups only.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
<b>carol</b> proposes the DH groups ECP_192 and ECP_224 whereas <b>dave</b> proposes
ECP_192 and ECP_256. Since <b>moon</b> does not support ECP_192 the roadwarriors
fall back to ECP_224 and ECP_256, respectively.
<p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
index 327d63bf8..183f5e97f 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
@@ -1,17 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 6fe17a9ee..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes192-sha384-ecp192,3des-sha256-ecp224!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..013e6b1bc
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha1-ecp192,3des-sha256-ecp224
+ }
+ }
+ version = 1
+ proposals = 3des-sha1-ecp192,3des-sha256-ecp224
+ }
+}
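Review bot: The first IKE proposal here is `3des-sha1-ecp192`, whereas the removed ipsec.conf offered `aes192-sha384-ecp192`, so the conversion quietly swaps the cipher and hash of the to-be-rejected proposal for 3DES and SHA-1. According to description.txt the test only needs moon to refuse ECP_192, which does not depend on the weaker algorithms. Keeping `proposals = aes192-sha384-ecp192,3des-sha256-ecp224` would preserve the original behaviour and avoid a SHA-1 example in a config people copy. `esp_proposals` also gains `3des-sha1-ecp192` where the old file had no `esp=` line at all. If the change is intentional, a one-line comment giving the reason would help. dave's swanctl.conf for this test makes the same substitution in both `proposals` and `esp_proposals`.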
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index ade897727..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes192-sha384-ecp192,aes128-sha256-ecp256!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
index fde691e96..6c9cf718d 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..4f5c016c2
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha1-ecp192,aes128gcm16-ecp256
+ }
+ }
+ version = 1
+ proposals = 3des-sha1-ecp192,aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 3992b52fb..000000000
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=3des-sha256-ecp224,aes128-sha256-ecp256!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..417ad0508
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha256-ecp224,aes128gcm16-ecp256
+ }
+ }
+ version = 1
+ proposals = 3des-sha256-ecp224,aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
@@ -1,11 +1,11 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/description.txt b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt
index 4f855eb1a..3bbcdfa32 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/description.txt
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt
@@ -1,11 +1,12 @@
The hosts <b>carol</b>, <b>dave</b>, and <b>moon</b> use the <b>openssl</b> plugin
based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate functions.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>ECDSA signatures</b>
using <b>Elliptic Curve certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+</p>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
index 9a8516dad..2127b2bf4 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
@@ -1,11 +1,3 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
moon:: cat /var/log/daemon.log::looking for ECDSA-256 signature peer configs matching.*carol@strongswan.org::YES
moon:: cat /var/log/daemon.log::looking for ECDSA-384 signature peer configs matching.*dave@strongswan.org::YES
moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_NULL successful::YES
@@ -14,6 +6,10 @@ carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECD
dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_NULL successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 1527867c7..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem
index c277ba4f6..c277ba4f6 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..abf46a755
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+secrets {
+
+ ecdsa-carol {
+ file = carolKey.pem
+ secret = "nH5ZQEWtku0RJEZ6"
+ }
+}
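Review bot: The `secrets` section places the passphrase for carolKey.pem in the same file as the connection definitions, with nothing marking it as a fixture value. The passphrase was already public in the removed ipsec.secrets, so nothing new is disclosed. The layout still teaches readers to keep a key passphrase in a general-purpose config file, which this commit adds as mode 100755. I would add a comment above `ecdsa-carol {` such as `# test-only passphrase for the encrypted fixture key; keep real secrets in a root-only file`. The file mode should also be non-executable.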
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem
index 646f6e8e3..646f6e8e3 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index ed9410c04..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem
index 40a76935e..40a76935e 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..3981ac2ea
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm16-ecp384
+ }
+ }
+ version = 1
+ proposals = aes256-sha384-ecp384
+ }
+}
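Review bot: The file header creates this swanctl.conf with mode 100755, although nothing in it is executable; a file in this format can also carry a `secrets` section, so a world-readable, executable mode is a poor template to copy from, and `100644` (or tighter where secrets are present) would fit better. The same mode appears on the new moon swanctl.conf in this test and on the carol and moon swanctl.conf files added under alg-camellia. Separately, the removed `ipsec.secrets` line `: ECDSA daveKey.pem` has no counterpart here, so the private key is presumably picked up from `/etc/swanctl/ecdsa/` by directory convention. A short comment such as `# private key is loaded from /etc/swanctl/ecdsa/daveKey.pem` would make that visible to readers of the test.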
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem
index 35b3df49a..35b3df49a 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 359029d02..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
index 24f07b5d7..24f07b5d7 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1ddf9621e
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm16-aes128gcm16-ecp384-ecp256
+ }
+ }
+ version = 1
+ proposals = aes256-aes128-sha384-sha256-ecp384-ecp256
+ }
+}
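Review bot: The `remote { auth = pubkey }` section of `rw` sets neither `id` nor `cacerts`, so moon accepts any peer whose certificate validates against whatever CA certificates are loaded, presumably everything in `/etc/swanctl/x509ca`. That mirrors the removed `right=%any` road-warrior setup, but it deserves to be explicit in a file people copy from. Either pin the issuer with `cacerts = strongswanCert.pem` in the remote section, or add a comment such as `# road-warrior test: any peer with a certificate from a trusted CA is accepted`. The moon swanctl.conf added under alg-camellia has the same open remote section.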
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem
index a4962286e..a4962286e 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
index 1865a1c60..3d10c0f1f 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
@@ -1,6 +1,11 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+carol::rm /etc/swanctl/ecdsa/carolKey.pem
+dave::rm /etc/swanctl/ecdsa/daveKey.pem
+moon::rm /etc/swanctl/ecdsa/moonKey.pem
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
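Review bot: The three `rm /etc/swanctl/ecdsa/*Key.pem` lines here, and the matching `rm /etc/swanctl/rsa/*Key.pem` lines added to pretest.dat, are the only thing that keeps private keys of the wrong type out of the credential directories, and nothing visible on the page explains that. A sentence in the test's description.txt stating that the RSA keys are removed before the run and the ECDSA keys afterwards, and why, would stop someone from deleting these lines as noise. The pretest deletion also assumes the harness restores `/etc/swanctl/rsa` before the next test; that is presumably the case but is worth confirming, since otherwise later RSA-based tests would start without keys.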
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
index e87a8ee47..c86fdede5 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
@@ -1,11 +1,14 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/carolKey.pem
+dave::rm /etc/swanctl/rsa/daveKey.pem
+moon::rm /etc/swanctl/rsa/moonKey.pem
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
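Review bot: Both `swanctl --initiate --child home 2> /dev/null` lines discard stderr, so when certificate authentication or proposal negotiation fails, the reason never reaches the console log of the step that caused it and only the later evaltest mismatch shows up. Unless the harness collects the daemon log separately, dropping the redirect (`carol::swanctl --initiate --child home`) keeps the failure reason next to the command. The alg-camellia pretest.dat in this commit adds the same redirect.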
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt b/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt
deleted file mode 100644
index cfa7a11b9..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
-functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp hmac gcm</b> and <b>x509</b>.
-<p/>
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
-<b>AES_GCM_16_256</b> both for IKE and ESP by defining <b>ike=aes256gcm16-prfsha512-modp2048</b>
-(or alternatively <b>aes256gcm128</b>) and <b>esp=aes256gcm16-modp2048</b> in ipsec.conf,
-respectively.
-<p/>
-Roadwarrior <b>dave</b> proposes to gateway <b>moon</b> the cipher suite
-<b>AES_GCM_16_128</b> both for IKE and ESP by defining <b>ike=aes128gcm16-prfsha256-modp1536</b>
-(or alternatively <b>aes128gcm128</b>) and <b>esp=aes128gcm16-modp1536</b> in ipsec.conf,
-respectively.
-<p/>
-A ping by <b>carol</b> and <b>dave</b> to <b>alice</b> successfully checks the established tunnels.
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat
deleted file mode 100644
index 44bd75895..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat
+++ /dev/null
@@ -1,26 +0,0 @@
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw\[1].*IKE proposal: AES_GCM_16_256::YES
-moon:: ipsec statusall 2> /dev/null::rw\[2].*IKE proposal: AES_GCM_16_128::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
-dave:: ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_128::YES
-moon:: ipsec statusall 2> /dev/null::rw[{]1}.*AES_GCM_16_256,::YES
-moon:: ipsec statusall 2> /dev/null::rw[{]2}.*AES_GCM_16_128,::YES
-carol::ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES
-dave:: ipsec statusall 2> /dev/null::AES_GCM_16_128,::YES
-moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
-carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
-dave:: ip xfrm state::aead rfc4106(gcm(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
-
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index c0016ff61..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256gcm128-prfsha512-modp2048!
- esp=aes256gcm128-modp2048!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 4a7e09c6a..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 random nonce revocation openssl curl stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 335eda02c..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128gcm128-prfsha256-modp1536!
- esp=aes128gcm128-modp1536!
-
-conn home
- left=PH_IP_DAVE
- leftfirewall=yes
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 99069ae82..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac gcm stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 566298bed..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256gcm16-prfsha512-modp2048,aes128gcm16-prfsha256-modp1536!
- esp=aes256gcm16-modp2048,aes128gcm16-modp1536!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4a7e09c6a..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 random nonce revocation openssl curl stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
deleted file mode 100644
index e87a8ee47..000000000
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/description.txt b/testing/tests/openssl-ikev2/alg-blowfish/description.txt
deleted file mode 100644
index d30d9d2da..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> as well as the gateway <b>moon</b>
-use the <b>openssl</b> plugin based on the <b>OpenSSL</b> library for all
-cryptographical functions, thus making the <b>Blowfish</b> available as an IKEv2 cipher.
-<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
-to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP
-encryption. Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
-the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
deleted file mode 100644
index a4f1f2998..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
-dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES
-dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES
-carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
-dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 192::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 192::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
-
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index adee238e6..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=blowfish256-sha512-modp2048!
- esp=blowfish192-sha384!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 4a5e52dbd..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index e22322431..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=blowfish128-sha256-modp1536!
- esp=blowfish128-sha256!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 4a5e52dbd..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 43bbb36a9..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536!
- esp=blowfish192-sha384,blowfish128-sha256!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4a5e52dbd..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
deleted file mode 100644
index e87a8ee47..000000000
--- a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-camellia/description.txt b/testing/tests/openssl-ikev2/alg-camellia/description.txt
index b3515c333..4b8eeb87e 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/description.txt
+++ b/testing/tests/openssl-ikev2/alg-camellia/description.txt
@@ -1,4 +1,3 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 /
-HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as
-the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b>
-in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite
+<b>camellia256-sha512-modp3072</b> as well as the ESP cipher suite <b>camellia192-sha384</b>.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
index 937860593..8a2e36baa 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
@@ -1,10 +1,6 @@
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
-carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
moon:: ip xfrm state::enc cbc(camellia)::YES
carol::ip xfrm state::enc cbc(camellia)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
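Review bot: In the two new `swanctl --list-sas --raw` patterns the dots in addresses and identities are unescaped, so `local-host=192.168.0.100` also matches output where any other character stands in place of a dot; writing `192\.168\.0\.100` and `moon\.strongswan\.org` makes the check say what it means. Each pattern also folds IKE SA state, identities, negotiated algorithms and traffic selectors into one expression, so a failing run does not show which attribute was wrong, whereas the removed lines checked the IKE proposal and the ESP proposal separately. Splitting each host's check into one pattern for the IKE SA and one for the child SA would keep that diagnostic value.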
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index f0bbfc10f..000000000
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=camellia256-sha512-modp3072!
- esp=camellia192-sha384!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
index 976544b24..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ebdb473fb
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = camellia192-sha384
+ }
+ }
+ version = 2
+ proposals = camellia256-sha512-modp3072
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 8481f8974..000000000
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=camellia256-sha512-modp3072!
- esp=camellia192-sha384!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
index 976544b24..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..90c566bb6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = camellia192-sha384
+ }
+ }
+ version = 2
+ proposals = camellia256-sha512-modp3072
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
index 046d4cfdc..2b00bea8e 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
index e34f70277..ae2c30429 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
@@ -1,7 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection net
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-camellia/test.conf b/testing/tests/openssl-ikev2/alg-camellia/test.conf
index 4a5fc470f..307c7e9cc 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt
index d0ae5a823..e37d5489c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt
@@ -1,17 +1,17 @@
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
plugin for the Elliptic Curve Diffie-Hellman groups only.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
<b>carol</b> proposes the <b>Brainpool</b> DH groups ECP_256_BP and ECP_384_BP whereas
<b>dave</b> proposes ECP_256_BP and ECP_512_B P. Since <b>moon</b> does not support
ECP_256_BP the roadwarriors fall back to ECP_384_BP and ECP_512_BP, respectively.
<p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat
index ebc7752f2..746d90280 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat
@@ -1,19 +1,12 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
carol::cat /var/log/daemon.log::ECP_256_BP.*ECP_384_BP::YES
dave:: cat /var/log/daemon.log::ECP_256_BP.*ECP_512_BP::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384_BP::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_512_BP::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_512_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384_BP.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_512_BP.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index bfca8965f..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256bp,aes192-sha384-ecp384bp!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..893130d66
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256bp,aes192gcm16-ecp384bp
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256bp,aes192-sha384-ecp384bp
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 2b16165dc..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256bp,aes256-sha512-ecp512bp!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf
index fde691e96..5b59e8d55 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e522d15d7
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256bp,aes256gcm16-ecp512bp
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256bp,aes256-sha512-ecp512bp
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 8c02c9fea..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ecp384bp,aes256-sha512-ecp512bp!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..93fc75e14
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes192gcm16-ecp384bp,aes256gcm16-ecp512bp
+ }
+ }
+ version = 2
+ proposals = aes192-sha384-ecp384bp,aes256-sha512-ecp512bp
+ }
+}
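Review bot: The `remote` section holds only `auth = pubkey`, with no `id`, `cacerts` or `groups` constraint, so the gateway accepts any peer whose certificate chains to a CA that moon trusts. That matches the removed `right=%any` and is presumably intended for a roadwarrior test, but nothing in the file says so. I would add a comment above the section, e.g. `# accepts any peer holding a certificate from a trusted CA (test setup); restrict with id/cacerts in deployments`. The moon configurations for alg-camellia and alg-ecp-brainpool-low contain the same section.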
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
@@ -1,11 +1,11 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt
index 78eb0ffb3..35323dab6 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt
@@ -1,17 +1,16 @@
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes des sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
plugin for the Elliptic Curve Diffie-Hellman groups only.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
<b>carol</b> proposes the <b>Brainpool</b> DH groups ECP_384_BP and ECP_224_BP whereas
-<b>dave</b> proposes ECP_192_BP and ECP_256_BP. Since <b>moon</b> does not support
+<b>dave</b> proposes ECP_384_BP and ECP_256_BP. Since <b>moon</b> does not support
ECP_384_BP the roadwarriors fall back to ECP_224_BP and ECP_256_BP, respectively.
<p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat
index ff9fb202c..1c64d0f16 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat
@@ -1,19 +1,12 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
carol::cat /var/log/daemon.log::ECP_384_BP.*ECP_224_BP::YES
dave:: cat /var/log/daemon.log::ECP_384_BP.*ECP_256_BP::YES
-carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224_BP::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BP::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224_BP.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index be85b6c1e..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ecp384bp,3des-sha256-ecp224bp!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..deba223ce
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes192gcm16-ecp384bp,3des-sha256-ecp224bp
+ }
+ }
+ version = 2
+ proposals = aes192-sha384-ecp384bp,3des-sha256-ecp224bp
+ }
+}
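Review bot: `3des-sha256-ecp224bp` is listed in both `proposals` and `esp_proposals` with no comment marking it as a deliberately weak suite. 3DES is a 64-bit block cipher, and the suite is presumably kept only because this test covers the low-strength Brainpool groups. A one-line comment above `esp_proposals`, such as `# legacy 3des/ecp224bp on purpose: exercises the low-strength Brainpool fallback`, would keep the file from being reused as a template. moon's swanctl.conf in the same test lists the same suite and would take the same comment.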
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 1adedc048..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ecp384bp,aes128-sha256-ecp256bp!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf
index fde691e96..6c9cf718d 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ab8fcf6a3
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes192gcm16-ecp384bp,aes128gcm16-ecp256bp
+ }
+ }
+ version = 2
+ proposals = aes192-sha384-ecp384bp,aes128-sha256-ecp256bp
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index b4cd86c60..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=3des-sha256-ecp224bp,aes128-sha256-ecp256bp!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..c12a7d4c6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha256-ecp224bp,aes128gcm16-ecp256bp
+ }
+ }
+ version = 2
+ proposals = 3des-sha256-ecp224bp,aes128-sha256-ecp256bp
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
@@ -1,11 +1,11 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
index a1f31495d..773e43a35 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
@@ -1,17 +1,17 @@
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
plugin for the Elliptic Curve Diffie-Hellman groups only.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
<b>carol</b> proposes the DH groups ECP_256 and ECP_384 whereas <b>dave</b> proposes
ECP_256 and ECP_521. Since <b>moon</b> does not support ECP_256 the roadwarriors
fall back to ECP_384 and ECP_521, respectively.
<p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
index 4cee48d89..07ad135d8 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
@@ -1,17 +1,11 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
carol::cat /var/log/daemon.log::ECP_256.*ECP_384::YES
dave:: cat /var/log/daemon.log::ECP_256.*ECP_521::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
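Review bot: The two added moon checks select the IKE_SAs by number (`--ike-id 2` and `--ike-id 4`), which ties the test to carol connecting before dave and, presumably, to each rejected ECP_256 attempt using up one ID. Each pattern already contains `remote-id=carol@strongswan.org` or `remote-id=dave@strongswan.org`, so if the raw output puts every IKE_SA on its own line, the filter could be dropped and the check written as `moon:: swanctl --list-sas --raw 2> /dev/null::rw.*remote-id=carol@strongswan.org.*`. If the filter is needed, description.txt should say where IDs 2 and 4 come from. The same applies to the moon lines in alg-ecp-low/evaltest.dat.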
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 2fd776e25..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256,aes192-sha384-ecp384!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..46942c7e2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256,aes192gcm16-ecp384
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256,aes192-sha384-ecp384
+ }
+}
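Review bot: This swanctl.conf is added with `new file mode 100755`, but it is a plain configuration file, and the ipsec.conf files it replaces were `100644`. An executable bit on a configuration file serves no purpose and tends to get copied into packaged or deployed trees, so the file should be added as `100644`. The same mode appears on the swanctl.conf files added for dave and moon in this test and on the ones added under alg-ecp-low and critical-extension.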
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 8d8989ed7..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256,aes256-sha512-ecp521!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
index fde691e96..5b59e8d55 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..828c4d6c7
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256,aes256gcm16-ecp521
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256,aes256-sha512-ecp521
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index addcc6175..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ecp384,aes256-sha512-ecp521!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..18a98ad6e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes192gcm16-ecp384,aes256gcm16-ecp521
+ }
+ }
+ version = 2
+ proposals = aes192-sha384-ecp384,aes256-sha512-ecp521
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
@@ -1,11 +1,11 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
index 84b6eb4bf..c365455d0 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
@@ -1,17 +1,17 @@
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes des sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
plugin for the Elliptic Curve Diffie-Hellman groups only.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
<b>carol</b> proposes the DH groups ECP_192 and ECP_224 whereas <b>dave</b> proposes
ECP_192 and ECP_256. Since <b>moon</b> does not support ECP_192 the roadwarriors
fall back to ECP_224 and ECP_256, respectively.
<p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
index 818082ca8..88fe3a1e3 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
@@ -1,19 +1,12 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
carol::cat /var/log/daemon.log::ECP_192.*ECP_224::YES
dave:: cat /var/log/daemon.log::ECP_192.*ECP_256::YES
-carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index b754c29ba..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ecp192,3des-sha256-ecp224!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e21bcd3b5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha1-ecp192,3des-sha256-ecp224
+ }
+ }
+ version = 2
+ proposals = 3des-sha1-ecp192,3des-sha256-ecp224
+ }
+}
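Review bot: Nothing in this file says that `3des-sha1-ecp192` and `3des-sha256-ecp224`, offered here for both IKE and ESP, are chosen on purpose for a low-strength negotiation test. Because test configurations are often reused as templates, a comment above `esp_proposals` would help, for example `# deliberately weak proposals (3DES, SHA-1, ECP_192/224): negotiation test only, do not reuse`. The dave and moon swanctl.conf files of alg-ecp-low carry the same kind of proposals and would benefit from the same comment.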
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index b5e9215c5..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ecp192,aes128-sha256-ecp256!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
index fde691e96..6c9cf718d 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f38c4353b
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha1-ecp192,aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ proposals = 3des-sha1-ecp192,aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 2e4a15ec3..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=3des-sha256-ecp224,aes128-sha256-ecp256!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..5caa77eb9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha256-ecp224,aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ proposals = 3des-sha256-ecp224,aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
@@ -1,11 +1,11 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/critical-extension/description.txt b/testing/tests/openssl-ikev2/critical-extension/description.txt
index 8c0d37c88..4f472b83b 100644
--- a/testing/tests/openssl-ikev2/critical-extension/description.txt
+++ b/testing/tests/openssl-ikev2/critical-extension/description.txt
@@ -1,5 +1,5 @@
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
The authentication is based on <b>X.509 certificates</b> which contain a <b>critical</b> but
-unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical
+unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical
extensions by setting <b>libstrongswan.x509.enforce_critical = no</b> in strongswan.conf,
<b>sun</b> discards such certificates and aborts the connection setup.
diff --git a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
index cc904c8bc..e91ba2b82 100644
--- a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
@@ -1,6 +1,4 @@
moon::cat /var/log/daemon.log::sending end entity cert::YES
moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
sun:: cat /var/log/daemon.log::found unsupported critical X.509 extension::YES
-sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
-sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
index a72c82525..f2104c5f8 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 random nonce openssl revocation curl hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl revocation curl vici kernel-netlink socket-default updown
multiple_authentication = no
+}
+libstrongswan {
x509 {
enforce_critical = no
}
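Review bot: The `x509 { enforce_critical = no }` block now sits under `libstrongswan` instead of `charon`, so it is no longer limited to the daemon section, and nothing in the file explains why. Presumably the move is needed so that swanctl honours the option when it loads the certificate, but that should be stated. Since the option makes moon accept certificates with unknown critical extensions, a comment above it would help, for example `# test only: accept unsupported critical X.509 extensions (also read by swanctl)`, with the second half kept only if that is indeed the reason.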
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem
index 4d99866f7..4d99866f7 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0b0aa32a5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+ esp_proposals = aes128gcm128-ecp256
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der
index 7f78d5820..7f78d5820 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der
Binary files differ
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
index d67640548..77d858547 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 random nonce openssl curl revocation hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
multiple_authentication = no
}
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem
index d8fad9aad..d8fad9aad 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bb068bdbe
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm128-ecp256
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der
index c1efb6719..c1efb6719 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der
Binary files differ
diff --git a/testing/tests/openssl-ikev2/critical-extension/posttest.dat b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
index 837738fc6..83cd75a5d 100644
--- a/testing/tests/openssl-ikev2/critical-extension/posttest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
@@ -1,5 +1,4 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::rm /etc/swanctl/x509/moonCert.der
+sun::rm /etc/swanctl/x509/sunCert.der
diff --git a/testing/tests/openssl-ikev2/critical-extension/pretest.dat b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
index 08ca6b54c..cc8d9d74f 100644
--- a/testing/tests/openssl-ikev2/critical-extension/pretest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
@@ -1,7 +1,7 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
+moon::rm /etc/swanctl/x509/moonCert.pem
+sun::rm /etc/swanctl/x509/sunCert.pem
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/critical-extension/test.conf b/testing/tests/openssl-ikev2/critical-extension/test.conf
index b286ef6eb..d3016a886 100644
--- a/testing/tests/openssl-ikev2/critical-extension/test.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-
+
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
index 4f855eb1a..3bbcdfa32 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
@@ -1,11 +1,12 @@
The hosts <b>carol</b>, <b>dave</b>, and <b>moon</b> use the <b>openssl</b> plugin
based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate functions.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>ECDSA signatures</b>
using <b>Elliptic Curve certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+</p>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
index 18fdacfff..a018f735d 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
@@ -1,17 +1,13 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
-moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
-dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index c562e359c..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem
index c277ba4f6..c277ba4f6 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..06c23a791
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+secrets {
+
+ ecdsa-carol {
+ file = carolKey.pem
+ secret = "nH5ZQEWtku0RJEZ6"
+ }
+}
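Review bot: This swanctl.conf is added with mode 100755 although its `secrets` section carries the private-key passphrase. A configuration file needs no execute bit, and one that holds a secret is normally readable by root only (0600). The other new swanctl.conf files in this commit use the same mode, including the ecdsa-pkcs8 files for carol and dave, which also contain passphrases. Since test fixtures tend to be copied as templates, a comment above `secret` such as `# test-only passphrase for the bundled test key` would make its status explicit.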
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem
index 646f6e8e3..646f6e8e3 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 62a62a463..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
index d94b17950..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
- signature_authentication = no
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem
index 40a76935e..40a76935e 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f7eb029b0
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm16-ecp384
+ }
+ }
+ version = 2
+ proposals = aes256-sha384-ecp384
+ }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem
index 35b3df49a..35b3df49a 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index c5e5e61b0..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
index 24f07b5d7..24f07b5d7 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0d99a8189
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm16-aes128gcm16-ecp384-ecp256
+ }
+ }
+ version = 2
+ proposals = aes256-aes128-sha384-sha256-ecp384-ecp256
+ }
+}
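Review bot: The single IKE proposal `aes256-aes128-sha384-sha256-ecp384-ecp256` on `rw` lists several algorithms per transform type, so the gateway appears to accept any combination of them (for example AES-256 with SHA-256 and ECP-256), not only the two matched suites that carol and dave offer. If matched-strength suites are the intent, separate proposals say so: `proposals = aes256-sha384-ecp384,aes128-sha256-ecp256` and `esp_proposals = aes256gcm16-ecp384,aes128gcm16-ecp256`. The identical file is added for ecdsa-pkcs8/hosts/moon.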
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem
index a4962286e..a4962286e 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
index 1865a1c60..3d10c0f1f 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
@@ -1,6 +1,11 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+carol::rm /etc/swanctl/ecdsa/carolKey.pem
+dave::rm /etc/swanctl/ecdsa/daveKey.pem
+moon::rm /etc/swanctl/ecdsa/moonKey.pem
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
index e87a8ee47..c86fdede5 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
@@ -1,11 +1,14 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/carolKey.pem
+dave::rm /etc/swanctl/rsa/daveKey.pem
+moon::rm /etc/swanctl/rsa/moonKey.pem
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
index 46eaccd7a..a018f735d 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
@@ -1,13 +1,13 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index c562e359c..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
index a2b5acb79..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 pkcs8 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
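Review bot: The new `load` line drops `pkcs8`, which the old line had, while this test still ships carol's key under `swanctl/pkcs8/` with a `pkcs8-carol` passphrase entry. If decoding the encrypted PKCS#8 container depends on that plugin, the key will not load; if another plugin handles it, the test no longer exercises the PKCS#8 path its name promises. Unless the omission is deliberate, keep the plugin: `load = random nonce pem pkcs1 pkcs8 openssl curl revocation vici kernel-netlink socket-default updown`. The dave and moon strongswan.conf hunks of ecdsa-pkcs8 make the same change.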
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem
index d043dfd6d..d043dfd6d 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..048f3bbf9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+secrets {
+
+ pkcs8-carol {
+ file = carolKey.pem
+ secret = "nH5ZQEWtku0RJEZ6"
+ }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509/carolCert.pem
index 646f6e8e3..646f6e8e3 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509/carolCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 62a62a463..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 56f6e6365..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem "OJlNZBx+80dLh4wC6fw5LmBd"
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
index a2b5acb79..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 pkcs8 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem
index c32137ef9..c32137ef9 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..8557928c2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm16-ecp384
+ }
+ }
+ version = 2
+ proposals = aes256-sha384-ecp384
+ }
+}
+
+
+secrets {
+
+ pkcs8-dave {
+ file = daveKey.pem
+ secret = "OJlNZBx+80dLh4wC6fw5LmBd"
+ }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509/daveCert.pem
index 35b3df49a..35b3df49a 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509/daveCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index c5e5e61b0..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
index a2b5acb79..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 pkcs8 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
index 24f07b5d7..24f07b5d7 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0d99a8189
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm16-aes128gcm16-ecp384-ecp256
+ }
+ }
+ version = 2
+ proposals = aes256-aes128-sha384-sha256-ecp384-ecp256
+ }
+}
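Review bot: The file header adds this swanctl.conf with `new file mode 100755`, yet the hunk holds only a `connections` block that swanctl parses, so nothing here needs an execute bit. I would commit it as `new file mode 100644`. The same header appears on the other swanctl.conf files added further down: net2net-pkcs12 for moon and sun, and rw-cert for carol. The two net2net-pkcs12 files also carry the PKCS#12 passphrase in their `secrets` section, so if the harness copies fixtures with their mode preserved, that is where a loose permission set matters most.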
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509/moonCert.pem
index a4962286e..a4962286e 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509/moonCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
index a1a86a222..a1a86a222 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
index 1865a1c60..ff2860e45 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
@@ -1,6 +1,11 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+carol::rm /etc/swanctl/pkcs8/carolKey.pem
+dave::rm /etc/swanctl/pkcs8/daveKey.pem
+moon::rm /etc/swanctl/ecdsa/moonKey.pem
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
index e87a8ee47..c86fdede5 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
@@ -1,11 +1,14 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/carolKey.pem
+dave::rm /etc/swanctl/rsa/daveKey.pem
+moon::rm /etc/swanctl/rsa/moonKey.pem
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat
deleted file mode 100644
index 468c5f7ee..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed.*sun <sun.strongswan.org>::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun <sun.strongswan.org>.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index fcb9d839f..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-modp3072!
- esp=aes128gcm16!
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.asc
- leftid=@#71270432cd763a18020ac988c0e75aed
- leftfirewall=yes
- right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
- rightcert=sunCert.asc
- auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
deleted file mode 100644
index 135cfaec0..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID Date User ID
-pub 1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
-vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
-f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
-t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
-=oaBj
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
deleted file mode 100644
index 32f204b10..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID Date User ID
-pub 1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
-A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
-0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
-lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
-=lLvB
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
deleted file mode 100644
index 6524773e0..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
+++ /dev/null
@@ -1,19 +0,0 @@
-Type Bits/KeyID Date User ID
-sec 1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP SECRET KEY BLOCK-----
-Version: 2.6.3i
-
-lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd
-JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9
-FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6
-7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3
-0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN
-8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7
-QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v
-biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4=
-=YFQm
------END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index afb1ff927..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.asc
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index aea93d234..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown
-}
-
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 91d6ef5d8..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-modp3072!
- esp=aes128gcm16!
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftsubnet=10.2.0.0/16
- leftcert=sunCert.asc
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightcert=moonCert.asc
- rightid=@#71270432cd763a18020ac988c0e75aed
- auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
deleted file mode 100644
index 135cfaec0..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID Date User ID
-pub 1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
-vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
-f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
-t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
-=oaBj
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
deleted file mode 100644
index 32f204b10..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID Date User ID
-pub 1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
-A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
-0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
-lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
-=lLvB
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
deleted file mode 100644
index de2393649..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
+++ /dev/null
@@ -1,19 +0,0 @@
-Type Bits/KeyID Date User ID
-sec 1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP SECRET KEY BLOCK-----
-Version: 2.6.3i
-
-lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI
-Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1
-GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg
-vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2
-LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn
-2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs
-xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu
-IDxzdW4uc3Ryb25nc3dhbi5vcmc+
-=DwEu
------END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index ee98b1611..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA sunKey.asc
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index aea93d234..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown
-}
-
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat
deleted file mode 100644
index 9a9513dc3..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-sun::rm /etc/ipsec.d/certs/*
-sun::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
deleted file mode 100644
index 969c42337..000000000
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt b/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt
index e66ea1918..1d40e30f0 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt
@@ -2,7 +2,7 @@ A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
The authentication is based on <b>X.509 certificates</b> and an RSA private key stored in
<b>PKCS12</b> format.
<p/>
-Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
index fe4aa5ab1..bfc7e76f1 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
@@ -1,7 +1,5 @@
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 195710a7f..000000000
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-modp3072!
- esp=aes128gcm16!
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 802cfc681..000000000
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: P12 moonCert.p12 "kUqd8O7mzbjXNJKQ"
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
index 2448837f3..a8ed13448 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem nonce revocation openssl curl stroke kernel-netlink socket-default updown
+ load = pem nonce revocation openssl curl vici kernel-netlink socket-default updown
multiple_authentication = no
}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12
new file mode 100644
index 000000000..365da741f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12
Binary files differ
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b11cf0f3e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ pkcs12-moon {
+ file = moonCert.p12
+ secret = "kUqd8O7mzbjXNJKQ"
+ }
+}
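Review bot: `esp_proposals = aes128gcm128-modp3072` gives the ICV length in bits, while everything around it uses the byte form. The removed ipsec.conf had `esp=aes128gcm16!`, the ecdsa-pkcs8 files in this commit use `aes256gcm16`, and the evaltest.dat expectation for this test is `encr-alg=AES_GCM_16 encr-keysize=128`. Writing `esp_proposals = aes128gcm16-modp3072` keeps a reader from taking it for a different transform when comparing the config with the expected SA output. The same line is in the sun swanctl.conf added for this test.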
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 292fbeeb6..000000000
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-modp3072!
- esp=aes128gcm16!
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index 3dc85528c..000000000
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: P12 sunCert.p12 "IxjQVCF3JGI+MoPi"
-
-
-
-
-
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
index 2448837f3..a8ed13448 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem nonce revocation openssl curl stroke kernel-netlink socket-default updown
+ load = pem nonce revocation openssl curl vici kernel-netlink socket-default updown
multiple_authentication = no
}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12
new file mode 100644
index 000000000..e2cd2f21d
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12
Binary files differ
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..28c0e87a4
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ pkcs12-sun {
+ file = sunCert.p12
+ secret = "IxjQVCF3JGI+MoPi"
+ }
+}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat
index 0fbba487c..9802f442d 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/private/moonCert.p12
-sun::rm /etc/ipsec.d/private/sunCert.p12
+moon::rm /etc/swanctl/pkcs12/moonCert.p12
+sun::rm /etc/swanctl/pkcs12/sunCert.p12
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
index 47e6d8604..22ffcf949 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
@@ -1,11 +1,9 @@
-moon::rm /etc/ipsec.d/private/moonKey.pem
-moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-sun::rm /etc/ipsec.d/private/sunKey.pem
-sun::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem
+sun::cd /etc/swanctl; rm rsa/sunKey.pem x509/sunCert.pem x509ca/strongswanCert.pem
moon::iptables-restore < /etc/iptables.rules
sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
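Review bot: The two added cleanup lines chain `cd /etc/swanctl; rm rsa/moonKey.pem ...` with `;`, so if the `cd` fails the `rm` still runs with the same relative paths from whatever directory the command started in. Chaining with `&&` (or using absolute paths) closes that gap: `moon::cd /etc/swanctl && rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem`, and likewise on the sun line. Presumably the default key, end-entity certificate and CA certificate are removed so that the PKCS#12 container is the only credential source. Since that step is what makes the test meaningful, it deserves a sentence in description.txt.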
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf
index 646b8b3e6..87abc763b 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-
+
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/rw-cert/description.txt b/testing/tests/openssl-ikev2/rw-cert/description.txt
index b16faad06..ca738a1d4 100644
--- a/testing/tests/openssl-ikev2/rw-cert/description.txt
+++ b/testing/tests/openssl-ikev2/rw-cert/description.txt
@@ -1,11 +1,12 @@
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp</b> and <b>x509</b>.
-<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+plugins <b>aes des sha1 sha2 hmac gmp</b> and <b>x509</b>.
+<p/>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
index be78c5125..572a138a6 100644
--- a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
@@ -1,15 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 213cd70fa..000000000
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=3des-sha1-modp1536!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 8197ea8b1..996be95f5 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
+ load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm vici kernel-netlink socket-default updown
integrity_test = yes
crypto_test {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e8504addb
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha1-modp2048
+ }
+ }
+ version = 2
+ proposals = 3des-sha1-modp2048
+ }
+}
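Review bot: The `3des-sha1-modp2048` value set for both `proposals` and `esp_proposals` has no comment marking it as deliberate legacy-cipher coverage, so the file reads like a reusable template. 3DES and SHA-1 are deprecated for IKE and ESP. The evaluation line for carol's SA on moon does expect `encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96`, so the choice looks intentional, though that is inferred from the test expectations rather than stated in this file. I would add a line above `proposals` such as `# legacy 3DES/SHA-1 on purpose (algorithm coverage test) - do not copy into real configs`. The same comment fits the `3des-sha1-modp2048` fallback in moon's swanctl.conf added by this commit.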
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 653316fde..000000000
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256-sha256-modp2048!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 058abcad7..f2b8046e0 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+ load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm vici kernel-netlink socket-default updown
integrity_test = yes
crypto_test {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..27c6f12ba
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
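Review bot: This configuration file is created with mode 100755 (the `new file mode` line of this section), although nothing in it is executable. A swanctl.conf only has to be readable when the configuration is loaded, so the header should read `new file mode 100644`. A stray executable bit on a config file is easy to carry into packaged or copied setups and tends to be flagged by permission audits. The carol and moon swanctl.conf files added in this commit carry the same mode.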
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 16299b339..000000000
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256-sha256-modp2048,3des-sha1-modp1536!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 8197ea8b1..996be95f5 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
+ load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm vici kernel-netlink socket-default updown
integrity_test = yes
crypto_test {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..aa8d6167a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072,3des-sha1-modp2048
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072,3des-sha1-modp2048
+ }
+}
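Review bot: The `remote` section contains only `auth = pubkey`, with no `id` or `cacerts` constraint, so the gateway accepts any peer that presents a certificate chaining to a CA it trusts. That matches the old `right=%any` roadwarrior behaviour and is presumably intended for this test, but the file does not say so. I would document it inside the block, for example `# no id/cacerts restriction: any peer with a certificate from a trusted CA may connect (roadwarrior test)`. Anyone adapting this file for a real gateway would then know to narrow it, for instance with `cacerts`.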
diff --git a/testing/tests/openssl-ikev2/rw-cert/posttest.dat b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
index 1865a1c60..b909ac76c 100644
--- a/testing/tests/openssl-ikev2/rw-cert/posttest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-cert/pretest.dat b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
index 974c22530..61fc17ba2 100644
--- a/testing/tests/openssl-ikev2/rw-cert/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
@@ -1,12 +1,11 @@
-moon::iptables-restore < /etc/iptables.rules
+mmoon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-# moon runs crypto tests, so make sure it is ready
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
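Review bot: The first added line is addressed to `mmoon`, which is not a host used anywhere else in this scenario (`moon`, `carol`, `dave`); it should read `moon::iptables-restore < /etc/iptables.rules`. As written, moon's firewall rules are presumably never loaded. The run then either fails on the unknown host or continues with moon's filter table in whatever state the previous test left it, which weakens what the firewall/updown part of the test proves. The hunk also drops the comment `# moon runs crypto tests, so make sure it is ready` while keeping `moon::expect-connection rw`. Keeping that comment directly above the expect-connection line would preserve the reason for the ordering.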
diff --git a/testing/tests/openssl-ikev2/rw-cert/test.conf b/testing/tests/openssl-ikev2/rw-cert/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/rw-cert/test.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
deleted file mode 100644
index 5b525ef06..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
-carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
-carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::YES
-carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index f3d7a807c..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128-sha256!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid="C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org"
- rightauth=any
- rightsubnet=10.1.0.0/16
- rightsendcert=never
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 646f6e8e3..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
-zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C
-Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud
-EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+
-aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u
-Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0
-cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n
-c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA
-7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm
-q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE
-gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index c277ba4f6..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,E62D0EE78FCCAD3B03EA4F93FEFD057C
-
-CppPKxfVWWaXK3iuFa27YOe/0lWsvzhYKShyq9XanpjuCkcmxKD97eAH1TKokasH
-7ffgnKzbLloxJN6g0GMTPpfiRndeK36DyTwktkyt+h+LU1xooSmNnsaM41P0GaPB
-71Y87B5E5DCmWQO0icQKbQPj66GNwxBh9S6a8OaxnkU=
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index f5b116b3b..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 random nonce openssl curl revocation stroke kernel-netlink socket-default eap-tls updown
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 2236a5f71..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128-sha256!
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftauth=eap-tls
- leftfirewall=yes
- rightauth=eap-tls
- rightsendcert=never
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
deleted file mode 100644
index a4962286e..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDMTCCApOgAwIBAgIBDjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMDQ0M1oXDTIzMDYxMTEyMDQ0M1owXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDUyMSBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwgZswEAYHKoZI
-zj0CAQYFK4EEACMDgYYABADF8xmbPu/a05BVtNnZflimozXZgYi+Md7hKREzL7qr
-dvtRwbyvki3XNo7zzc1HF/FcYyLJ7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcx
-JTF74PtzYGKaMWCP+YN52u3tGaOdlvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPu
-M2HRBKOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRl
-8cuEZmUGoBIWQeXSYzWq/7ou4jB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB
-7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB4G
-A1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr
-aHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAKBggq
-hkjOPQQDAgOBiwAwgYcCQgDtARCWbIy+tdsD9EYw/oTxfrnsWP0fw1/3UKXjSAlT
-tZfJfE743Y7Zl2vqmRIeohQBYY09reTOFnUfYx/jONsTUQJBSB7w+z/CcTCQGIV8
-ISaaeAskxcg/+h87ha+5ZOkHoJDeJTqaatHu3dVx8OepEiQS0TSB9FNxj9g/9bYN
-Vjo6NkA=
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index 24f07b5d7..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B
-qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb
-Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ
-7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd
-lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4aa2068f4..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = pem pkcs1 random nonce openssl curl revocation stroke kernel-netlink socket-default eap-tls updown
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
-
-libtls {
- suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-}
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
deleted file mode 100644
index 046d4cfdc..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt
deleted file mode 100644
index 26e42c4b7..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
-but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
-she ignores the repeated IKE requests sent by <b>dave</b>.
-<p/>
-After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
-connection to gateway <b>moon</b>. The authentication is based on Suite B with <b>128 bit</b>
-security based on <b>X.509 ECDSA</b> certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b>
-authenticated encryption.
-<p/>
-Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of
-an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall,
-<b>carol</b> pings the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
deleted file mode 100644
index b00c4cd40..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
-carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 61e13df41..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128gcm128-prfsha256-ecp256!
- esp=aes128gcm128-ecp256!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 646f6e8e3..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
-zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C
-Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud
-EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+
-aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u
-Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0
-cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n
-c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA
-7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm
-q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE
-gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index c8c12c3b7..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAgyh91hjqzCuAICCAAw
-HQYJYIZIAWUDBAECBBBZwepsRENncvW5UJ/blAqmBIGQZdbHnD3PWEbUXZJPkbIK
-VvJZkd2+k12IxdShMWwCeW93R+3nj+7T0NPAQqMbuqz51zgO+SuXDupUIKdLHKMy
-vdasLrbA3fe7YFVlxQjB6fB69V059ifi61OCIO/KfC7Je4ff3TZVwJcUYpduPIkQ
-BZAw46T0JtrXltFgxxGYnnTlzuYW6EDB3l6Fwb2zCyZm
------END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index d117a3001..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
- initiator_only = yes
- integrity_test = yes
-
- crypto_test {
- required = yes
- on_add = yes
- }
-
- plugins {
- openssl {
- fips_mode = 2
- }
- }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 22fcb3eb5..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128gcm128-prfsha256-ecp256!
- esp=aes128gcm128-ecp256!
-
-conn peer
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_CAROL
- rightid=carol@strongswan.org
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem
deleted file mode 100644
index 0f6315794..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC7TCCAlCgAwIBAgIBEjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMzUyNFoXDTIzMDYxMTEyMzUyNFowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDI1NiBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAATRc+i666sxHVohZ/4ld8ffz2xoa+x9+7TzM689nczQ
-oZMs3+AJIjjNzdjvEe6kPHW73p51IdtlVF97Ib62hgQuo4IBEzCCAQ8wCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDA3QkktCD5ZvWeiepNeQPWpcKP8
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYDVR0RBBcwFYETZGF2ZUBzdHJv
-bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
-YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMCA4GKADCBhgJBOrfM
-xT0Cn1uXVvuS977ANQZwzAX4O9y5POFXBkDKLFPL9hgWg7jxhREkDRcvViovMmiM
-EAjoEZLD8SysfYrRZxcCQXtgWTfS2GAIDSQS1of1so/8Z/xZdfoIWxRoZ/xmH7jY
-Yt3wK6yGjziEbX9LGN4MkOwkJKjEkTwbTygv7Wt3arz/
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem
deleted file mode 100644
index a4041c5fa..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEICEAikut4YuFnv6vLE/7Lk+LmQ+ic35apftbhu2+TICQoAoGCCqGSM49
-AwEHoUQDQgAE0XPouuurMR1aIWf+JXfH389saGvsffu08zOvPZ3M0KGTLN/gCSI4
-zc3Y7xHupDx1u96edSHbZVRfeyG+toYELg==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index d117a3001..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
- initiator_only = yes
- integrity_test = yes
-
- crypto_test {
- required = yes
- on_add = yes
- }
-
- plugins {
- openssl {
- fips_mode = 2
- }
- }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index f7044e51d..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekey=no
- reauth=no
- keyexchange=ikev2
- ike=aes128gcm128-prfsha256-ecp256!
- esp=aes128gcm128-ecp256!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem
deleted file mode 100644
index 961c8bec8..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC7jCCAlCgAwIBAgIBEzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzE0MzEzMVoXDTIzMDYxMTE0MzEzMVowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAATCqc/Wov++N8wvG3IhsEAxa38bxoIBPQZeOqMyi/lV
-breEsOSJD/POV3gkt1lKOaQ502XdJcjdAvCqjtbpzCMWo4IBEzCCAQ8wCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFAtkayAwMYDQqnlKDRvm7HNCIxY8
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYDVR0RBBcwFYITbW9vbi5zdHJv
-bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
-YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMCA4GLADCBhwJBVnfl
-l9eV6R+jNdUCuz+yDdM7c1UpQ+Qy7rtXq50KZY7d1xJsTk152LxXIkO8EJnHmO4l
-s39RHlGXItWcYGffXIICQgCLB+R8QFnMcKlgpjrxsuO/Ljg1RcMav3y3zaHJJJLT
-eJBEL7RhDaPGcJ/hKU4TPwvSEIkswQaDnN+oAZiz/gFDUw==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index c0a8c852b..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIG7fewqQ4RTIWsck4m9ftByXOl4X0va0RtYqdbiF9CAHoAoGCCqGSM49
-AwEHoUQDQgAEwqnP1qL/vjfMLxtyIbBAMWt/G8aCAT0GXjqjMov5VW63hLDkiQ/z
-zld4JLdZSjmkOdNl3SXI3QLwqo7W6cwjFg==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules
deleted file mode 100644
index cc12d1659..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
-
-# allow traffic tunnelled via IPsec
--A FORWARD -i eth0 -o eth1 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
--A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index feb5d79a6..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
- integrity_test = yes
-
- crypto_test {
- required = yes
- on_add = yes
- }
-
- plugins {
- openssl {
- fips_mode = 2
- }
- }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat
deleted file mode 100644
index 290f57e69..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-dave::expect-connection peer
-dave::ipsec up peer
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
deleted file mode 100644
index b8cb4fb8b..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
-but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
-she ignores the repeated IKE requests sent by <b>dave</b>.
-<p/>
-After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
-connection to gateway <b>moon</b>. The authentication is based on Suite B with <b>192 bit</b>
-security based on <b>X.509 ECDSA</b> certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b>
-authenticated encryption.
-<p/>
-Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of
-an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall,
-<b>carol</b> pings the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
deleted file mode 100644
index 3de5c94e0..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
-carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 14146ef01..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256gcm128-prfsha384-ecp384!
- esp=aes256gcm128-ecp384!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index f3f4c6671..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDDjCCAm+gAwIBAgIBETAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMzQzMloXDTIzMDYxMTEyMzQzMlowXzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDM4NCBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMHYwEAYHKoZI
-zj0CAQYFK4EEACIDYgAExm8lmoXGUfLL8xzhhQFmadz7SjPdubASbH9m+t7h30OV
-yo+NPmtve7uqrWzttyWfqR7tFSOLtP5joj8U9E580ilT/2MsjVQJpKOFpYaggPUK
-f+fhRwfQMUunyyAoIRSbo4IBFDCCARAwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gw
-HQYDVR0OBBYEFCQeIdu6skXTNWUg5w1Eb9HR1dU2MHgGA1UdIwRxMG+AFLpd+XG2
-E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
-dXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA
-9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwPAYDVR0f
-BDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2Fu
-X2VjLmNybDAKBggqhkjOPQQDAgOBjAAwgYgCQgGptTrYfjcWM+P66K5W+sq1d4X6
-E0+I2lXRKRiku2vPjpTQZJim4k4pAJNC19R2CCJMBgqab1ROUUsHMMHBNcyR/gJC
-AN6S1J68o3UTQwAyN/zXW4ur8cxsPKV9uZYoz7O6Snz+eTliz/g8NPtfLYUseCii
-VoXhdWwKkiRd8Cjck+RJHVWh
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index 713942d7f..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBDjBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQI1OV1cAp5SZcCAggA
-MB0GCWCGSAFlAwQBFgQQ1SGtVnno2vKhkF+iPT6vygSBwFZQrciZs2FN8cDI0x9c
-3OFxbaRawXnagMlpYq/To268rDFtcKGBN7JxwBaFGJw4NFrU/sOu2NkhLuA/Jbaz
-w75aQ/MjTeOtwy2PS62J/+T1zqCdfpfCJYeYCc2CPd3E21FbsW0Mmfw1b8vZ2YeS
-lsd9jvY/bob4tH68J1ZqErOLaCU0EXPgqlZiLhcDIwfZJDqrZ5xFHk3mcjB6Pc4O
-TWwJN+elQoxd29HSASw9plO2p1DRDpSZPTU67UDXDOWfJA==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index d117a3001..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
- initiator_only = yes
- integrity_test = yes
-
- crypto_test {
- required = yes
- on_add = yes
- }
-
- plugins {
- openssl {
- fips_mode = 2
- }
- }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index b81e9b277..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256gcm128-prfsha384-ecp384!
- esp=aes256gcm128-ecp384!
-
-conn peer
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_CAROL
- rightid=carol@strongswan.org
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem
deleted file mode 100644
index 35b3df49a..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDDDCCAm2gAwIBAgIBDzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMTAzMVoXDTIzMDYxMTEyMTAzMVowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDM4NCBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
-PQIBBgUrgQQAIgNiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0ocoAfYUe/8KzxU5
-7Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3BQu8lofvwQQxQ
-rWnu3qzwqEfwb0iB2WyjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd
-BgNVHQ4EFgQUDCdvv80iOq2pGsjrnNiQFP2RjnsweAYDVR0jBHEwb4AUul35cbYT
-tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
-eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2
-onV+Iu+miTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1
-MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l
-Yy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIBMxGGwujqlwf+JFNXW/sbxZmynwzq
-duPikzCw0wIq+YhFYJVi2YWDz0Ikfn4WUvoiUIC/uSBAJAw/3E3SHO5I4Y8CQgF2
-d6Ct2ocQwMcz5O00i3BsuOjiHvL3VB3GGG8rfIXAqwUAy4jXQo0bMh2yD+5WwKmP
-GnRyvRuhwRkbBIGt6l1mbA==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem
deleted file mode 100644
index 40a76935e..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDBz89+bQmsMHvfaCsI0N1bInZ+oxA9JZHZrAAkHGHaWFUQZFXBMB88n
-2+6S2JvUbcygBwYFK4EEACKhZANiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0oco
-AfYUe/8KzxU57Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3B
-Qu8lofvwQQxQrWnu3qzwqEfwb0iB2Ww=
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index d117a3001..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
- initiator_only = yes
- integrity_test = yes
-
- crypto_test {
- required = yes
- on_add = yes
- }
-
- plugins {
- openssl {
- fips_mode = 2
- }
- }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index f37dae945..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekey=no
- reauth=no
- keyexchange=ikev2
- ike=aes256gcm128-prfsha384-ecp384!
- esp=aes256gcm128-ecp384!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem
deleted file mode 100644
index a71ffdca1..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCzCCAm2gAwIBAgIBFDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzE0MzE1MVoXDTIzMDYxMTE0MzE1MVowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDM4NCBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
-PQIBBgUrgQQAIgNiAAQBXgnLJrtT2zS6BEj4WBRskabmIw8TVo3Q4+MyOBab2jzM
-AVE44VFjo/ihd1YCeTs8KyZY+w8XPnCqm+z+Z9NeU2tN5wLlVYSBwyYzL9+Nhnam
-F6qMSaPBnIE2CK2hgqGjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd
-BgNVHQ4EFgQUT4FEmRbCvjxKsXqruiQgzC50pj0weAYDVR0jBHEwb4AUul35cbYT
-tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
-eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2
-onV+Iu+miTAeBgNVHREEFzAVghNtb29uLnN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1
-MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l
-Yy5jcmwwCgYIKoZIzj0EAwIDgYsAMIGHAkIAhHCvrcHfCJbPcNDdyT4x3F3V2wq7
-96TzcVzlLJ+zSxr3Xo3eqOZaxAlnnoI4aQIukZ0RXzSCebDrOL9+k+5uRakCQU9k
-W5MphqYKOys+lQmpKBEnzZlM1QvFfUUiXwoxN8Ilc9c0nSVXKl9m/uPgP7GZjvaE
-J4juvRKmi2nMoxWIJtMt
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index ba7520f6c..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDDuG7KDU5nek/TFvZQIxg89wevYYa1/EDyQHLFanmbK1DTx07Wv9D/b
-BL5sHWEPNMGgBwYFK4EEACKhZANiAAQBXgnLJrtT2zS6BEj4WBRskabmIw8TVo3Q
-4+MyOBab2jzMAVE44VFjo/ihd1YCeTs8KyZY+w8XPnCqm+z+Z9NeU2tN5wLlVYSB
-wyYzL9+NhnamF6qMSaPBnIE2CK2hgqE=
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules
deleted file mode 100644
index cc12d1659..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
-
-# allow traffic tunnelled via IPsec
--A FORWARD -i eth0 -o eth1 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
--A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index feb5d79a6..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
-
- integrity_test = yes
-
- crypto_test {
- required = yes
- on_add = yes
- }
-
- plugins {
- openssl {
- fips_mode = 2
- }
- }
-}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat
deleted file mode 100644
index 290f57e69..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-dave::expect-connection peer
-dave::ipsec up peer
-carol::expect-connection home
-carol::ipsec up home
diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat
index 6e427b265..a067f6ded 100644
--- a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat
+++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat
@@ -2,8 +2,8 @@ carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED
dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_DAVE local-port=4500 local-id=dave@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES
moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*remote-vips=\[fec3:\:1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:1/128]::YES
moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_DAVE remote-port=4500 remote-id=dave@strongswan.org.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-psk-ipv6/evaltest.dat b/testing/tests/sql/rw-psk-ipv6/evaltest.dat
index 63c8b6414..c483dec2b 100644
--- a/testing/tests/sql/rw-psk-ipv6/evaltest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=4500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
diff --git a/testing/tests/swanctl/config-payload/evaltest.dat b/testing/tests/swanctl/config-payload/evaltest.dat
index de62af271..1cc8d8240 100755
--- a/testing/tests/swanctl/config-payload/evaltest.dat
+++ b/testing/tests/swanctl/config-payload/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
deleted file mode 100644
index 0340d5669..000000000
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-subnet 10.1.0.0 netmask 255.255.0.0 {
- option routers 10.1.0.1;
- option broadcast-address 10.1.255.255;
- option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
- option netbios-name-servers PH_IP_VENUS;
-
- # dynamic address pool for visitors
- range 10.1.0.30 10.1.0.50;
-}
diff --git a/testing/tests/swanctl/frags-ipv6/evaltest.dat b/testing/tests/swanctl/frags-ipv6/evaltest.dat
index f7af441a4..61c94618b 100755
--- a/testing/tests/swanctl/frags-ipv6/evaltest.dat
+++ b/testing/tests/swanctl/frags-ipv6/evaltest.dat
@@ -11,8 +11,8 @@ carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES
-alice::ping6 -c 1 ip6-carol.strongswan.org::64 bytes from ip6-carol.strongswan.org: icmp_seq=1::YES
-alice::ping6 -c 1 ip6-dave.strongswan.org::64 bytes from ip6-dave.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 ip6-carol.strongswan.org::64 bytes from ip6-carol.strongswan.org.*: icmp_seq=1::YES
+alice::ping6 -c 1 ip6-dave.strongswan.org::64 bytes from ip6-dave.strongswan.org.*: icmp_seq=1::YES
moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/host2host-cert/description.txt b/testing/tests/swanctl/host2host-cert/description.txt
new file mode 100755
index 000000000..8f7e6e9f4
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/description.txt
@@ -0,0 +1,6 @@
+A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
+The authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/swanctl/host2host-cert/evaltest.dat b/testing/tests/swanctl/host2host-cert/evaltest.dat
new file mode 100755
index 000000000..29cd8bfbd
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/evaltest.dat
@@ -0,0 +1,6 @@
+
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..42176e76d
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+ host-host {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
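Review bot: The `remote` section of `host-host` sets only `auth = pubkey` and `id = sun.strongswan.org`, with no `revocation` setting, so the peer certificate is checked under the default revocation policy (presumably the relaxed one). That sits oddly with this test's strongswan.conf, which loads the `revocation` and `curl` plugins. If the scenario is meant to cover CRL checking, a comment above `remote {` such as `# revocation left at default: a failed CRL fetch does not reject the peer` would record the choice. The same applies to the sun config of this test and to both host2host-transport configs.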
diff --git a/testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..eeaaeab1d
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+ host-host {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/host2host-cert/posttest.dat b/testing/tests/swanctl/host2host-cert/posttest.dat
new file mode 100755
index 000000000..3d7248cc8
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/host2host-cert/pretest.dat b/testing/tests/swanctl/host2host-cert/pretest.dat
new file mode 100755
index 000000000..b42dce654
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection host-host
+sun::expect-connection host-hhost
+moon::swanctl --initiate --child host-host 2> /dev/null
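Review bot: The connection name in `sun::expect-connection host-hhost` is misspelled. The connection defined in this test's sun swanctl.conf is `host-host`, so the step waits for a name that is never loaded. How expect-connection handles a miss is not visible here, but it will probably time out, which delays the test and leaves sun's readiness unchecked before moon initiates. The line should read `sun::expect-connection host-host`. The same typo is in testing/tests/swanctl/host2host-transport/pretest.dat.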
diff --git a/testing/tests/swanctl/host2host-cert/test.conf b/testing/tests/swanctl/host2host-cert/test.conf
new file mode 100755
index 000000000..52d886dcc
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/host2host-transport/description.txt b/testing/tests/swanctl/host2host-transport/description.txt
new file mode 100755
index 000000000..bc5a1299b
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/description.txt
@@ -0,0 +1,6 @@
+An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b>
+is successfully set up. The authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec connection, the updown script automatically
+inserts iptables-based firewall rules that let pass the protected traffic.
+In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/swanctl/host2host-transport/evaltest.dat b/testing/tests/swanctl/host2host-transport/evaltest.dat
new file mode 100755
index 000000000..8b103d087
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/evaltest.dat
@@ -0,0 +1,6 @@
+
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..c1e33eca3
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,31 @@
+connections {
+
+ host-host {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0e94678e4
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,31 @@
+connections {
+
+ host-host {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/host2host-transport/posttest.dat b/testing/tests/swanctl/host2host-transport/posttest.dat
new file mode 100755
index 000000000..3d7248cc8
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/host2host-transport/pretest.dat b/testing/tests/swanctl/host2host-transport/pretest.dat
new file mode 100755
index 000000000..b42dce654
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection host-host
+sun::expect-connection host-hhost
+moon::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/swanctl/host2host-transport/test.conf b/testing/tests/swanctl/host2host-transport/test.conf
new file mode 100755
index 000000000..52d886dcc
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/ip-pool-db/evaltest.dat b/testing/tests/swanctl/ip-pool-db/evaltest.dat
index 130a0b918..5133e426f 100755
--- a/testing/tests/swanctl/ip-pool-db/evaltest.dat
+++ b/testing/tests/swanctl/ip-pool-db/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES
diff --git a/testing/tests/swanctl/ip-pool/evaltest.dat b/testing/tests/swanctl/ip-pool/evaltest.dat
index 51ac523b8..36ab6c119 100755
--- a/testing/tests/swanctl/ip-pool/evaltest.dat
+++ b/testing/tests/swanctl/ip-pool/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
diff --git a/testing/tests/swanctl/ip-two-pools-db/description.txt b/testing/tests/swanctl/ip-two-pools-db/description.txt
new file mode 100755
index 000000000..4bad7b1b7
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/description.txt
@@ -0,0 +1,14 @@
+The hosts <b>alice</b>, <b>venus</b>, <b>carol</b>, and <b>dave</b> set up tunnel connections
+to gateway <b>moon</b> in a <b>hub-and-spoke</b> fashion. Each host requests a <b>virtual IP</b>
+from gateway <b>moon</b> which assigns virtual IP addresses from a pool named <b>extpool</b>
+[10.3.0.1..10.3.1.244] to hosts connecting to the <b>eth0</b> (PH_IP_MOON) interface and virtual
+IP addresses from a pool named <b>intpool</b> [10.4.0.1..10.4.1.244] to hosts connecting to
+the <b>eth1</b> (PH_IP_MOON1) interface.
+Thus <b>carol</b> and <b>dave</b> are assigned <b>PH_IP_CAROL1</b> and <b>PH_IP_DAVE1</b>,
+respectively, whereas <b>alice</b> and <b>venus</b> get <b>10.4.0.1</b> and <b>10.4.0.2</b>,
+respectively.
+<p>
+By defining the composite traffic selector <b>10.3.0.0/16,10.4.0.0/16</b>, each of the four
+spokes can securely reach any other spoke via the central hub <b>moon</b>. This is
+demonstrated by <b>alice</b> and <b>dave</b> pinging the assigned virtual IP addresses
+of <b>carol</b> and <b>venus</b>.
diff --git a/testing/tests/swanctl/ip-two-pools-db/evaltest.dat b/testing/tests/swanctl/ip-two-pools-db/evaltest.dat
new file mode 100755
index 000000000..16dc23669
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/evaltest.dat
@@ -0,0 +1,35 @@
+moon:: ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES
+moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES
+venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES
+alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
+alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
+dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+venus:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*ext.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*ext.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: swanctl --list-sas --ike-id 3 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*int.*reqid=3 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.20 remote-port=4500 remote-id=venus.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.2] child-sas.*int.*reqid=4 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.2/32]::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+dave::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+venus::tcpdump::IP moon1.strongswan.org > venus.strongswan.org: ESP::YES
+venus::tcpdump::IP venus.strongswan.org > moon1.strongswan.org: ESP::YES
+
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf
new file mode 100755
index 000000000..f021e9c96
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7dfef4e38
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 10.1.0.10
+ remote_addrs = 10.1.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..f021e9c96
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..fca6efb2e
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..f021e9c96
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1f0b361ec
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
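Review bot: The return rules under `# allow crl fetch from winnetou` match only on the source address and `--sport 80`, so moon's INPUT chain and the eth0-to-eth1 FORWARD chain accept any TCP segment from PH_IP_WINNETOU with source port 80, not only replies to a fetch started from the inside. A state match would tie them to established flows, e.g. `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -m conntrack --ctstate ESTABLISHED -j ACCEPT`, with the same match on the `-A FORWARD -i eth0 -o eth1` line. The `# allow ssh` pair is also unrestricted by interface or source, presumably for the test harness; a comment saying so would help. The file added under ip-two-pools/hosts/moon shows the same rules, but that hunk runs past the end of this view.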
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..fba531a52
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl sqlite attr-sql kernel-netlink socket-default updown vici
+
+ plugins {
+ attr-sql {
+ database = sqlite:///etc/db.d/ipsec.db
+ }
+ }
+}
+
+pool {
+ load = sqlite
+ database = sqlite:///etc/db.d/ipsec.db
+} \ No newline at end of file
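Review bot: The file ends without a trailing newline (`\ No newline at end of file` after the closing `}` of the `pool` section); adding one keeps later appends and diffs clean. The URI `database = sqlite:///etc/db.d/ipsec.db` is also written twice, once under `attr-sql` and once under `pool`. Presumably both must name the same file so that the daemon and the `ipsec pool` tool share leases; a one-line comment such as `# must match pool.database below` would document that.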
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..d719d7aad
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,48 @@
+connections {
+
+ ext {
+ local_addrs = 192.168.0.1
+ pools = extpool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ ext {
+ local_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+
+ int {
+ local_addrs = 10.1.0.1
+ pools = intpool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ int {
+ local_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
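Review bot: The `remote` sections of both `ext` and `int` carry only `auth = pubkey`, with no `id` or `cacerts` constraint, so which peers may connect depends entirely on the CA certificates loaded on moon, which this hunk does not show. That fits a roadwarrior gateway, but a short comment would make the intent explicit, e.g. `# no id/cacerts: any peer holding a certificate from a trusted CA is accepted`. The two connections differ only in `local_addrs`, `pools` and the child name, so the comment is needed once at `ext` with a pointer from `int`.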
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf
new file mode 100755
index 000000000..f021e9c96
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..906b7bdea
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 10.1.0.20
+ remote_addrs = 10.1.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = venusCert.pem
+ id = venus.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/posttest.dat b/testing/tests/swanctl/ip-two-pools-db/posttest.dat
new file mode 100755
index 000000000..cbb2c2498
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/posttest.dat
@@ -0,0 +1,18 @@
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+venus::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+moon::ip route del 10.3.0.0/16 via PH_IP_MOON
+moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
+moon::ipsec pool --del extpool 2> /dev/null
+moon::ipsec pool --del intpool 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
+
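Review bot: The three `ipsec pool --delattr ... --pool ...` lines run after `ipsec pool --del extpool` and `ipsec pool --del intpool`, so they name pools that have already been removed. Whether `--delattr` can still resolve the pool name at that point is not visible here, and `2> /dev/null` would hide a failure. Moving the `--delattr` lines above the two `--del` lines removes the doubt and makes the teardown the reverse of the setup order in pretest.dat. The database file /etc/db.d/ipsec.db created in pretest.dat is not removed here either; presumably the harness handles that through DBHOSTS, but that is outside this hunk.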
diff --git a/testing/tests/swanctl/ip-two-pools-db/pretest.dat b/testing/tests/swanctl/ip-two-pools-db/pretest.dat
new file mode 100755
index 000000000..7229eee7c
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/pretest.dat
@@ -0,0 +1,30 @@
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null
+moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
+moon::ipsec pool --statusattr 2> /dev/null
+moon::ip route add 10.3.0.0/16 via PH_IP_MOON
+moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+venus::systemctl start strongswan-swanctl
+moon::expect-connection int
+moon::expect-connection ext
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
+alice::expect-connection home
+alice::swanctl --initiate --child home 2> /dev/null
+venus::expect-connection home
+venus::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/test.conf b/testing/tests/swanctl/ip-two-pools-db/test.conf
index 05d40f98d..9394e0289 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-pts/test.conf
+++ b/testing/tests/swanctl/ip-two-pools-db/test.conf
@@ -5,7 +5,7 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
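Review bot: `VIRTHOSTS="alice moon carol winnetou dave"` drops venus, yet the next hunk sets `TCPDUMPHOSTS="alice venus carol dave"` and `IPSECHOSTS="alice venus moon carol dave"`, and pretest.dat and evaltest.dat in this directory run commands on venus. If the harness uses VIRTHOSTS to decide which guests a test needs, as the comment "All guest instances that are required for this test" suggests, the line should stay `VIRTHOSTS="alice venus moon carol winnetou dave"`. The unchanged `DIAGRAM="a-v-m-c-w-d.png"` in the following hunk header also still names venus.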
@@ -13,20 +13,16 @@ DIAGRAM="a-v-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS="alice venus carol dave"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="moon carol dave"
-
-# Guest instances on which FreeRadius is started
-#
-RADIUSHOSTS="alice"
+IPSECHOSTS="alice venus moon carol dave"
# Guest instances on which databases are used
#
-DBHOSTS="alice"
+DBHOSTS="moon"
# charon controlled by swanctl
#
diff --git a/testing/tests/swanctl/ip-two-pools/description.txt b/testing/tests/swanctl/ip-two-pools/description.txt
new file mode 100755
index 000000000..df9f54a66
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/description.txt
@@ -0,0 +1,9 @@
+The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
+Both hosts request a <b>virtual IP</b> via the IKEv2 configuration payload.
+Gateway <b>moon</b> assigns virtual IP addresses from <b>pool1</b> with an address range of
+<b>10.3.0.0/28</b> to hosts connecting to the <b>eth0</b> (192.168.0.1) interface and
+virtual IP addresses from <b>pool2</b> with an address range of <b>10.4.0.0/28</b> to hosts
+connecting to the <b>eth1</b> (10.1.0.1) interface.
+<p>
+Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and
+both ping the gateway <b>moon</b>.
diff --git a/testing/tests/swanctl/ip-two-pools/evaltest.dat b/testing/tests/swanctl/ip-two-pools/evaltest.dat
new file mode 100755
index 000000000..cb3b60f4d
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/evaltest.dat
@@ -0,0 +1,18 @@
+moon:: swanctl --list-pools --raw --name pool1 2> /dev/null::pool1.*base=10.3.0.0 size=14 online=1 offline=0::YES
+moon:: swanctl --list-pools --raw --name pool2 2> /dev/null::pool2.*base=10.4.0.0 size=14 online=1 offline=0::YES
+moon:: swanctl --list-pools --raw --name pool1 --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
+moon:: swanctl --list-pools --raw --name pool2 --leases 2> /dev/null::address=10.4.0.1 identity=alice@strongswan.org status=online::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.4.0.1 to peer.*alice@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[192.168.0.1/32]::YES
+alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.1.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*rw1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw2.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*rw2.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32] remote-ts=\[10.4.0.1/32]::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..509fe678f
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 10.1.0.10
+ remote_addrs = 10.1.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..60b216e62
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
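Review bot: The return-path rules under `# allow crl fetch from winnetou` match on source port alone, so `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT` accepts any TCP segment from that address with source port 80, to any local port, whether or not moon opened the connection. The matching FORWARD rule does the same for hosts behind eth1. Tying the return direction to connection state would keep the rule set as tight as the DROP policy suggests, for example `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -m conntrack --ctstate ESTABLISHED -j ACCEPT`. The same stateless pattern appears in hosts/sun/etc/iptables.rules of nat-rw-psk and nat-rw.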
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..cf4e54024
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,55 @@
+connections {
+
+ rw1 {
+ local_addrs = 192.168.0.1
+ pools = pool1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ rw1 {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+
+ rw2 {
+ local_addrs = 10.1.0.1
+ pools = pool2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ rw2 {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+pools {
+ pool1 {
+ addrs = 10.3.0.0/28
+ }
+ pool2 {
+ addrs = 10.4.0.0/28
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools/posttest.dat b/testing/tests/swanctl/ip-two-pools/posttest.dat
new file mode 100755
index 000000000..0cfeeb120
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+alice::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/ip-two-pools/pretest.dat b/testing/tests/swanctl/ip-two-pools/pretest.dat
new file mode 100755
index 000000000..95a32febc
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+alice::expect-connection home
+alice::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf b/testing/tests/swanctl/ip-two-pools/test.conf
index f29298850..5f67b7ed5 100644..100755
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
+++ b/testing/tests/swanctl/ip-two-pools/test.conf
@@ -9,13 +9,17 @@ VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
-DIAGRAM="a-m-c-w-d.png"
+DIAGRAM="a-m-c-w.png"
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS="carol alice"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="moon carol dave"
+IPSECHOSTS="moon carol alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
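Review bot: The hunk header's context line still reads `VIRTHOSTS="alice moon carol winnetou dave"`, and since this is the only hunk for the renamed file, that line appears to be carried over unchanged. The new test switches to `DIAGRAM="a-m-c-w.png"` and `IPSECHOSTS="moon carol alice"`, so dave no longer takes part. If that reading is right, the list should become `VIRTHOSTS="alice moon carol winnetou"` so the guest set matches the diagram and no unused host is started.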
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2057b5193
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..aa6f98076
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
- simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
index 91425f812..51b64a74b 100644
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
@@ -2,8 +2,19 @@ authorize {
preprocess
chap
mschap
- sim_files
+ files
suffix
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
eap {
ok = return
}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
deleted file mode 100644
index aaabab89e..000000000
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
-228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
-228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
-228060123456002,33000000000000000000000000000000,33112233,335566778899AABB
-228060123456002,34000000000000000000000000000000,34112233,345566778899AABB
-228060123456002,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
index e69de29bb..aa6f98076 100644
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat
index 010a4f9c4..93b379348 100644
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat
@@ -1,4 +1,4 @@
carol::systemctl stop strongswan-swanctl
dave::systemctl stop strongswan-swanctl
moon::systemctl stop strongswan-swanctl
-alice::killall radiusd
+alice::killall freeradius
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat
index 57d39a5e6..10150f03c 100644
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -1,10 +1,6 @@
-alice::cat /etc/freeradius/clients.conf
-alice::cat /etc/freeradius/eap.conf
-alice::cat /etc/freeradius/proxy.conf
-alice::cat /etc/freeradius/triplets.dat
carol::cat /etc/ipsec.d/triplets.dat
dave::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
moon::systemctl start strongswan-swanctl
carol::systemctl start strongswan-swanctl
dave::systemctl start strongswan-swanctl
diff --git a/testing/tests/swanctl/nat-rw-psk/description.txt b/testing/tests/swanctl/nat-rw-psk/description.txt
new file mode 100644
index 000000000..7754c7f39
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway <b>sun</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/swanctl/nat-rw-psk/evaltest.dat b/testing/tests/swanctl/nat-rw-psk/evaltest.dat
new file mode 100644
index 000000000..cd171e8c9
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/evaltest.dat
@@ -0,0 +1,14 @@
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon:: sleep 6::no output expected::NO
+bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=10.1.0.10 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=10.1.0.20 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.10.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
+sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.20.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
+alice::cat /var/log/daemon.log::sending keep alive::YES
+venus::cat /var/log/daemon.log::sending keep alive::YES
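Review bot: The second `sun::` line (`--ike-id 2`) ends in `remote-ts=\[10.1.0.20/32]:YES`, with a single colon where every other line uses the `::` field separator. As written, `:YES` becomes part of the match pattern and the expected-result field is missing, so this check of venus's SA on the gateway probably does not evaluate as intended; how the harness treats the missing field is not visible here. The line should end `remote-ts=\[10.1.0.20/32]::YES`. The same typo is in the corresponding line of testing/tests/swanctl/nat-rw/evaltest.dat.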
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..fd9bf8c7c
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..2d601c122
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ nat-t {
+ local_addrs = 10.1.0.10
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = psk
+ id = 10.1.0.10
+ }
+ remote {
+ auth = psk
+ id = 192.168.0.2
+ }
+ children {
+ nat-t {
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+ ike-sun {
+ id = 192.168.0.2
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
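Review bot: This swanctl.conf is added with `new file mode 100755` although it now carries a `secrets` section with a PSK, while the strongswan.conf next to it is added as 100644. A configuration file has no reason to be executable, and a file holding a shared secret is better committed as 100644 and installed readable by root only. A comment above the secret such as `# test-only PSK, must match ike-alice in hosts/sun/etc/swanctl/swanctl.conf` would also make clear that the value is a fixture. The same applies to the sun and venus swanctl.conf files of this test.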
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
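Review bot: The comment `# allow MobIKE` above the UDP 4500 rules does not describe what those rules are for in this test. The description and evaltest.dat show port 4500 carrying NAT-traversal traffic (IKE plus UDP-encapsulated ESP), and this file has no protocol-50 rule because all ESP arrives encapsulated. I would reword it to `# allow NAT-T (IKE and UDP-encapsulated ESP on port 4500)` so a reader does not go looking for a missing ESP rule. The identical file in nat-rw/hosts/sun/etc/iptables.rules would get the same comment.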
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f7a542d4d
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ nat-t {
+ local_addrs = 192.168.0.2
+
+ local {
+ auth = psk
+ id = 192.168.0.2
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ nat-t {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+ ike-alice {
+ id = 10.1.0.10
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+ ike-venus {
+ id = 10.1.0.20
+ secret = 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br
+ }
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..fd9bf8c7c
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..654489dfc
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ nat-t {
+ local_addrs = 10.1.0.20
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = psk
+ id = 10.1.0.20
+ }
+ remote {
+ auth = psk
+ id = 192.168.0.2
+ }
+ children {
+ nat-t {
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+ ike-sun {
+ id = 192.168.0.2
+ secret = 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br
+ }
+}
+
diff --git a/testing/tests/swanctl/nat-rw-psk/posttest.dat b/testing/tests/swanctl/nat-rw-psk/posttest.dat
new file mode 100644
index 000000000..a41653640
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/posttest.dat
@@ -0,0 +1,7 @@
+sun::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+venus::systemctl stop strongswan-swanctl
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
diff --git a/testing/tests/swanctl/nat-rw-psk/pretest.dat b/testing/tests/swanctl/nat-rw-psk/pretest.dat
new file mode 100644
index 000000000..906c5b006
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/pretest.dat
@@ -0,0 +1,16 @@
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+alice::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
+venus::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
+sun::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+venus::systemctl start strongswan-swanctl
+sun::expect-connection nat-t
+alice::expect-connection nat-t
+alice::swanctl --initiate --child nat-t
+venus::expect-connection nat-t
+venus::swanctl --initiate --child nat-t
diff --git a/testing/tests/swanctl/nat-rw-psk/test.conf b/testing/tests/swanctl/nat-rw-psk/test.conf
new file mode 100644
index 000000000..ecc95b837
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/nat-rw/description.txt b/testing/tests/swanctl/nat-rw/description.txt
new file mode 100644
index 000000000..1ee91b74d
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Authentication is based on X.509 certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/swanctl/nat-rw/evaltest.dat b/testing/tests/swanctl/nat-rw/evaltest.dat
new file mode 100644
index 000000000..ae6aaed33
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/evaltest.dat
@@ -0,0 +1,14 @@
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon:: sleep 6::no output expected::NO
+bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
+sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
+alice::cat /var/log/daemon.log::sending keep alive::YES
+venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..fd9bf8c7c
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
diff --git a/testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..61f769637
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ nat-t {
+ local_addrs = 10.1.0.10
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ nat-t {
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..637260de8
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ nat-t {
+ local_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ nat-t {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..fd9bf8c7c
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
diff --git a/testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0ea7c4055
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ nat-t {
+ local_addrs = 10.1.0.20
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = venusCert.pem
+ id = venus.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ nat-t {
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/nat-rw/posttest.dat b/testing/tests/swanctl/nat-rw/posttest.dat
new file mode 100644
index 000000000..a41653640
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/posttest.dat
@@ -0,0 +1,7 @@
+sun::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+venus::systemctl stop strongswan-swanctl
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
diff --git a/testing/tests/swanctl/nat-rw/pretest.dat b/testing/tests/swanctl/nat-rw/pretest.dat
new file mode 100644
index 000000000..63c9d359e
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/pretest.dat
@@ -0,0 +1,13 @@
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+venus::systemctl start strongswan-swanctl
+sun::expect-connection nat-t
+alice::expect-connection nat-t
+alice::swanctl --initiate --child nat-t
+venus::expect-connection nat-t
+venus::swanctl --initiate --child nat-t
diff --git a/testing/tests/swanctl/nat-rw/test.conf b/testing/tests/swanctl/nat-rw/test.conf
new file mode 100644
index 000000000..ecc95b837
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt b/testing/tests/swanctl/net2net-psk/description.txt
index bd680b57a..e064a99de 100644..100755
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt
+++ b/testing/tests/swanctl/net2net-psk/description.txt
@@ -1,6 +1,7 @@
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>OpenPGP V3 keys</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+The authentication is based on <b>Preshared Keys</b> (PSK).
+<p/>
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/swanctl/net2net-psk/evaltest.dat b/testing/tests/swanctl/net2net-psk/evaltest.dat
new file mode 100755
index 000000000..4c56d5299
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/evaltest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..5e2480ee2
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,55 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = psk
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+ ike-1 {
+ id-1 = moon.strongswan.org
+ secret = 0x45a30759df97dc26a15b88ff
+ }
+ ike-2 {
+ id-2 = sun.strongswan.org
+ secret = "This is a strong password"
+ }
+ ike-3 {
+ id-3a = moon.strongswan.org
+ id-3b =sun.strongswan.org
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+ ike-4 {
+ secret = 'My "home" is my "castle"!'
+ }
+ ike-5 {
+ id-5 = 192.168.0.1
+ secret = "Andi's home"
+ }
+}
\ No newline at end of file
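Review bot: The `secrets` section on moon lists five PSKs with no comment saying which one the test expects to be used, and only `ike-3` (with both `id-3a` and `id-3b`) has a counterpart in sun's swanctl.conf further down. If the intent is to exercise secret selection, a comment such as `# ike-3 is the only secret shared with sun; ike-1, ike-2, ike-4 and ike-5 are decoys for the lookup` would keep a reader from copying the block as a template. That matters most for `ike-4`, which has no `id` entry and so presumably matches any peer. `id-3b =sun.strongswan.org` (and `id-sun =sun.strongswan.org` on sun) is also missing the space after `=`, and the file ends without a newline.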
diff --git a/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b6fc72b7a
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+ ike-1 {
+ id-moon = moon.strongswan.org
+ id-sun =sun.strongswan.org
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
diff --git a/testing/tests/swanctl/net2net-psk/posttest.dat b/testing/tests/swanctl/net2net-psk/posttest.dat
new file mode 100755
index 000000000..755f0e5f8
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/net2net-psk/pretest.dat b/testing/tests/swanctl/net2net-psk/pretest.dat
new file mode 100755
index 000000000..e82d539fb
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+sun::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
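Review bot: `cd /etc/swanctl; rm rsa/* x509/* x509ca/*` on the moon and sun lines still runs the `rm` with relative globs if the `cd` fails, so it would delete from whatever directory the command started in. Chaining with `&&`, as in `moon::cd /etc/swanctl && rm rsa/* x509/* x509ca/*`, or using absolute paths avoids that. The same pattern appears in the rw-eap-aka-id-rsa and rw-eap-aka-rsa pretest.dat files (`carol::cd /etc/swanctl; rm rsa/* x509/*`). This assumes the text after `::` is handed to a shell on the guest, which the `2> /dev/null` redirection in the same file suggests.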
diff --git a/testing/tests/swanctl/net2net-psk/test.conf b/testing/tests/swanctl/net2net-psk/test.conf
new file mode 100755
index 000000000..07a3b247a
--- /dev/null
+++ b/testing/tests/swanctl/net2net-psk/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-cert-pss/evaltest.dat b/testing/tests/swanctl/rw-cert-pss/evaltest.dat
index a62fda968..c4106c678 100755
--- a/testing/tests/swanctl/rw-cert-pss/evaltest.dat
+++ b/testing/tests/swanctl/rw-cert-pss/evaltest.dat
@@ -1,7 +1,7 @@
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256 successful::YES
-moon ::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256 successful::YES
-moon ::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA_EMSA_PSS_SHA2_512 successful::YES
-moon ::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA_EMSA_PSS_SHA2_384 successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256_SALT_32 successful::YES
+dave ::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256_SALT_32 successful::YES
+moon ::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA_EMSA_PSS_SHA2_512_SALT_64 successful::YES
+moon ::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA_EMSA_PSS_SHA2_384_SALT_48 successful::YES
alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
diff --git a/testing/tests/swanctl/rw-cert/description.txt b/testing/tests/swanctl/rw-cert/description.txt
index 6af7a39ae..f190c0752 100755
--- a/testing/tests/swanctl/rw-cert/description.txt
+++ b/testing/tests/swanctl/rw-cert/description.txt
@@ -1,5 +1,6 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+<p/>
Upon the successful establishment of the IPsec tunnels, the updown script
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt b/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt
new file mode 100644
index 000000000..c39829dd5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt
@@ -0,0 +1,11 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method used in UMTS, but here a secret defined in <b>swanctl.conf</b>
+is used instead of a USIM/(R)UIM device.
+<p/>
+In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior <b>carol</b>
+uses the EAP identity <b>carol</b>.
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat
new file mode 100644
index 000000000..a655543f9
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..1582b2b01
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..4aabbaba1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ eap_id = carol
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol
+ secret = "Ar3etTnp01qlpOgb"
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1582b2b01
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..d68d1f474
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-aka
+ eap_id = %any
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol
+ secret = "Ar3etTnp01qlpOgb"
+ }
+}
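Review bot: The `remote` section sets `auth = eap-aka` and `eap_id = %any` but no `id`, so as far as this file shows the IKEv2 identity `carol@strongswan.org` is only claimed by the client while the secret is looked up under the EAP identity `carol`. A comment on the section, for example `# the IKEv2 ID is not verified against the EAP identity; add id = ... to restrict it`, would make that explicit for readers who reuse the scenario. evaltest.dat only asserts the matching pair (`remote-id=carol@strongswan.org remote-eap-id=carol`), so a mismatch case is not covered.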
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat
new file mode 100644
index 000000000..8cc1c4dc5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf
index 4a5fc470f..97b89cb61 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
+++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf
@@ -5,11 +5,11 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c.png"
# Guest instances on which tcpdump is to be started
#
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/description.txt b/testing/tests/swanctl/rw-eap-aka-rsa/description.txt
new file mode 100644
index 000000000..0138e35f5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/description.txt
@@ -0,0 +1,8 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method used in UMTS, but here a secret defined in <b>swanctl.conf</b>
+is used instead of a USIM/(R)UIM device.
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat
new file mode 100644
index 000000000..0d4f74197
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..4d4fc3583
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf
index ff58c7c9a..e3d6e50c0 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -2,34 +2,33 @@ connections {
home {
local_addrs = 192.168.0.100
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
auth = eap
- aaa_id = aaa.strongswan.org
id = carol@strongswan.org
}
remote {
- auth = pubkey
- id = moon.strongswan.org
+ auth = pubkey
+ id = moon.strongswan.org
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
- proposals = aes128-sha256-modp3072
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-carol {
id = carol@strongswan.org
- secret = "Ar3etTnp"
+ secret = "Ar3etTnp01qlpOgb"
}
}
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4d4fc3583
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..609309f05
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-aka
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp01qlpOgb"
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat
new file mode 100644
index 000000000..8cc1c4dc5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf b/testing/tests/swanctl/rw-eap-aka-rsa/test.conf
index c3f38054b..97b89cb61 100644
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf
+++ b/testing/tests/swanctl/rw-eap-aka-rsa/test.conf
@@ -5,11 +5,11 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="alice moon carol dave winnetou"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
-DIAGRAM="a-m-c-w-d.png"
+DIAGRAM="a-m-c.png"
# Guest instances on which tcpdump is to be started
#
@@ -18,4 +18,8 @@ TCPDUMPHOSTS="moon"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="moon carol dave"
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt b/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt
new file mode 100644
index 000000000..42db2e199
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
+<i>Extensible Authentication Protocol</i> to authenticate herself.
+<p/>
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>.
+In addition to her IKEv2 identity<b>carol@strongswan.org</b>, roadwarrior
+<b>carol</b> uses the EAP identity <b>carol</b>.
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat
new file mode 100644
index 000000000..3080ec15a
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
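Review bot: The `preacct`, `accounting` and `session` sections look unreachable in this scenario, because the only `listen` block is `type = auth` and moon's `eap-radius` settings in this commit set just `secret` and `server`, so no accounting requests appear to be sent. Either drop the three sections, which would also remove the reliance on `detail`, `unix` and `radutmp` presumably being enabled on alice, or add a second `listen` block with `type = acct` if accounting is meant to be exercised. The identical file added under rw-eap-md5-radius has the same issue.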
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
index dd0825858..dd0825858 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..d2cc789b3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..590a2b7cf
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ eap_id = carol
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol
+ secret = Ar3etTnp
+ }
+}
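Review bot: The file header for this hunk says `new file mode 100755`, so a configuration file holding the EAP secret `secret = Ar3etTnp` is committed with the execute bit set. It should be `100644`. Git records nothing finer than that bit, so restricting read access to the secrets section has to be done by whatever installs the file on the guest. The same mode appears on the other swanctl.conf files added in this commit (rw-eap-md5-id-radius/moon, rw-eap-md5-rsa carol and moon, rw-eap-mschapv2-id-rsa/moon), and the three renamed swanctl.conf files change `100644..100755`.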
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
index 1eb755354..1eb755354 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fa363c345
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
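Review bot: The `secret = gv6URkSs` line under `eap-radius` is committed with nothing marking it as a test fixture. It is an eight-character shared secret, and it is what authenticates the RADIUS exchange between moon and alice that carries the EAP-MD5 messages. A comment above it such as `# test-only RADIUS shared secret, never reuse outside the testing environment` would stop it being copied into a real gateway; the matching client entry on alice is presumably defined outside this diff. The same applies to rw-eap-md5-radius/hosts/moon/etc/strongswan.conf.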
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..9a59fc15e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ eap_id = %any
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
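Review bot: Nothing in the `remote` section ties the IKE identity to the EAP identity. `id = *@strongswan.org` is only a pattern match on what the peer claims, while the credential alice verifies belongs to the name obtained through `eap_id = %any`. As far as this hunk shows, a client holding any valid RADIUS account could therefore present any `*@strongswan.org` IKE id, so policy or logging keyed on `remote-id` would rest on an unverified value. A comment on the section would make that visible to anyone reusing the config, for example `# IKE id is matched by pattern only; the authenticated name is the EAP identity (remote-eap-id)`.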
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat
new file mode 100644
index 000000000..f32a56960
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat
new file mode 100644
index 000000000..84ba602c4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
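Review bot: The line `carol::cd /etc/swanctl; rm rsa/* x509/*` keeps going when the `cd` fails, so the relative globs would then be expanded in whatever directory the command started in. Writing it as `carol::cd /etc/swanctl && rm rsa/* x509/*`, or with absolute paths as `carol::rm /etc/swanctl/rsa/* /etc/swanctl/x509/*`, removes that dependency. The same line is added in pretest.dat of rw-eap-md5-radius and rw-eap-md5-rsa.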
diff --git a/testing/tests/tnc/tnccs-11-supplicant/test.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/test.conf
index 2069e4aa5..0d9e9f3d4 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/test.conf
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/test.conf
@@ -5,20 +5,20 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c.png"
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS=
+TCPDUMPHOSTS="moon"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="carol dave"
+IPSECHOSTS="moon carol"
# Guest instances on which FreeRadius is started
#
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/description.txt b/testing/tests/swanctl/rw-eap-md5-radius/description.txt
new file mode 100644
index 000000000..f0f241dc1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
+<i>Extensible Authentication Protocol</i> to authenticate herself.
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>. \ No newline at end of file
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat
new file mode 100644
index 000000000..09a78be83
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
index dd0825858..dd0825858 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e57629f2e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf
index ff58c7c9a..158c26b72 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -2,34 +2,33 @@ connections {
home {
local_addrs = 192.168.0.100
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
auth = eap
- aaa_id = aaa.strongswan.org
id = carol@strongswan.org
}
remote {
- auth = pubkey
- id = moon.strongswan.org
+ auth = pubkey
+ id = moon.strongswan.org
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
- proposals = aes128-sha256-modp3072
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-carol {
id = carol@strongswan.org
- secret = "Ar3etTnp"
+ secret = Ar3etTnp
}
}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
index 1eb755354..1eb755354 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf
index 28b32b74c..ad6d62896 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -1,27 +1,27 @@
connections {
- rw {
+ rw-eap {
local_addrs = 192.168.0.1
local {
- auth = pubkey
- id = moon.strongswan.org
+ auth = pubkey
certs = moonCert.pem
+ id = moon.strongswan.org
}
remote {
auth = eap-radius
id = *@strongswan.org
}
children {
- rw {
- local_ts = 10.1.0.0/16
+ net {
+ local_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
send_certreq = no
- proposals = aes128-sha256-modp3072
+ proposals = aes128-sha256-x25519
}
}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat b/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat
new file mode 100644
index 000000000..f32a56960
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat b/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat
new file mode 100644
index 000000000..84ba602c4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/test.conf b/testing/tests/swanctl/rw-eap-md5-radius/test.conf
new file mode 100644
index 000000000..0d9e9f3d4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/test.conf
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/description.txt b/testing/tests/swanctl/rw-eap-md5-rsa/description.txt
new file mode 100644
index 000000000..08fd89b65
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
+<i>Extensible Authentication Protocol</i> to authenticate herself.
+
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat
new file mode 100644
index 000000000..c0026af4f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
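Review bot: The entry `moon:: cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established` has no trailing expected-result field, while every other line in the file ends in `::YES`. How the harness treats an entry without that field is not visible here, so the check may be skipped or misread; append `::YES`. The same omission is in rw-eap-mschapv2-id-rsa/evaltest.dat on the `received EAP identity.*carol` and `EAP method EAP_MSCHAPV2 succeeded, no MSK established` lines.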
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e57629f2e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..158c26b72
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e57629f2e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..13816d778
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,39 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-md5
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = W7R0g3do
+ }
+}
+
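Review bot: The `eap-dave` entry in `secrets` is not exercised by this scenario as far as the commit shows: test.conf lists `VIRTHOSTS="alice carol moon"` and only carol initiates. Dropping it keeps the gateway's credential set to what the test actually uses. Separately, `remote { auth = eap-md5 }` has no `id`, so any peer identity with a matching secret is accepted; if only strongswan.org users are intended, add `id = *@strongswan.org` as the RADIUS variants of this test do.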
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat
new file mode 100644
index 000000000..8cc1c4dc5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/test.conf b/testing/tests/swanctl/rw-eap-md5-rsa/test.conf
new file mode 100644
index 000000000..97b89cb61
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt
new file mode 100644
index 000000000..95afc08b5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the <i>Microsoft CHAP version 2</i> (<b>EAP-MSCHAPV2</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+This EAP method is used e.g. by the Windows 7/8/10 Agile VPN client.
+<p/>
+In addition to her IKEv2 identity which defaults to her IP address,
+roadwarrior <b>carol</b> uses the EAP identity <b>carol</b>.
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat
new file mode 100644
index 000000000..a1c2d4e88
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -0,0 +1,11 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol
+moon:: cat /var/log/daemon.log::EAP method EAP_MSCHAPV2 succeeded, no MSK established
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100 remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..d9210aeb5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
index 1516ad726..1b5c5d99f 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -6,8 +6,7 @@ connections {
local {
auth = eap
- aaa_id = aaa.strongswan.org
- id = carol@strongswan.org
+ eap_id = carol
}
remote {
auth = pubkey
@@ -18,18 +17,18 @@ connections {
remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-ecp256
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
- proposals = aes128-sha256-ecp256
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
- id = carol@strongswan.org
- secret = "Ar3etTnp"
+ eap-carol {
+ id = carol
+ secret = Ar3etTnp
}
}
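Review bot: The header of this file section switches swanctl.conf from mode 100644 to 100755 (`index 1516ad726..1b5c5d99f 100644..100755`), which marks a configuration file holding the EAP secret in its `secrets` block as executable. Nothing in the hunks suggests the file is ever run, so the mode should stay `100644`. The same applies to the other swanctl.conf files in this part of the commit that are added with `new file mode 100755` or changed `100644..100755`, under rw-eap-mschapv2-id-rsa, rw-eap-peap-md5 and rw-eap-peap-mschapv2. Whether the test harness preserves the mode when it copies the file to the guest is not visible here.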
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..d9210aeb5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..d7c1f68ce
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-mschapv2
+ eap_id = %any
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol
+ secret = Ar3etTnp
+ }
+ eap-dave {
+ id = dave
+ secret = W7R0g3do
+ }
+}
+
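Review bot: The `eap-dave` block in `secrets` looks unused in this scenario: the test.conf added alongside lists `VIRTHOSTS="alice carol moon"`, and only carol initiates in pretest.dat. Dropping the block, or marking it with a comment such as `# unused here, kept for parity with the two-client tests`, keeps the fixture to the credentials the test exercises. The hunk also ends with an empty added line after the closing brace of `secrets`, which can go.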
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat
new file mode 100644
index 000000000..8cc1c4dc5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
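Review bot: In the added line `carol::cd /etc/swanctl; rm rsa/* x509/*` the `rm` still runs when the `cd` fails, and its relative globs would then be expanded in whatever directory the command started in. Chaining with `&&` keeps the deletion tied to the intended directory: `carol::cd /etc/swanctl && rm rsa/* x509/*`. The same pattern is added for carol and dave in rw-eap-peap-md5/pretest.dat and rw-eap-peap-mschapv2/pretest.dat. How the harness hands the string to a shell on the guest is not shown in this diff, so this assumes ordinary shell semantics.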
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf
new file mode 100644
index 000000000..97b89cb61
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt b/testing/tests/swanctl/rw-eap-peap-md5/description.txt
index d5f0b267a..7f9ade88a 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt
+++ b/testing/tests/swanctl/rw-eap-peap-md5/description.txt
@@ -1,10 +1,10 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-The strong mutual authentication is based on <b>EAP-TTLS</b> only (without a separate IKEv2
+The strong mutual authentication is based on <b>EAP-PEAP</b> only (without a separate IKEv2
authentication) with the gateway being authenticated by a server certificate during the
-EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client
-authentication based on <b>EAP-MD5</b> (phase2 of EAP-TTLS).
+EAP-TLS tunnel setup (phase1 of EAP-PEAP). This tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b> (phase2 of EAP-PEAP).
<p/>
-With the setting <b>charon.plugins.eap-ttls.phase2_piggyback = yes</b> the server <b>moon</b>
-initiates phase2 of the EAP-TTLS protocol by piggybacking a tunneled EAP Identity request
+With the setting <b>charon.plugins.eap-peap.phase2_piggyback = yes</b> the server <b>moon</b>
+initiates phase2 of the EAP-PEAP protocol by piggybacking a tunneled EAP Identity request
right onto the TLS Finished message. Client <b>carol</b> presents the correct MD5 password
and succeeds whereas client <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat b/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat
new file mode 100644
index 000000000..20ec1561e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat
@@ -0,0 +1,17 @@
+carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..733ab2afb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf
index 0f266dd93..db82791b8 100644..100755
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
home {
local_addrs = 192.168.0.100
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
- auth = eap-ttls
+ auth = eap
id = carol@strongswan.org
}
remote {
- auth = eap-ttls
- id = moon.strongswan.org
+ auth = eap-peap
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
send_certreq = no
- proposals = aes128-sha256-modp3072
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-carol {
id = carol@strongswan.org
- secret = "Ar3etTnp"
+ secret = Ar3etTnp
}
}
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..733ab2afb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf
index 989ab88c7..7f3b8104b 100644..100755
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
home {
local_addrs = 192.168.0.200
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
- auth = eap-ttls
+ auth = eap
id = dave@strongswan.org
}
remote {
- auth = eap-ttls
- id = moon.strongswan.org
+ auth = eap-peap
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
send_certreq = no
- proposals = aes128-sha256-modp3072
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-dave {
id = dave@strongswan.org
- secret = "W7R0g3do"
+ secret = UgaM65Va
}
}
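Review bot: The new `secret = UgaM65Va` in `eap-dave` does not match the `W7R0g3do` that moon's swanctl.conf for this test stores for dave@strongswan.org, and nothing in the file says the mismatch is intended. description.txt states that dave chooses the wrong password and fails, so a comment above the line would keep a later maintainer from correcting it by mistake: `# deliberately wrong; moon expects a different secret, dave must fail`. The same applies to hosts/dave/etc/swanctl/swanctl.conf under rw-eap-peap-mschapv2.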
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4b5445999
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+ plugins {
+ eap-peap {
+ phase2_method = md5
+ phase2_piggyback = yes
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0bb3bfd28
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,37 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-peap
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-peap
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = W7R0g3do
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-fhh/posttest.dat b/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat
index 199873ba1..199873ba1 100644
--- a/testing/tests/tnc/tnccs-11-fhh/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat
diff --git a/testing/tests/tnc/tnccs-20-fhh/pretest.dat b/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat
index 79340af29..9ae476e64 100644
--- a/testing/tests/tnc/tnccs-20-fhh/pretest.dat
+++ b/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat
@@ -1,19 +1,12 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
moon::systemctl start strongswan-swanctl
carol::systemctl start strongswan-swanctl
dave::systemctl start strongswan-swanctl
-moon::expect-connection rw-allow
+moon::expect-connection rw-eap
carol::expect-connection home
carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf b/testing/tests/swanctl/rw-eap-peap-md5/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf
+++ b/testing/tests/swanctl/rw-eap-peap-md5/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt b/testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt
new file mode 100644
index 000000000..ef2d24f2f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The strong mutual authentication is based on <b>EAP-PEAP</b> only (without a separate IKEv2
+authentication) with the gateway being authenticated by a server certificate during the
+EAP-TLS tunnel setup (phase1 of EAP-PEAP). This tunnel protects the ensuing weak client
+authentication based on <b>EAP-MSCHAPv2</b> (phase2 of EAP-PEAP).
+<p/>
+Client <b>carol</b> presents the correct MSCHAPv2 password and succeeds whereas client
+<b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat
new file mode 100644
index 000000000..dc56ba850
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat
@@ -0,0 +1,17 @@
+carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..6f227cc3a
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..db82791b8
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-peap
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..6f227cc3a
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf
index 5af2098b6..7f3b8104b 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
home {
local_addrs = 192.168.0.200
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
auth = eap
- aaa_id = aaa.strongswan.org
id = dave@strongswan.org
}
remote {
- auth = pubkey
- id = moon.strongswan.org
+ auth = eap-peap
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
- proposals = aes128-sha256-modp3072
+ send_certreq = no
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-dave {
id = dave@strongswan.org
- secret = "W7R0g3do"
+ secret = UgaM65Va
}
}
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..3b498d93b
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,21 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+ plugins {
+ eap-peap {
+ phase2_method = mschapv2
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0bb3bfd28
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,37 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-peap
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-peap
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = W7R0g3do
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-fhh/posttest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat
index 199873ba1..199873ba1 100644
--- a/testing/tests/tnc/tnccs-20-fhh/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat
diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat
index 79340af29..9ae476e64 100644
--- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat
@@ -1,19 +1,12 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
moon::systemctl start strongswan-swanctl
carol::systemctl start strongswan-swanctl
dave::systemctl start strongswan-swanctl
-moon::expect-connection rw-allow
+moon::expect-connection rw-eap
carol::expect-connection home
carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/description.txt b/testing/tests/swanctl/rw-eap-peap-radius/description.txt
new file mode 100644
index 000000000..004068226
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> and <b>dave</b> et up an <b>EAP-PEAP</b> tunnel each via
+gateway <b>moon</b> to the RADIUS server <b>alice</b> authenticated by an X.509
+AAA certificate. The strong EAP-PEAP tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b>. <b>carol</b> presents the correct MD5 password
+and succeeds whereas <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat
new file mode 100644
index 000000000..291e249da
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat
@@ -0,0 +1,17 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..0ae8befe4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,21 @@
+eap {
+ md5 {
+ }
+ default_eap_type = peap
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ peap {
+ tls = tls-common
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ }
+}
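Review bot: `cipher_list = "DEFAULT"` in `tls-common` leaves the suite selection for the PEAP outer tunnel to the OpenSSL build on alice, while description.txt relies on that tunnel being strong because the inner method is EAP-MD5. The evaltest.dat added for this test checks that EAP_PEAP succeeded but not which suite was negotiated. A comment on the line would make the fixture's limits explicit, for example `# test fixture: suite choice deferred to OpenSSL defaults, not a hardening reference`. Pinning the list is the alternative if the test is meant to demonstrate a strong tunnel.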
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..6ce9d6391
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
@@ -0,0 +1,38 @@
+server inner-tunnel {
+
+authorize {
+ filter_username
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ update outer.session-state {
+ &Module-Failure-Message := &request:Module-Failure-Message
+ }
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
index 31556361e..11d3e2acd 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
@@ -1,7 +1,7 @@
eap {
md5 {
}
- default_eap_type = ttls
+ default_eap_type = peap
tls {
private_key_file = /etc/raddb/certs/aaaKey.pem
certificate_file = /etc/raddb/certs/aaaCert.pem
@@ -10,16 +10,9 @@ eap {
dh_file = /etc/raddb/certs/dh
random_file = /etc/raddb/certs/random
}
- ttls {
+ peap {
default_eap_type = md5
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
- tnc_virtual_server = "inner-tunnel-second"
}
}
-
-eap eap_tnc {
- default_eap_type = tnc
- tnc {
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
index dd0825858..dd0825858 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..cb7743f82
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7ffdd1f4c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+}
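Review bot: The file header creates this swanctl.conf with mode 100755, although it is a plain configuration file whose `secrets` section holds carol's EAP password. The execute bit serves no purpose here; committing it as 100644 would match how the neighbouring strongswan.conf files are added. Where the test harness allows, it could also be installed readable only by the daemon's user. The same applies to the dave and moon swanctl.conf files of this test and to the rw-eap-sim-id-radius ones, which are also created with or changed to 100755.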
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..cb7743f82
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf
index 07b35dcb9..97c0b7057 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
home {
local_addrs = 192.168.0.200
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
auth = eap
- aaa_id = aaa.strongswan.org
id = dave@strongswan.org
+ aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
}
remote {
- auth = pubkey
- id = moon.strongswan.org
+ auth = pubkey
+ id = moon.strongswan.org
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-ecp256
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
- proposals = aes128-sha256-ecp256
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-dave {
id = dave@strongswan.org
- secret = "W7R0g3do"
+ secret = UgaM65Va
}
}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
index 1eb755354..1eb755354 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ad6d62896
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat b/testing/tests/swanctl/rw-eap-peap-radius/posttest.dat
index 0d96563c1..96b011090 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-peap-radius/posttest.dat
@@ -1,8 +1,7 @@
carol::systemctl stop strongswan-swanctl
dave::systemctl stop strongswan-swanctl
moon::systemctl stop strongswan-swanctl
-alice::killall radiusd
-alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat b/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat
new file mode 100644
index 000000000..ff5f6e164
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
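Review bot: The third line of this new pretest.dat repeats `carol::iptables-restore < /etc/iptables.rules`, and no line loads the rules on dave, although dave is started, initiates `home`, and has its iptables flushed in posttest.dat. The line should read `dave::iptables-restore < /etc/iptables.rules`. As written, dave runs the scenario with whatever firewall state the previous test left behind, so the intended packet filter is not exercised on that host.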
diff --git a/testing/tests/tnc/tnccs-11-radius-block/test.conf b/testing/tests/swanctl/rw-eap-peap-radius/test.conf
index 8d7f51449..0e5512b65 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/test.conf
+++ b/testing/tests/swanctl/rw-eap-peap-radius/test.conf
@@ -5,11 +5,11 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice carol winnetou dave moon"
# Corresponding block diagram
#
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/description.txt b/testing/tests/swanctl/rw-eap-sim-id-radius/description.txt
new file mode 100644
index 000000000..41abb363c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/description.txt
@@ -0,0 +1,13 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+which also uses static triplets. In addition to her IKEv2 identity
+<b>carol@strongswan.org</b>, roadwarrior <b>carol</b> uses the EAP
+identity <b>228060123456001</b>.
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat
new file mode 100644
index 000000000..038a2c1e1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2057b5193
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..1c281a974
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..783587b55
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm LOCAL {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..1dc666992
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,53 @@
+authorize {
+ files
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
+ eap {
+ ok = return
+ }
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..1c281a974
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
index c167ba940..c167ba940 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..11ae80c1e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..2576209ef
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ eap_id=228060123456001
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
index 3d99c0197..1eb755354 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
@@ -22,11 +22,11 @@
-A OUTPUT -p tcp --sport 22 -j ACCEPT
# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-# allow traffic tunnelled via IPsec
--A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
--A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
COMMIT
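Review bot: The new INPUT rule for RADIUS matches only on source address and source port (`--sport 1812 -s PH_IP_ALICE`), so any UDP datagram arriving on eth1 with that source pair is accepted regardless of the local destination port. If conntrack is available on the test guests, limiting the reply direction to tracked flows would be tighter: `-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -m conntrack --ctstate ESTABLISHED -j ACCEPT`. The rest of the ruleset lies outside this hunk, and the visible context lines use the same stateless style, so this may be a deliberate convention of the test suite.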
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fa363c345
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..682136230
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ eap_id = %any
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat
new file mode 100644
index 000000000..f32a56960
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat
new file mode 100644
index 000000000..5d875ee77
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat
@@ -0,0 +1,10 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+carol::cat /etc/ipsec.d/triplets.dat
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf
new file mode 100644
index 000000000..0d9e9f3d4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/description.txt b/testing/tests/swanctl/rw-eap-sim-only-radius/description.txt
new file mode 100644
index 000000000..26de3c982
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/description.txt
@@ -0,0 +1,15 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+At the outset the gateway does not send an AUTH payload thus signalling
+a mutual <b>EAP-only</b> authentication.
+<p/>
+Next the clients use the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate themselves.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+which also uses static triplets.
+<p/>
+The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
+the RADIUS server <b>alice</b> returns an <b>Access-Reject</b> message
+and the gateway <b>moon</b> sends back <b>EAP_FAILURE</b>.
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat
new file mode 100644
index 000000000..3d3359775
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat
@@ -0,0 +1,13 @@
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..71fa4f18c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..51b64a74b
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,72 @@
+authorize {
+ preprocess
+ chap
+ mschap
+ files
+ suffix
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
+ eap {
+ ok = return
+ }
+ unix
+ files
+ expiration
+ logintime
+ pap
+}
+
+authenticate {
+ Auth-Type PAP {
+ pap
+ }
+ Auth-Type CHAP {
+ chap
+ }
+ Auth-Type MS-CHAP {
+ mschap
+ }
+ unix
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
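Review bot: The `authorize` and `authenticate` sections enable `chap`, `mschap`, `pap` and `unix`, although both entries in the accompanying `users` file are provisioned with `EAP-Type := SIM` only, so this test server accepts more authentication methods than the scenario exercises. The 3.0 site file added for rw-eap-sim-radius reduces `authenticate` to `eap` alone; doing the same here (`authenticate { eap }`, and dropping `chap`, `mschap`, `unix` and `pap` from `authorize`) keeps the fixture minimal and rules out an unintended fallback to a password method. The same applies to the identical file added under rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default.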
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat
index 3e9a644eb..83906807f 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat
@@ -1,6 +1,3 @@
carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
-dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
-dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
-dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..a73f3003c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
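Review bot: This swanctl.conf is added as `new file mode 100755`, while the strongswan.conf added next to it is 100644; nothing in the file needs the executable bit. Committing it as 100644 avoids marking a plain configuration file executable. The same mode is used for the swanctl.conf files added for dave and moon in this test and for the ones under rw-eap-sim-radius and rw-eap-sim-rsa.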
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..a02a42c0d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+dave@strongswan.org,33000000000000000000000000000000,33112244,335566778899AABB
+dave@strongswan.org,34000000000000000000000000000000,34112244,345566778899AABB
+dave@strongswan.org,35000000000000000000000000000000,35112244,355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0b1ffc462
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
index 3d99c0197..1eb755354 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
@@ -22,11 +22,11 @@
-A OUTPUT -p tcp --sport 22 -j ACCEPT
# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-# allow traffic tunnelled via IPsec
--A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
--A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
COMMIT
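Review bot: The added INPUT rule accepts any UDP datagram from PH_IP_ALICE with source port 1812, whatever its destination port on moon, because it is stateless and matches only `--sport`. Restricting it to replies, for example `-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -m conntrack --ctstate ESTABLISHED -j ACCEPT`, would admit only answers to requests that moon sent. The winnetou rule in the context lines follows the same source-port pattern, so this may be a deliberate convention of the test rule sets; the rest of the file lies outside the hunk. The same rule pair is added in rw-eap-sim-radius/hosts/moon/etc/iptables.rules.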
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
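Review bot: The `eap-radius` block stores the RADIUS shared secret in clear text with nothing marking it as a fixture value; I would add `# test-only shared secret, must match the client entry for moon on alice` above the `secret` line so the file is not copied into a deployment as is (the matching FreeRADIUS client definition is not part of this diff section). The `load` line also enables `md5`, which carol and dave do not load; a comment such as `# md5 is required by eap-radius for the RADIUS authenticator` would explain why a weak hash is enabled on the gateway only. The identical file is added under rw-eap-sim-radius/hosts/moon/etc/strongswan.conf.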
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..09a2a5358
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
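Review bot: In the `local` section `auth = eap` is combined with `certs = moonCert.pem`, which looks like a leftover from the `auth = pubkey` variant added under rw-eap-sim-radius. In this scenario carol and dave configure `remote { auth = eap }`, so moon is expected to be authenticated through the EAP-SIM exchange rather than a signature. If the certificate is not used, dropping the `certs` line, or adding a comment such as `# not used for authentication in the EAP-only scenario`, makes clear that only the SIM triplets authenticate the gateway here. Whether charon ignores `certs` in this mode cannot be told from the hunk.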
diff --git a/testing/tests/tnc/tnccs-11-radius/posttest.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat
index 0d96563c1..96b011090 100644
--- a/testing/tests/tnc/tnccs-11-radius/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat
@@ -1,8 +1,7 @@
carol::systemctl stop strongswan-swanctl
dave::systemctl stop strongswan-swanctl
moon::systemctl stop strongswan-swanctl
-alice::killall radiusd
-alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat
new file mode 100644
index 000000000..66c829747
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat
@@ -0,0 +1,16 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+carol::cat /etc/ipsec.d/triplets.dat
+dave::cat /etc/ipsec.d/triplets.dat
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
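Review bot: The cleanup lines `carol::cd /etc/swanctl; rm rsa/* x509/*` and the matching dave line chain `cd` and `rm` with `;`, so if the `cd` fails the `rm` still runs with the relative globs in whatever directory the command started in. Writing them as `cd /etc/swanctl && rm rsa/* x509/*`, or with absolute paths `rm /etc/swanctl/rsa/* /etc/swanctl/x509/*`, ties the deletion to the intended directory. The same two lines appear in rw-eap-sim-radius/pretest.dat.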
diff --git a/testing/tests/tnc/tnccs-11-radius/test.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/test.conf
index 8d7f51449..93f23f1d6 100644
--- a/testing/tests/tnc/tnccs-11-radius/test.conf
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/test.conf
@@ -5,11 +5,11 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/description.txt b/testing/tests/swanctl/rw-eap-sim-radius/description.txt
new file mode 100644
index 000000000..5cb1bacdc
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/description.txt
@@ -0,0 +1,15 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next the clients use the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate themselves.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
+<p/>
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+which also uses static triplets.
+<p/>
+The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
+the RADIUS server <b>alice</b> returns an <b>Access-Reject</b> message
+and the gateway <b>moon</b> sends back <b>EAP_FAILURE</b>.
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat
new file mode 100644
index 000000000..476e4e1fc
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat
@@ -0,0 +1,13 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
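Review bot: The rejection of dave is asserted only through log lines and a failed ping, and the ping with `::NO` would also pass if it failed for an unrelated reason such as a firewall rule. An explicit negative check on the gateway, for example `moon:: swanctl --list-sas --raw 2> /dev/null::remote-id=dave@strongswan.org::NO`, would pin down that no IKE_SA exists for the peer whose triplets are wrong. This assumes a failed IKE_SA is no longer listed when the evaluation runs, which the hunk does not show.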
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..71fa4f18c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
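Review bot: The `listen` block hard-codes `ipaddr = 10.1.0.10`, while the other fixtures of this test refer to the RADIUS server through the `PH_IP_ALICE` placeholder (moon's strongswan.conf and iptables.rules). If the test harness substitutes placeholders in this file as well, `ipaddr = PH_IP_ALICE` would keep the address defined in one place; otherwise a comment such as `# alice's address on the internal network, bind here only` would record why the literal is used. Only a `type = auth` listener is defined, so the `preacct` and `accounting` sections further down appear to be unused in this scenario.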
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..51b64a74b
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,72 @@
+authorize {
+ preprocess
+ chap
+ mschap
+ files
+ suffix
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
+ eap {
+ ok = return
+ }
+ unix
+ files
+ expiration
+ logintime
+ pap
+}
+
+authenticate {
+ Auth-Type PAP {
+ pap
+ }
+ Auth-Type CHAP {
+ chap
+ }
+ Auth-Type MS-CHAP {
+ mschap
+ }
+ unix
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat
index 3e9a644eb..83906807f 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat
@@ -1,6 +1,3 @@
carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
-dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
-dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
-dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1433bb561
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..a02a42c0d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+dave@strongswan.org,33000000000000000000000000000000,33112244,335566778899AABB
+dave@strongswan.org,34000000000000000000000000000000,34112244,345566778899AABB
+dave@strongswan.org,35000000000000000000000000000000,35112244,355566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e573c9933
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
index 3d99c0197..1eb755354 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
@@ -22,11 +22,11 @@
-A OUTPUT -p tcp --sport 22 -j ACCEPT
# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-# allow traffic tunnelled via IPsec
--A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
--A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
COMMIT
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e11667564
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat b/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat
index ab96df0ed..96b011090 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat
@@ -1,9 +1,7 @@
carol::systemctl stop strongswan-swanctl
dave::systemctl stop strongswan-swanctl
moon::systemctl stop strongswan-swanctl
-alice::killall radiusd
-alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
-carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat b/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat
new file mode 100644
index 000000000..66c829747
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat
@@ -0,0 +1,16 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+carol::cat /etc/ipsec.d/triplets.dat
+dave::cat /etc/ipsec.d/triplets.dat
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-fhh/test.conf b/testing/tests/swanctl/rw-eap-sim-radius/test.conf
index f6db73912..93f23f1d6 100644
--- a/testing/tests/tnc/tnccs-20-fhh/test.conf
+++ b/testing/tests/swanctl/rw-eap-sim-radius/test.conf
@@ -5,11 +5,11 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
@@ -22,7 +22,7 @@ IPSECHOSTS="moon carol dave"
# Guest instances on which FreeRadius is started
#
-RADIUSHOSTS=
+RADIUSHOSTS="alice"
# charon controlled by swanctl
#
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/description.txt b/testing/tests/swanctl/rw-eap-sim-rsa/description.txt
new file mode 100644
index 000000000..4401e679f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/description.txt
@@ -0,0 +1,8 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
+method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
+instead of a physical SIM card.
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat
new file mode 100644
index 000000000..1e967896e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..83906807f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
+carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
+carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1433bb561
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..83906807f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
+carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
+carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bcd8ef0e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..6028df452
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-sim
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat
new file mode 100644
index 000000000..8cc1c4dc5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
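Review bot: On the `carol::cd /etc/swanctl; rm rsa/* x509/*` line the `rm` still runs when the `cd` fails, in whatever directory the runner's shell starts in. Use absolute paths instead, `carol::rm /etc/swanctl/rsa/* /etc/swanctl/x509/*`, or chain the two commands with `&&`, so the deletion stays inside the swanctl credential directories. The step appears to exist because carol's connection in this scenario uses `auth = eap` with no `certs` entry, so her RSA key and certificate are not needed.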
diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/test.conf b/testing/tests/swanctl/rw-eap-sim-rsa/test.conf
new file mode 100644
index 000000000..97b89cb61
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-rsa/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt b/testing/tests/swanctl/rw-eap-tls-only/description.txt
index e25da6935..b3e0450a4 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt
+++ b/testing/tests/swanctl/rw-eap-tls-only/description.txt
@@ -1,5 +1,4 @@
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
The strong mutual authentication of both peers is based on <b>EAP-TLS</b> only
(without a separate IKEv2 authentication), using TLS client and server certificates,
-respectively. Elliptic curve cryptography is used by both the IKE and TLS
-protocols.
+respectively.
diff --git a/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat
new file mode 100644
index 000000000..52dc51a62
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c25dc8398
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..cc3e77095
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-tls
+ certs = carolCert.pem
+ }
+ remote {
+ auth = eap-tls
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..c69b0d77b
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+} \ No newline at end of file
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..51150c77c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-tls
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-tls
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-only/posttest.dat b/testing/tests/swanctl/rw-eap-tls-only/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/swanctl/rw-eap-tls-only/pretest.dat
index 1578796a1..90445d430 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
+++ b/testing/tests/swanctl/rw-eap-tls-only/pretest.dat
@@ -1,7 +1,7 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
moon::expect-connection rw-eap
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-tls-only/test.conf b/testing/tests/swanctl/rw-eap-tls-only/test.conf
new file mode 100644
index 000000000..97b89cb61
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/description.txt b/testing/tests/swanctl/rw-eap-tls-radius/description.txt
new file mode 100644
index 000000000..d635ae33e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> uses a mutual <b>EAP-TLS</b> authentication based
+on X.509 certificates. The gateway forwards all EAP messages to the
+AAA RADIUS server <b>alice</b>.
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat
new file mode 100644
index 000000000..e3b7cf39a
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..e8670dbb7
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,16 @@
+eap {
+ default_eap_type = tls
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ tls {
+ tls = tls-common
+ }
+}
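Review bot: `cipher_list = "DEFAULT"` in `tls-common` leaves the EAP-TLS cipher suites to whatever the linked OpenSSL treats as default, and the block sets no minimum protocol version, so the handshake this scenario exercises can change with the guest image. The rw-eap-tls-radius evaltest.dat also has no check of the negotiated TLS version or suite, unlike the `negotiated TLS 1.2 using suite ...` line in rw-eap-tls-only. Consider pinning the version with `tls_min_version = "1.2"`, provided the FreeRADIUS 3.0 build in the image supports that option, and narrowing `cipher_list` to the suites the test is meant to cover.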
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..060702784
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,55 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
index 31556361e..92f96ad66 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
@@ -1,8 +1,8 @@
eap {
- md5 {
- }
- default_eap_type = ttls
+ default_eap_type = tls
tls {
+ certdir = /etc/raddb/certs
+ cadir = /etc/raddb/certs
private_key_file = /etc/raddb/certs/aaaKey.pem
certificate_file = /etc/raddb/certs/aaaCert.pem
CA_file = /etc/raddb/certs/strongswanCert.pem
@@ -10,16 +10,4 @@ eap {
dh_file = /etc/raddb/certs/dh
random_file = /etc/raddb/certs/random
}
- ttls {
- default_eap_type = md5
- use_tunneled_reply = yes
- virtual_server = "inner-tunnel"
- tnc_virtual_server = "inner-tunnel-second"
- }
-}
-
-eap eap_tnc {
- default_eap_type = tnc
- tnc {
- }
}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..18ebf9e9d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,41 @@
+authorize {
+ eap {
+ ok = return
+ }
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
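Review bot: This `users` entry gives carol a cleartext password, yet the scenario authenticates her with EAP-TLS client certificates, and the `authorize` section of the accompanying sites-available/default calls only `eap`, so the entry looks unused. The 3.0 variant of this file added in the same commit is empty; leaving this one empty too keeps a stray credential out of the fixture. `files` is listed only under `preacct` in that default site, which is worth confirming before the line is dropped.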
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..585019e47
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-tls updown
+
+ multiple_authentication = no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..58786ba87
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ certs = carolCert.pem
+ aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ }
+ remote {
+ auth = pubkey
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
index 3d99c0197..1eb755354 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
@@ -22,11 +22,11 @@
-A OUTPUT -p tcp --sport 22 -j ACCEPT
# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-# allow traffic tunnelled via IPsec
--A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
--A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
COMMIT
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
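Review bot: The RADIUS shared secret is written inline as `secret = gv6URkSs` in the `eap-radius` block, with nothing marking it as a fixture value or naming its counterpart. A comment above it, such as `# test-only RADIUS shared secret; must match the client entry for moon on alice`, would tell a reader that it is paired with a FreeRADIUS client definition that is not part of this hunk. It also signals that the value is sensitive to anyone reusing this layout outside the test environment.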
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ebe5ffab7
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-radius
+ id = "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat b/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat
new file mode 100644
index 000000000..f32a56960
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat b/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat
new file mode 100644
index 000000000..299fccfeb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/test.conf b/testing/tests/swanctl/rw-eap-tls-radius/test.conf
new file mode 100644
index 000000000..0d9e9f3d4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/test.conf
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/description.txt b/testing/tests/swanctl/rw-eap-ttls-only/description.txt
new file mode 100644
index 000000000..19c00531e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The strong mutual authentication is based on <b>EAP-TTLS</b> only (without a separate IKEv2
+authentication) with the gateway being authenticated by a server certificate during the
+EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b> (phase2 of EAP-TTLS).
+<p/>
+With the default setting <b>charon.plugins.eap-ttls.phase2_piggyback = no</b> the server
+<b>moon</b> passively waits for the clients to initiate phase2 of the EAP-TTLS protocol by
+sending a tunneled orphan EAP Identity response upon the reception of the server's TLS
+Finished message. Client <b>carol</b> presents the correct MD5 password and succeeds
+whereas client <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat b/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat
index 2285608b8..00282ab2b 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
+++ b/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat
@@ -10,10 +10,8 @@ dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed:
moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
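Review bot: After this change nothing asserts that dave ends up without an SA: the removed `ipsec status ... ::NO` lines are replaced only by positive `swanctl --list-sas` checks for carol, leaving the log match on `EAP method EAP_TTLS failed` as the sole evidence. Add negative checks such as `dave::swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED::NO` and `moon::swanctl --list-sas --raw 2> /dev/null::rw-eap.*remote-id=dave@strongswan.org::NO`. The moon check with `--ike-id 1` also assumes carol's IKE_SA is the first one created, which depends on the initiation order in pretest.dat (not visible here). The file's first nine lines are outside the hunk.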
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f39a874a4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf
index 0f266dd93..184aaa5d3 100644..100755
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
home {
local_addrs = 192.168.0.100
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
- auth = eap-ttls
+ auth = eap
id = carol@strongswan.org
}
remote {
auth = eap-ttls
- id = moon.strongswan.org
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
send_certreq = no
- proposals = aes128-sha256-modp3072
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-carol {
id = carol@strongswan.org
- secret = "Ar3etTnp"
+ secret = Ar3etTnp
}
}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..f39a874a4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf
index 989ab88c7..a77bd0079 100644..100755
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
home {
local_addrs = 192.168.0.200
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
- auth = eap-ttls
+ auth = eap
id = dave@strongswan.org
}
remote {
auth = eap-ttls
- id = moon.strongswan.org
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
send_certreq = no
- proposals = aes128-sha256-modp3072
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-dave {
id = dave@strongswan.org
- secret = "W7R0g3do"
+ secret = UgaM65Va
}
}
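Review bot: The new `secret = UgaM65Va` for `dave@strongswan.org` does not match the `W7R0g3do` that moon's swanctl.conf in this test stores for the same identity, and nothing in the file says whether that is intended. The description of the sibling rw-eap-ttls-radius test states that dave presents the wrong password and fails, so the mismatch is presumably deliberate here too (this test's own description is not in view). A comment above the line such as `# deliberately wrong password: dave's EAP-MD5 authentication must fail` would keep a later cleanup from "fixing" it. The same comment fits the `eap-dave` secret in rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf.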
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..860fbf3ac
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,21 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..5ee0c57a3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,37 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-ttls
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = W7R0g3do
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat b/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat
+++ b/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat b/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat
new file mode 100644
index 000000000..9ae476e64
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/test.conf b/testing/tests/swanctl/rw-eap-ttls-only/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/test.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-only/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/description.txt b/testing/tests/swanctl/rw-eap-ttls-radius/description.txt
new file mode 100644
index 000000000..479350c2f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
+<p/>
+Next <b>carol</b> and <b>dave</b> et up an <b>EAP-TTLS</b> tunnel each via
+gateway <b>moon</b> to the RADIUS server <b>alice</b> authenticated by an X.509
+AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b>. <b>carol</b> presents the correct MD5 password
+and succeeds whereas <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat
new file mode 100644
index 000000000..df4f0d550
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat
@@ -0,0 +1,17 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
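Review bot: The checks for dave stop at log messages, so nothing asserts that dave has no data path into 10.1.0.0/16 after the EAP failure; a regression that logs the failure but still installs a CHILD_SA would pass. A negative reachability check such as `dave::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO` (the form the removed tnccs-11-fhh evaltest used) would pin the expected outcome. A `::NO` tcpdump line on moon for ESP from dave would cover the wire side as well.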
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7450c71c4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,21 @@
+eap {
+ md5 {
+ }
+ default_eap_type = ttls
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ ttls {
+ tls = tls-common
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..6ce9d6391
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
@@ -0,0 +1,38 @@
+server inner-tunnel {
+
+authorize {
+ filter_username
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ update outer.session-state {
+ &Module-Failure-Message := &request:Module-Failure-Message
+ }
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol Cleartext-Password := "Ar3etTnp"
+dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
index 31556361e..c91cd40fb 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
@@ -14,12 +14,5 @@ eap {
default_eap_type = md5
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
- tnc_virtual_server = "inner-tunnel-second"
}
}
-
-eap eap_tnc {
- default_eap_type = tnc
- tnc {
- }
-}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
index dd0825858..dd0825858 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol Cleartext-Password := "Ar3etTnp"
+dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85d90ccc1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7ffdd1f4c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..85d90ccc1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf
index 5af2098b6..97c0b7057 100644..100755
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -2,34 +2,34 @@ connections {
home {
local_addrs = 192.168.0.200
- remote_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.1
local {
auth = eap
- aaa_id = aaa.strongswan.org
id = dave@strongswan.org
+ aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
}
remote {
- auth = pubkey
- id = moon.strongswan.org
+ auth = pubkey
+ id = moon.strongswan.org
}
children {
home {
- remote_ts = 10.1.0.0/16
+ remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
+ esp_proposals = aes128gcm128-x25519
}
}
version = 2
- proposals = aes128-sha256-modp3072
+ proposals = aes128-sha256-x25519
}
}
secrets {
- eap {
+ eap-dave {
id = dave@strongswan.org
- secret = "W7R0g3do"
+ secret = UgaM65Va
}
}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
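Review bot: The inbound reply rules match on source address and source port only. `-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT` admits any UDP datagram from alice with source port 1812 to any local port, and the CRL rule does the same for TCP source port 80 from winnetou. Tying them to connection state, e.g. `-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -m conntrack --ctstate ESTABLISHED -j ACCEPT`, limits the accept to replies to requests moon itself sent; whether the guest kernel provides conntrack is not visible here. Separately, the `# allow MobIKE` comment sits over the UDP 4500 rules, which also carry NAT-traversal IKE and UDP-encapsulated ESP, so `# allow NAT-T / MOBIKE (UDP 4500)` would describe them better.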
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ad6d62896
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat
new file mode 100644
index 000000000..96b011090
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat
@@ -0,0 +1,7 @@
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat
new file mode 100644
index 000000000..ff5f6e164
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
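Review bot: The third line repeats `carol::iptables-restore < /etc/iptables.rules`, so dave never loads its firewall rules even though posttest.dat flushes them on dave. The rw-eap-ttls-only pretest in this commit loads the rules on moon, carol and dave. The line should read `dave::iptables-restore < /etc/iptables.rules`. As it stands, dave (the host expected to fail authentication) runs without its rule set, so the negative case is exercised under different conditions from the positive one.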
diff --git a/testing/tests/tnc/tnccs-11-fhh/test.conf b/testing/tests/swanctl/rw-eap-ttls-radius/test.conf
index 61f2312af..0e5512b65 100644
--- a/testing/tests/tnc/tnccs-11-fhh/test.conf
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/test.conf
@@ -5,11 +5,11 @@
# All guest instances that are required for this test
#
-VIRTHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice carol winnetou dave moon"
# Corresponding block diagram
#
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
@@ -22,7 +22,8 @@ IPSECHOSTS="moon carol dave"
# Guest instances on which FreeRadius is started
#
-RADIUSHOSTS=
+RADIUSHOSTS="alice"
+
# charon controlled by swanctl
#
SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-11-fhh/description.txt b/testing/tests/tnc/tnccs-11-fhh/description.txt
deleted file mode 100644
index 8ce1157e9..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/description.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
-using EAP-TTLS authentication only with the gateway presenting a server certificate and
-the clients doing EAP-MD5 password-based authentication.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-The Dummy IMC and IMV from the
-<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
-<b>TNC@FHH</b></a> project are used which communicate over a proprietary protocol.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
-clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
-respectively.
-
diff --git a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
deleted file mode 100644
index 0b7655bdd..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides: charon
-# Required-Start: $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: strongSwan charon IKE daemon
-# Description: with swanctl the strongSwan charon daemon must be
-# running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
- # Return
- # 0 if daemon has been started
- # 1 if daemon was already running
- # 2 if daemon could not be started
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
- || return 1
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
- $DAEMON_ARGS \
- || return 2
- # Add code here, if necessary, that waits for the process to be ready
- # to handle requests from services started subsequently which depend
- # on this one. As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
- # Return
- # 0 if daemon has been stopped
- # 1 if daemon was already stopped
- # 2 if daemon could not be stopped
- # other if a failure occurred
- start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
- RETVAL="$?"
- [ "$RETVAL" = 2 ] && return 2
- # Wait for children to finish too if this is a daemon that forks
- # and if the daemon is only ever run from this initscript.
- # If the above conditions are not satisfied then add some other code
- # that waits for the process to drop all resources that could be
- # needed by services started subsequently. A last resort is to
- # sleep for some time.
- start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
- [ "$?" = 2 ] && return 2
- # Many daemons don't delete their pidfiles when they exit.
- rm -f $PIDFILE
- return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
- #
- # If the daemon can reload its configuration without
- # restarting (for example, when it is sent a SIGHUP),
- # then implement that here.
- #
- start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
- return 0
-}
-
-case "$1" in
- start)
- [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
- do_start
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- status)
- status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
- ;;
- #reload|force-reload)
- #
- # If do_reload() is not implemented then leave this commented out
- # and leave 'force-reload' as an alias for 'restart'.
- #
- #log_daemon_msg "Reloading $DESC" "$NAME"
- #do_reload
- #log_end_msg $?
- #;;
- restart|force-reload)
- #
- # If the "reload" option is implemented then remove the
- # 'force-reload' alias
- #
- log_daemon_msg "Restarting $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1)
- do_start
- case "$?" in
- 0) log_end_msg 0 ;;
- 1) log_end_msg 1 ;; # Old process is still running
- *) log_end_msg 1 ;; # Failed to start
- esac
- ;;
- *)
- # Failed to stop
- log_end_msg 1
- ;;
- esac
- ;;
- *)
- #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
- echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index b094a3aaa..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
-
- syslog {
- daemon {
- tnc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties
deleted file mode 100644
index b1c694107..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config
deleted file mode 100644
index d2fabe109..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
-#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides: charon
-# Required-Start: $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: strongSwan charon IKE daemon
-# Description: with swanctl the strongSwan charon daemon must be
-# running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
- # Return
- # 0 if daemon has been started
- # 1 if daemon was already running
- # 2 if daemon could not be started
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
- || return 1
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
- $DAEMON_ARGS \
- || return 2
- # Add code here, if necessary, that waits for the process to be ready
- # to handle requests from services started subsequently which depend
- # on this one. As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
- # Return
- # 0 if daemon has been stopped
- # 1 if daemon was already stopped
- # 2 if daemon could not be stopped
- # other if a failure occurred
- start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
- RETVAL="$?"
- [ "$RETVAL" = 2 ] && return 2
- # Wait for children to finish too if this is a daemon that forks
- # and if the daemon is only ever run from this initscript.
- # If the above conditions are not satisfied then add some other code
- # that waits for the process to drop all resources that could be
- # needed by services started subsequently. A last resort is to
- # sleep for some time.
- start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
- [ "$?" = 2 ] && return 2
- # Many daemons don't delete their pidfiles when they exit.
- rm -f $PIDFILE
- return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
- #
- # If the daemon can reload its configuration without
- # restarting (for example, when it is sent a SIGHUP),
- # then implement that here.
- #
- start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
- return 0
-}
-
-case "$1" in
- start)
- [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
- do_start
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- status)
- status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
- ;;
- #reload|force-reload)
- #
- # If do_reload() is not implemented then leave this commented out
- # and leave 'force-reload' as an alias for 'restart'.
- #
- #log_daemon_msg "Reloading $DESC" "$NAME"
- #do_reload
- #log_end_msg $?
- #;;
- restart|force-reload)
- #
- # If the "reload" option is implemented then remove the
- # 'force-reload' alias
- #
- log_daemon_msg "Restarting $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1)
- do_start
- case "$?" in
- 0) log_end_msg 0 ;;
- 1) log_end_msg 1 ;; # Old process is still running
- *) log_end_msg 1 ;; # Failed to start
- esac
- ;;
- *)
- # Failed to stop
- log_end_msg 1
- ;;
- esac
- ;;
- *)
- #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
- echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index b094a3aaa..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
-
- syslog {
- daemon {
- tnc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index c20b5e57f..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-isolate
\ No newline at end of file
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties
deleted file mode 100644
index b1c694107..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config
deleted file mode 100644
index d2fabe109..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
-#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides: charon
-# Required-Start: $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: strongSwan charon IKE daemon
-# Description: with swanctl the strongSwan charon daemon must be
-# running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
- # Return
- # 0 if daemon has been started
- # 1 if daemon was already running
- # 2 if daemon could not be started
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
- || return 1
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
- $DAEMON_ARGS \
- || return 2
- # Add code here, if necessary, that waits for the process to be ready
- # to handle requests from services started subsequently which depend
- # on this one. As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
- # Return
- # 0 if daemon has been stopped
- # 1 if daemon was already stopped
- # 2 if daemon could not be stopped
- # other if a failure occurred
- start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
- RETVAL="$?"
- [ "$RETVAL" = 2 ] && return 2
- # Wait for children to finish too if this is a daemon that forks
- # and if the daemon is only ever run from this initscript.
- # If the above conditions are not satisfied then add some other code
- # that waits for the process to drop all resources that could be
- # needed by services started subsequently. A last resort is to
- # sleep for some time.
- start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
- [ "$?" = 2 ] && return 2
- # Many daemons don't delete their pidfiles when they exit.
- rm -f $PIDFILE
- return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
- #
- # If the daemon can reload its configuration without
- # restarting (for example, when it is sent a SIGHUP),
- # then implement that here.
- #
- start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
- return 0
-}
-
-case "$1" in
- start)
- [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
- do_start
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- status)
- status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
- ;;
- #reload|force-reload)
- #
- # If do_reload() is not implemented then leave this commented out
- # and leave 'force-reload' as an alias for 'restart'.
- #
- #log_daemon_msg "Reloading $DESC" "$NAME"
- #do_reload
- #log_end_msg $?
- #;;
- restart|force-reload)
- #
- # If the "reload" option is implemented then remove the
- # 'force-reload' alias
- #
- log_daemon_msg "Restarting $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1)
- do_start
- case "$?" in
- 0) log_end_msg 0 ;;
- 1) log_end_msg 1 ;; # Old process is still running
- *) log_end_msg 1 ;; # Failed to start
- esac
- ;;
- *)
- # Failed to stop
- log_end_msg 1
- ;;
- esac
- ;;
- *)
- #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
- echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index aacee2221..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
-
- multiple_authentication = no
-
- syslog {
- daemon {
- tnc = 3
- }
- }
- plugins {
- eap-ttls {
- phase2_method = md5
- phase2_piggyback = yes
- phase2_tnc = yes
- phase2_tnc_method = tnc
- }
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100644
index 1238c1a91..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,64 +0,0 @@
-connections {
-
- rw-allow {
- local_addrs = 192.168.0.1
-
- local {
- auth = eap-ttls
- id = moon.strongswan.org
- }
- remote {
- auth = eap-ttls
- id = *@strongswan.org
- groups = allow
- }
- children {
- rw-allow {
- local_ts = 10.1.0.0/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-
- rw-isolate {
- local_addrs = 192.168.0.1
-
- local {
- auth = eap-ttls
- id = moon.strongswan.org
- }
- remote {
- auth = eap-ttls
- id = *@strongswan.org
- groups = isolate
- }
- children {
- rw-isolate {
- local_ts = 10.1.0.16/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-}
-
-secrets {
-
- eap-carol {
- id = carol@strongswan.org
- secret = "Ar3etTnp"
- }
- eap-dave {
- id = dave@strongswan.org
- secret = "W7R0g3do"
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy
deleted file mode 100644
index d00491fd7..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
deleted file mode 100644
index d8215dd3c..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
+++ /dev/null
@@ -1,40 +0,0 @@
-#FTP - File Transfer Protocol
-TCP 20 = whatever
-TCP 21 = close
-
-#SSH - Secure Shell
-TCP 22 = whatever
-
-#Telnet
-TCP 23 = close
-
-#E-Mail
-#
-#SMTP - Simple Mail Transfer Protocol
-TCP 25 = close
-TCP 587 = close
-#POP3 - Post Office Protocol version 3
-TCP 110 = close
-TCP 995 = close
-
-#DNS - Domain Name System
-UDP 53 = close
-TCP 53 = close
-
-#BOOTP/DHCP - Bootstrap Protocol /
-#Dynamic Host Configuration Protocol
-UDP 67 = close
-#UDP 68 = open
-UDP 68 = whatever
-
-#www - World Wide Web
-#HTTP - Hypertext Transfer Protocol
-TCP 80 = close
-#HTTPS - Hypertext Transfer Protocol Secure
-TCP 443 = close
-
-#examples
-TCP 8080 = close
-TCP 5223 = whatever
-UDP 4444 = close
-UDP 631 = whatever
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties
deleted file mode 100644
index 122d798b3..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMV] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMV] %m%n
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config
deleted file mode 100644
index 140caa98f..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan server
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so
-#IMV "HostScanner" /usr/local/lib/libhostscannerimv.so
diff --git a/testing/tests/tnc/tnccs-11-radius-block/description.txt b/testing/tests/tnc/tnccs-11-radius-block/description.txt
deleted file mode 100644
index 67b1a2a34..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/description.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the clients by sending an IKEv2
-<b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the
-<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
-<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-The IMC and IMV communicate are using the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements <b>carol</b>
-is authenticated successfully and is granted access to the subnet behind <b>moon</b> whereas
-<b>dave</b> fails the layered EAP authentication and is rejected.
diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
deleted file mode 100644
index b2fc61949..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
-dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home::NO
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
deleted file mode 100644
index c5bde6a9e..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
- eap_tnc {
- ok = return
- }
-}
-
-authenticate {
- eap_tnc
-}
-
-session {
- radutmp
-}
-
-post-auth {
- if (control:TNC-Status == "Access") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "allow"
- }
- }
- elsif (control:TNC-Status == "Isolate") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "isolate"
- }
- }
-
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 7622801ab..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
- load = random nonce sha1 sha2 md5 gmp pubkey x509
- debug_level = 3
- assessment_result = no
- plugins {
- imv-test {
- rounds = 1
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties
deleted file mode 100644
index 2bdc6e4de..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config
deleted file mode 100644
index da732f68b..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan client
-
-IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
-IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 305a9d1e6..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
-
- syslog {
- daemon {
- tnc = 3
- imc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
-
-libimcv {
- plugins {
- imc-test {
- command = allow
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config
deleted file mode 100644
index 6166552f5..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 5d17eb638..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
-
- syslog {
- daemon {
- tnc = 3
- imc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
-
-libimcv {
- plugins {
- imc-test {
- command = none
- }
- imc-scanner {
- push_info = no
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config
deleted file mode 100644
index 6166552f5..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4c9dd6e1f..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
-
- multiple_authentication=no
-
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = 10.1.0.10
- filter_id = yes
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
deleted file mode 100644
index efddc609e..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
+++ /dev/null
@@ -1,21 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
-moon::systemctl start strongswan-swanctl
-carol::systemctl start strongswan-swanctl
-dave::systemctl start strongswan-swanctl
-moon::expect-connection rw
-carol::expect-connection home
-carol::swanctl --initiate --child home
-dave::expect-connection home
-dave::swanctl --initiate --child home
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/description.txt b/testing/tests/tnc/tnccs-11-radius-pts/description.txt
deleted file mode 100644
index d5729dd7b..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/description.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the clients by sending an IKEv2
-<b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the
-<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
-<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-The communication between the OS and Attestation IMC and the Attestation IMV is based on the
- <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
-are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
deleted file mode 100644
index 588ddf469..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
deleted file mode 100644
index c5bde6a9e..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
- eap_tnc {
- ok = return
- }
-}
-
-authenticate {
- eap_tnc
-}
-
-session {
- radutmp
-}
-
-post-auth {
- if (control:TNC-Status == "Access") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "allow"
- }
- }
- elsif (control:TNC-Status == "Isolate") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "isolate"
- }
- }
-
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql
deleted file mode 100644
index d87b5e7f9..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql
+++ /dev/null
@@ -1,29 +0,0 @@
-/* Devices */
-
-INSERT INTO devices ( /* 1 */
- value, product, created
-)
-SELECT 'aabbccddeeff11223344556677889900', id, 1372330615
-FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64';
-
-/* Groups Members */
-
-INSERT INTO groups_members (
- group_id, device_id
-) VALUES (
- 10, 1
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age, rec_fail, rec_noresult
-) VALUES (
- 3, 10, 0, 2, 2
-);
-
-INSERT INTO enforcements (
- policy, group_id, max_age
-) VALUES (
- 16, 2, 0
-);
-
-DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index a3f4ca12c..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
- load = random nonce openssl pubkey sqlite
- debug_level = 3
- database = sqlite:///etc/db.d/config.db
- policy_script = /usr/local/libexec/ipsec/imv_policy_manager
- assessment_result = no
-}
-
-attest {
- database = sqlite:///etc/db.d/config.db
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties
deleted file mode 100644
index 2bdc6e4de..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config
deleted file mode 100644
index b5ac8c178..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan client
-
-IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
-IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index a534ac66e..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
-
- syslog {
- daemon {
- tnc = 3
- imc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config
deleted file mode 100644
index 15dc93a0a..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
-IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 469e81156..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
- retransmit_tries = 5
-
- syslog {
- daemon {
- tnc = 3
- imc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config
deleted file mode 100644
index 15dc93a0a..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
-IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index cbaf67c89..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce openssl pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-radius updown
-
- multiple_authentication=no
-
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = 10.1.0.10
- filter_id = yes
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100644
index 096eb7b5a..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,53 +0,0 @@
-connections {
-
- rw-allow {
- local_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- id = moon.strongswan.org
- certs = moonCert.pem
- }
- remote {
- auth = eap-radius
- id = *@strongswan.org
- groups = allow
- }
- children {
- rw-allow {
- local_ts = 10.1.0.0/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-ecp256
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-ecp256
- }
-
- rw-isolate {
- local_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- id = moon.strongswan.org
- }
- remote {
- auth = eap-radius
- id = *@strongswan.org
- groups = isolate
- }
- children {
- rw-isolate {
- local_ts = 10.1.0.16/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-ecp256
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-ecp256
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
deleted file mode 100644
index 7d0dfa385..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
+++ /dev/null
@@ -1,28 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-carol::echo 0 > /proc/sys/net/ipv4/ip_forward
-dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
-alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql
-alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
-alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
-moon::systemctl start strongswan-swanctl
-carol::systemctl start strongswan-swanctl
-dave::systemctl start strongswan-swanctl
-moon::expect-connection rw-allow
-moon::expect-connection rw-isolate
-carol::expect-connection home
-carol::swanctl --initiate --child home
-dave::expect-connection home
-dave::swanctl --initiate --child home
-alice::ipsec attest --sessions
-alice::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-11-radius/description.txt b/testing/tests/tnc/tnccs-11-radius/description.txt
deleted file mode 100644
index 4017c6eda..000000000
--- a/testing/tests/tnc/tnccs-11-radius/description.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the clients by sending an IKEv2
-<b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the
-<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
-<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-The communication between IMCs and IMVs is based on the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
-are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
deleted file mode 100644
index cbafc1303..000000000
--- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf
deleted file mode 100644
index 31556361e..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-eap {
- md5 {
- }
- default_eap_type = ttls
- tls {
- private_key_file = /etc/raddb/certs/aaaKey.pem
- certificate_file = /etc/raddb/certs/aaaCert.pem
- CA_file = /etc/raddb/certs/strongswanCert.pem
- cipher_list = "DEFAULT"
- dh_file = /etc/raddb/certs/dh
- random_file = /etc/raddb/certs/random
- }
- ttls {
- default_eap_type = md5
- use_tunneled_reply = yes
- virtual_server = "inner-tunnel"
- tnc_virtual_server = "inner-tunnel-second"
- }
-}
-
-eap eap_tnc {
- default_eap_type = tnc
- tnc {
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
deleted file mode 100644
index e088fae14..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
+++ /dev/null
@@ -1,32 +0,0 @@
-server inner-tunnel {
-
-authorize {
- suffix
- eap {
- ok = return
- }
- files
-}
-
-authenticate {
- eap
-}
-
-session {
- radutmp
-}
-
-post-auth {
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-pre-proxy {
-}
-
-post-proxy {
- eap
-}
-
-} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
deleted file mode 100644
index c5bde6a9e..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
- eap_tnc {
- ok = return
- }
-}
-
-authenticate {
- eap_tnc
-}
-
-session {
- radutmp
-}
-
-post-auth {
- if (control:TNC-Status == "Access") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "allow"
- }
- }
- elsif (control:TNC-Status == "Isolate") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "isolate"
- }
- }
-
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 7622801ab..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
- load = random nonce sha1 sha2 md5 gmp pubkey x509
- debug_level = 3
- assessment_result = no
- plugins {
- imv-test {
- rounds = 1
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties
deleted file mode 100644
index 2bdc6e4de..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config
deleted file mode 100644
index da732f68b..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan client
-
-IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
-IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 1ca6c3d10..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
-
- syslog {
- daemon {
- tnc = 3
- imc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
-
-libimcv {
- plugins {
- imc-test {
- command = allow
- }
- }
-}
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config
deleted file mode 100644
index 6166552f5..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 9df983c80..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
-
- syslog {
- daemon {
- tnc = 3
- imc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
-
-libimcv {
- plugins {
- imc-test {
- command = isolate
- }
- imc-scanner {
- push_info = no
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config
deleted file mode 100644
index 6166552f5..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4c9dd6e1f..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
-
- multiple_authentication=no
-
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = 10.1.0.10
- filter_id = yes
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100644
index 3caad0c66..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,53 +0,0 @@
-connections {
-
- rw-allow {
- local_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- id = moon.strongswan.org
- certs = moonCert.pem
- }
- remote {
- auth = eap-radius
- id = *@strongswan.org
- groups = allow
- }
- children {
- rw-allow {
- local_ts = 10.1.0.0/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-
- rw-isolate {
- local_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- id = moon.strongswan.org
- }
- remote {
- auth = eap-radius
- id = *@strongswan.org
- groups = isolate
- }
- children {
- rw-isolate {
- local_ts = 10.1.0.16/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat
deleted file mode 100644
index bb2ce93b3..000000000
--- a/testing/tests/tnc/tnccs-11-radius/pretest.dat
+++ /dev/null
@@ -1,22 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
-moon::systemctl start strongswan-swanctl
-carol::systemctl start strongswan-swanctl
-dave::systemctl start strongswan-swanctl
-moon::expect-connection rw-allow
-moon::expect-connection rw-isolate
-carol::expect-connection home
-carol::swanctl --initiate --child home
-dave::expect-connection home
-dave::swanctl --initiate --child home
diff --git a/testing/tests/tnc/tnccs-11-supplicant/description.txt b/testing/tests/tnc/tnccs-11-supplicant/description.txt
deleted file mode 100644
index 5d0155382..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The layer 2 supplicants <b>carol</b> and <b>dave</b> want to connect to a network
-via switch <b>moon</b> which delegates the IEEE 802.1X authentication to the RADIUS
-server <b>alice</b>. <b>carol</b> and <b>dave</b> set up an <b>EAP-TTLS</b> tunnel
-each via <b>moon</b> to the <a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup"> <b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated
-by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-The communication between IMCs and IMVs is based on the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
-are connected by switch <b>moon</b> to the "allow" and "isolate" VLANs, respectively.
diff --git a/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat b/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat
deleted file mode 100644
index 2d43b3c7b..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-carol::cat /var/log/daemon.log::IMC.*changed state.*Allowed::YES
-dave:: cat /var/log/daemon.log::IMC.*changed state.*Isolate::YES
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel
deleted file mode 100644
index e088fae14..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel
+++ /dev/null
@@ -1,32 +0,0 @@
-server inner-tunnel {
-
-authorize {
- suffix
- eap {
- ok = return
- }
- files
-}
-
-authenticate {
- eap
-}
-
-session {
- radutmp
-}
-
-post-auth {
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-pre-proxy {
-}
-
-post-proxy {
- eap
-}
-
-} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
deleted file mode 100644
index c5bde6a9e..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
- eap_tnc {
- ok = return
- }
-}
-
-authenticate {
- eap_tnc
-}
-
-session {
- radutmp
-}
-
-post-auth {
- if (control:TNC-Status == "Access") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "allow"
- }
- }
- elsif (control:TNC-Status == "Isolate") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "isolate"
- }
- }
-
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 7622801ab..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
- load = random nonce sha1 sha2 md5 gmp pubkey x509
- debug_level = 3
- assessment_result = no
- plugins {
- imv-test {
- rounds = 1
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties
deleted file mode 100644
index 2bdc6e4de..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config
deleted file mode 100644
index da732f68b..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan client
-
-IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
-IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 965752b5e..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
- load = random nonce sha1 sha2 md5 gmp pubkey x509
- debug_level = 3
- plugins {
- imc-test {
- command = allow
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf
deleted file mode 100644
index 00ef0f516..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1 +0,0 @@
-# The strongSwan IMCs are loaded by the WPA supplicant
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config
deleted file mode 100644
index b4288fd53..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf
deleted file mode 100644
index 92d84f570..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf
+++ /dev/null
@@ -1,10 +0,0 @@
- network={
- ssid="eap_ttls"
- scan_ssid=0
- key_mgmt=IEEE8021X
- eap=TTLS
- identity="carol"
- password="Ar3etTnp"
- ca_cert="/etc/ipsec.d/cacerts/strongswanCert.pem"
- id_str=""
- }
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index ca1f7d9a5..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
- load = random nonce sha1 sha2 md5 gmp pubkey x509
- debug_level = 3
- plugins {
- imc-test {
- command = isolate
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf
deleted file mode 100644
index 00ef0f516..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1 +0,0 @@
-# The strongSwan IMCs are loaded by the WPA supplicant
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config
deleted file mode 100644
index b4288fd53..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf
deleted file mode 100644
index 37a343df6..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf
+++ /dev/null
@@ -1,10 +0,0 @@
- network={
- ssid="eap_ttls"
- scan_ssid=0
- key_mgmt=IEEE8021X
- eap=TTLS
- identity="dave"
- password="W7R0g3do"
- ca_cert="/etc/ipsec.d/cacerts/strongswanCert.pem"
- id_str=""
- }
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf
deleted file mode 100644
index c84fcbd91..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf
+++ /dev/null
@@ -1,1127 +0,0 @@
-##### hostapd configuration file ##############################################
-# Empty lines and lines starting with # are ignored
-
-# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for
-# management frames); ath0 for madwifi
-interface=eth0
-
-# In case of madwifi, atheros, and nl80211 driver interfaces, an additional
-# configuration parameter, bridge, may be used to notify hostapd if the
-# interface is included in a bridge. This parameter is not used with Host AP
-# driver. If the bridge parameter is not set, the drivers will automatically
-# figure out the bridge interface (assuming sysfs is enabled and mounted to
-# /sys) and this parameter may not be needed.
-#
-# For nl80211, this parameter can be used to request the AP interface to be
-# added to the bridge automatically (brctl may refuse to do this before hostapd
-# has been started to change the interface mode). If needed, the bridge
-# interface is also created.
-#bridge=br0
-
-# Driver interface type (hostap/wired/madwifi/test/none/nl80211/bsd);
-# default: hostap). nl80211 is used with all Linux mac80211 drivers.
-# Use driver=none if building hostapd as a standalone RADIUS server that does
-# not control any wireless/wired driver.
-driver=wired
-
-# hostapd event logger configuration
-#
-# Two output method: syslog and stdout (only usable if not forking to
-# background).
-#
-# Module bitfield (ORed bitfield of modules that will be logged; -1 = all
-# modules):
-# bit 0 (1) = IEEE 802.11
-# bit 1 (2) = IEEE 802.1X
-# bit 2 (4) = RADIUS
-# bit 3 (8) = WPA
-# bit 4 (16) = driver interface
-# bit 5 (32) = IAPP
-# bit 6 (64) = MLME
-#
-# Levels (minimum value for logged events):
-# 0 = verbose debugging
-# 1 = debugging
-# 2 = informational messages
-# 3 = notification
-# 4 = warning
-#
-logger_syslog=-1
-logger_syslog_level=2
-logger_stdout=-1
-logger_stdout_level=0
-
-# Dump file for state information (on SIGUSR1)
-dump_file=/tmp/hostapd.dump
-
-# Interface for separate control program. If this is specified, hostapd
-# will create this directory and a UNIX domain socket for listening to requests
-# from external programs (CLI/GUI, etc.) for status information and
-# configuration. The socket file will be named based on the interface name, so
-# multiple hostapd processes/interfaces can be run at the same time if more
-# than one interface is used.
-# /var/run/hostapd is the recommended directory for sockets and by default,
-# hostapd_cli will use it when trying to connect with hostapd.
-ctrl_interface=/var/run/hostapd
-
-# Access control for the control interface can be configured by setting the
-# directory to allow only members of a group to use sockets. This way, it is
-# possible to run hostapd as root (since it needs to change network
-# configuration and open raw sockets) and still allow GUI/CLI components to be
-# run as non-root users. However, since the control interface can be used to
-# change the network configuration, this access needs to be protected in many
-# cases. By default, hostapd is configured to use gid 0 (root). If you
-# want to allow non-root users to use the contron interface, add a new group
-# and change this value to match with that group. Add users that should have
-# control interface access to this group.
-#
-# This variable can be a group name or gid.
-#ctrl_interface_group=wheel
-ctrl_interface_group=0
-
-
-##### IEEE 802.11 related configuration #######################################
-
-# SSID to be used in IEEE 802.11 management frames
-#ssid=test
-
-# Country code (ISO/IEC 3166-1). Used to set regulatory domain.
-# Set as needed to indicate country in which device is operating.
-# This can limit available channels and transmit power.
-#country_code=US
-
-# Enable IEEE 802.11d. This advertises the country_code and the set of allowed
-# channels and transmit power levels based on the regulatory limits. The
-# country_code setting must be configured with the correct country for
-# IEEE 802.11d functions.
-# (default: 0 = disabled)
-#ieee80211d=1
-
-# Operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g,
-# Default: IEEE 802.11b
-hw_mode=g
-
-# Channel number (IEEE 802.11)
-# (default: 0, i.e., not set)
-# Please note that some drivers do not use this value from hostapd and the
-# channel will need to be configured separately with iwconfig.
-channel=1
-
-# Beacon interval in kus (1.024 ms) (default: 100; range 15..65535)
-beacon_int=100
-
-# DTIM (delivery traffic information message) period (range 1..255):
-# number of beacons between DTIMs (1 = every beacon includes DTIM element)
-# (default: 2)
-dtim_period=2
-
-# Maximum number of stations allowed in station table. New stations will be
-# rejected after the station table is full. IEEE 802.11 has a limit of 2007
-# different association IDs, so this number should not be larger than that.
-# (default: 2007)
-max_num_sta=255
-
-# RTS/CTS threshold; 2347 = disabled (default); range 0..2347
-# If this field is not included in hostapd.conf, hostapd will not control
-# RTS threshold and 'iwconfig wlan# rts <val>' can be used to set it.
-rts_threshold=2347
-
-# Fragmentation threshold; 2346 = disabled (default); range 256..2346
-# If this field is not included in hostapd.conf, hostapd will not control
-# fragmentation threshold and 'iwconfig wlan# frag <val>' can be used to set
-# it.
-fragm_threshold=2346
-
-# Rate configuration
-# Default is to enable all rates supported by the hardware. This configuration
-# item allows this list be filtered so that only the listed rates will be left
-# in the list. If the list is empty, all rates are used. This list can have
-# entries that are not in the list of rates the hardware supports (such entries
-# are ignored). The entries in this list are in 100 kbps, i.e., 11 Mbps = 110.
-# If this item is present, at least one rate have to be matching with the rates
-# hardware supports.
-# default: use the most common supported rate setting for the selected
-# hw_mode (i.e., this line can be removed from configuration file in most
-# cases)
-#supported_rates=10 20 55 110 60 90 120 180 240 360 480 540
-
-# Basic rate set configuration
-# List of rates (in 100 kbps) that are included in the basic rate set.
-# If this item is not included, usually reasonable default set is used.
-#basic_rates=10 20
-#basic_rates=10 20 55 110
-#basic_rates=60 120 240
-
-# Short Preamble
-# This parameter can be used to enable optional use of short preamble for
-# frames sent at 2 Mbps, 5.5 Mbps, and 11 Mbps to improve network performance.
-# This applies only to IEEE 802.11b-compatible networks and this should only be
-# enabled if the local hardware supports use of short preamble. If any of the
-# associated STAs do not support short preamble, use of short preamble will be
-# disabled (and enabled when such STAs disassociate) dynamically.
-# 0 = do not allow use of short preamble (default)
-# 1 = allow use of short preamble
-#preamble=1
-
-# Station MAC address -based authentication
-# Please note that this kind of access control requires a driver that uses
-# hostapd to take care of management frame processing and as such, this can be
-# used with driver=hostap or driver=nl80211, but not with driver=madwifi.
-# 0 = accept unless in deny list
-# 1 = deny unless in accept list
-# 2 = use external RADIUS server (accept/deny lists are searched first)
-macaddr_acl=0
-
-# Accept/deny lists are read from separate files (containing list of
-# MAC addresses, one per line). Use absolute path name to make sure that the
-# files can be read on SIGHUP configuration reloads.
-#accept_mac_file=/etc/hostapd.accept
-#deny_mac_file=/etc/hostapd.deny
-
-# IEEE 802.11 specifies two authentication algorithms. hostapd can be
-# configured to allow both of these or only one. Open system authentication
-# should be used with IEEE 802.1X.
-# Bit fields of allowed authentication algorithms:
-# bit 0 = Open System Authentication
-# bit 1 = Shared Key Authentication (requires WEP)
-auth_algs=3
-
-# Send empty SSID in beacons and ignore probe request frames that do not
-# specify full SSID, i.e., require stations to know SSID.
-# default: disabled (0)
-# 1 = send empty (length=0) SSID in beacon and ignore probe request for
-# broadcast SSID
-# 2 = clear SSID (ASCII 0), but keep the original length (this may be required
-# with some clients that do not support empty SSID) and ignore probe
-# requests for broadcast SSID
-ignore_broadcast_ssid=0
-
-# TX queue parameters (EDCF / bursting)
-# tx_queue_<queue name>_<param>
-# queues: data0, data1, data2, data3, after_beacon, beacon
-# (data0 is the highest priority queue)
-# parameters:
-# aifs: AIFS (default 2)
-# cwmin: cwMin (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023)
-# cwmax: cwMax (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023); cwMax >= cwMin
-# burst: maximum length (in milliseconds with precision of up to 0.1 ms) for
-# bursting
-#
-# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e):
-# These parameters are used by the access point when transmitting frames
-# to the clients.
-#
-# Low priority / AC_BK = background
-#tx_queue_data3_aifs=7
-#tx_queue_data3_cwmin=15
-#tx_queue_data3_cwmax=1023
-#tx_queue_data3_burst=0
-# Note: for IEEE 802.11b mode: cWmin=31 cWmax=1023 burst=0
-#
-# Normal priority / AC_BE = best effort
-#tx_queue_data2_aifs=3
-#tx_queue_data2_cwmin=15
-#tx_queue_data2_cwmax=63
-#tx_queue_data2_burst=0
-# Note: for IEEE 802.11b mode: cWmin=31 cWmax=127 burst=0
-#
-# High priority / AC_VI = video
-#tx_queue_data1_aifs=1
-#tx_queue_data1_cwmin=7
-#tx_queue_data1_cwmax=15
-#tx_queue_data1_burst=3.0
-# Note: for IEEE 802.11b mode: cWmin=15 cWmax=31 burst=6.0
-#
-# Highest priority / AC_VO = voice
-#tx_queue_data0_aifs=1
-#tx_queue_data0_cwmin=3
-#tx_queue_data0_cwmax=7
-#tx_queue_data0_burst=1.5
-# Note: for IEEE 802.11b mode: cWmin=7 cWmax=15 burst=3.3
-
-# 802.1D Tag (= UP) to AC mappings
-# WMM specifies following mapping of data frames to different ACs. This mapping
-# can be configured using Linux QoS/tc and sch_pktpri.o module.
-# 802.1D Tag 802.1D Designation Access Category WMM Designation
-# 1 BK AC_BK Background
-# 2 - AC_BK Background
-# 0 BE AC_BE Best Effort
-# 3 EE AC_BE Best Effort
-# 4 CL AC_VI Video
-# 5 VI AC_VI Video
-# 6 VO AC_VO Voice
-# 7 NC AC_VO Voice
-# Data frames with no priority information: AC_BE
-# Management frames: AC_VO
-# PS-Poll frames: AC_BE
-
-# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e):
-# for 802.11a or 802.11g networks
-# These parameters are sent to WMM clients when they associate.
-# The parameters will be used by WMM clients for frames transmitted to the
-# access point.
-#
-# note - txop_limit is in units of 32microseconds
-# note - acm is admission control mandatory flag. 0 = admission control not
-# required, 1 = mandatory
-# note - here cwMin and cmMax are in exponent form. the actual cw value used
-# will be (2^n)-1 where n is the value given here
-#
-wmm_enabled=1
-#
-# WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD]
-# Enable this flag if U-APSD supported outside hostapd (eg., Firmware/driver)
-#uapsd_advertisement_enabled=1
-#
-# Low priority / AC_BK = background
-wmm_ac_bk_cwmin=4
-wmm_ac_bk_cwmax=10
-wmm_ac_bk_aifs=7
-wmm_ac_bk_txop_limit=0
-wmm_ac_bk_acm=0
-# Note: for IEEE 802.11b mode: cWmin=5 cWmax=10
-#
-# Normal priority / AC_BE = best effort
-wmm_ac_be_aifs=3
-wmm_ac_be_cwmin=4
-wmm_ac_be_cwmax=10
-wmm_ac_be_txop_limit=0
-wmm_ac_be_acm=0
-# Note: for IEEE 802.11b mode: cWmin=5 cWmax=7
-#
-# High priority / AC_VI = video
-wmm_ac_vi_aifs=2
-wmm_ac_vi_cwmin=3
-wmm_ac_vi_cwmax=4
-wmm_ac_vi_txop_limit=94
-wmm_ac_vi_acm=0
-# Note: for IEEE 802.11b mode: cWmin=4 cWmax=5 txop_limit=188
-#
-# Highest priority / AC_VO = voice
-wmm_ac_vo_aifs=2
-wmm_ac_vo_cwmin=2
-wmm_ac_vo_cwmax=3
-wmm_ac_vo_txop_limit=47
-wmm_ac_vo_acm=0
-# Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102
-
-# Static WEP key configuration
-#
-# The key number to use when transmitting.
-# It must be between 0 and 3, and the corresponding key must be set.
-# default: not set
-#wep_default_key=0
-# The WEP keys to use.
-# A key may be a quoted string or unquoted hexadecimal digits.
-# The key length should be 5, 13, or 16 characters, or 10, 26, or 32
-# digits, depending on whether 40-bit (64-bit), 104-bit (128-bit), or
-# 128-bit (152-bit) WEP is used.
-# Only the default key must be supplied; the others are optional.
-# default: not set
-#wep_key0=123456789a
-#wep_key1="vwxyz"
-#wep_key2=0102030405060708090a0b0c0d
-#wep_key3=".2.4.6.8.0.23"
-
-# Station inactivity limit
-#
-# If a station does not send anything in ap_max_inactivity seconds, an
-# empty data frame is sent to it in order to verify whether it is
-# still in range. If this frame is not ACKed, the station will be
-# disassociated and then deauthenticated. This feature is used to
-# clear station table of old entries when the STAs move out of the
-# range.
-#
-# The station can associate again with the AP if it is still in range;
-# this inactivity poll is just used as a nicer way of verifying
-# inactivity; i.e., client will not report broken connection because
-# disassociation frame is not sent immediately without first polling
-# the STA with a data frame.
-# default: 300 (i.e., 5 minutes)
-ap_max_inactivity=30
-
-# Disassociate stations based on excessive transmission failures or other
-# indications of connection loss. This depends on the driver capabilities and
-# may not be available with all drivers.
-#disassoc_low_ack=1
-
-# Maximum allowed Listen Interval (how many Beacon periods STAs are allowed to
-# remain asleep). Default: 65535 (no limit apart from field size)
-#max_listen_interval=100
-
-# WDS (4-address frame) mode with per-station virtual interfaces
-# (only supported with driver=nl80211)
-# This mode allows associated stations to use 4-address frames to allow layer 2
-# bridging to be used.
-#wds_sta=1
-
-# If bridge parameter is set, the WDS STA interface will be added to the same
-# bridge by default. This can be overridden with the wds_bridge parameter to
-# use a separate bridge.
-#wds_bridge=wds-br0
-
-# Client isolation can be used to prevent low-level bridging of frames between
-# associated stations in the BSS. By default, this bridging is allowed.
-#ap_isolate=1
-
-##### IEEE 802.11n related configuration ######################################
-
-# ieee80211n: Whether IEEE 802.11n (HT) is enabled
-# 0 = disabled (default)
-# 1 = enabled
-# Note: You will also need to enable WMM for full HT functionality.
-#ieee80211n=1
-
-# ht_capab: HT capabilities (list of flags)
-# LDPC coding capability: [LDPC] = supported
-# Supported channel width set: [HT40-] = both 20 MHz and 40 MHz with secondary
-# channel below the primary channel; [HT40+] = both 20 MHz and 40 MHz
-# with secondary channel below the primary channel
-# (20 MHz only if neither is set)
-# Note: There are limits on which channels can be used with HT40- and
-# HT40+. Following table shows the channels that may be available for
-# HT40- and HT40+ use per IEEE 802.11n Annex J:
-# freq HT40- HT40+
-# 2.4 GHz 5-13 1-7 (1-9 in Europe/Japan)
-# 5 GHz 40,48,56,64 36,44,52,60
-# (depending on the location, not all of these channels may be available
-# for use)
-# Please note that 40 MHz channels may switch their primary and secondary
-# channels if needed or creation of 40 MHz channel maybe rejected based
-# on overlapping BSSes. These changes are done automatically when hostapd
-# is setting up the 40 MHz channel.
-# Spatial Multiplexing (SM) Power Save: [SMPS-STATIC] or [SMPS-DYNAMIC]
-# (SMPS disabled if neither is set)
-# HT-greenfield: [GF] (disabled if not set)
-# Short GI for 20 MHz: [SHORT-GI-20] (disabled if not set)
-# Short GI for 40 MHz: [SHORT-GI-40] (disabled if not set)
-# Tx STBC: [TX-STBC] (disabled if not set)
-# Rx STBC: [RX-STBC1] (one spatial stream), [RX-STBC12] (one or two spatial
-# streams), or [RX-STBC123] (one, two, or three spatial streams); Rx STBC
-# disabled if none of these set
-# HT-delayed Block Ack: [DELAYED-BA] (disabled if not set)
-# Maximum A-MSDU length: [MAX-AMSDU-7935] for 7935 octets (3839 octets if not
-# set)
-# DSSS/CCK Mode in 40 MHz: [DSSS_CCK-40] = allowed (not allowed if not set)
-# PSMP support: [PSMP] (disabled if not set)
-# L-SIG TXOP protection support: [LSIG-TXOP-PROT] (disabled if not set)
-#ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40]
-
-# Require stations to support HT PHY (reject association if they do not)
-#require_ht=1
-
-##### IEEE 802.1X-2004 related configuration ##################################
-
-# Require IEEE 802.1X authorization
-ieee8021x=1
-
-# IEEE 802.1X/EAPOL version
-# hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL
-# version 2. However, there are many client implementations that do not handle
-# the new version number correctly (they seem to drop the frames completely).
-# In order to make hostapd interoperate with these clients, the version number
-# can be set to the older version (1) with this configuration value.
-#eapol_version=2
-
-# Optional displayable message sent with EAP Request-Identity. The first \0
-# in this string will be converted to ASCII-0 (nul). This can be used to
-# separate network info (comma separated list of attribute=value pairs); see,
-# e.g., RFC 4284.
-#eap_message=hello
-#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com
-
-# WEP rekeying (disabled if key lengths are not set or are set to 0)
-# Key lengths for default/broadcast and individual/unicast keys:
-# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
-# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
-#wep_key_len_broadcast=5
-#wep_key_len_unicast=5
-# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)
-#wep_rekey_period=300
-
-# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
-# only broadcast keys are used)
-eapol_key_index_workaround=0
-
-# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable
-# reauthentication).
-#eap_reauth_period=3600
-
-# Use PAE group address (01:80:c2:00:00:03) instead of individual target
-# address when sending EAPOL frames with driver=wired. This is the most common
-# mechanism used in wired authentication, but it also requires that the port
-# is only used by one station.
-#use_pae_group_addr=1
-
-##### Integrated EAP server ###################################################
-
-# Optionally, hostapd can be configured to use an integrated EAP server
-# to process EAP authentication locally without need for an external RADIUS
-# server. This functionality can be used both as a local authentication server
-# for IEEE 802.1X/EAPOL and as a RADIUS server for other devices.
-
-# Use integrated EAP server instead of external RADIUS authentication
-# server. This is also needed if hostapd is configured to act as a RADIUS
-# authentication server.
-eap_server=0
-
-# Path for EAP server user database
-#eap_user_file=/etc/hostapd.eap_user
-
-# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
-#ca_cert=/etc/hostapd.ca.pem
-
-# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
-#server_cert=/etc/hostapd.server.pem
-
-# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS
-# This may point to the same file as server_cert if both certificate and key
-# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be
-# used by commenting out server_cert and specifying the PFX file as the
-# private_key.
-#private_key=/etc/hostapd.server.prv
-
-# Passphrase for private key
-#private_key_passwd=secret passphrase
-
-# Enable CRL verification.
-# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a
-# valid CRL signed by the CA is required to be included in the ca_cert file.
-# This can be done by using PEM format for CA certificate and CRL and
-# concatenating these into one file. Whenever CRL changes, hostapd needs to be
-# restarted to take the new CRL into use.
-# 0 = do not verify CRLs (default)
-# 1 = check the CRL of the user certificate
-# 2 = check all CRLs in the certificate path
-#check_crl=1
-
-# dh_file: File path to DH/DSA parameters file (in PEM format)
-# This is an optional configuration file for setting parameters for an
-# ephemeral DH key exchange. In most cases, the default RSA authentication does
-# not use this configuration. However, it is possible setup RSA to use
-# ephemeral DH key exchange. In addition, ciphers with DSA keys always use
-# ephemeral DH keys. This can be used to achieve forward secrecy. If the file
-# is in DSA parameters format, it will be automatically converted into DH
-# params. This parameter is required if anonymous EAP-FAST is used.
-# You can generate DH parameters file with OpenSSL, e.g.,
-# "openssl dhparam -out /etc/hostapd.dh.pem 1024"
-#dh_file=/etc/hostapd.dh.pem
-
-# Fragment size for EAP methods
-#fragment_size=1400
-
-# Configuration data for EAP-SIM database/authentication gateway interface.
-# This is a text string in implementation specific format. The example
-# implementation in eap_sim_db.c uses this as the UNIX domain socket name for
-# the HLR/AuC gateway (e.g., hlr_auc_gw). In this case, the path uses "unix:"
-# prefix.
-#eap_sim_db=unix:/tmp/hlr_auc_gw.sock
-
-# Encryption key for EAP-FAST PAC-Opaque values. This key must be a secret,
-# random value. It is configured as a 16-octet value in hex format. It can be
-# generated, e.g., with the following command:
-# od -tx1 -v -N16 /dev/random | colrm 1 8 | tr -d ' '
-#pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
-
-# EAP-FAST authority identity (A-ID)
-# A-ID indicates the identity of the authority that issues PACs. The A-ID
-# should be unique across all issuing servers. In theory, this is a variable
-# length field, but due to some existing implementations requiring A-ID to be
-# 16 octets in length, it is strongly recommended to use that length for the
-# field to provid interoperability with deployed peer implementations. This
-# field is configured in hex format.
-#eap_fast_a_id=101112131415161718191a1b1c1d1e1f
-
-# EAP-FAST authority identifier information (A-ID-Info)
-# This is a user-friendly name for the A-ID. For example, the enterprise name
-# and server name in a human-readable format. This field is encoded as UTF-8.
-#eap_fast_a_id_info=test server
-
-# Enable/disable different EAP-FAST provisioning modes:
-#0 = provisioning disabled
-#1 = only anonymous provisioning allowed
-#2 = only authenticated provisioning allowed
-#3 = both provisioning modes allowed (default)
-#eap_fast_prov=3
-
-# EAP-FAST PAC-Key lifetime in seconds (hard limit)
-#pac_key_lifetime=604800
-
-# EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard
-# limit). The server will generate a new PAC-Key when this number of seconds
-# (or fewer) of the lifetime remains.
-#pac_key_refresh_time=86400
-
-# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
-# (default: 0 = disabled).
-#eap_sim_aka_result_ind=1
-
-# Trusted Network Connect (TNC)
-# If enabled, TNC validation will be required before the peer is allowed to
-# connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other
-# EAP method is enabled, the peer will be allowed to connect without TNC.
-#tnc=1
-
-
-##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################
-
-# Interface to be used for IAPP broadcast packets
-#iapp_interface=eth0
-
-
-##### RADIUS client configuration #############################################
-# for IEEE 802.1X with external Authentication Server, IEEE 802.11
-# authentication with external ACL for MAC addresses, and accounting
-
-# The own IP address of the access point (used as NAS-IP-Address)
-own_ip_addr=10.1.0.1
-
-# Optional NAS-Identifier string for RADIUS messages. When used, this should be
-# a unique to the NAS within the scope of the RADIUS server. For example, a
-# fully qualified domain name can be used here.
-# When using IEEE 802.11r, nas_identifier must be set and must be between 1 and
-# 48 octets long.
-#nas_identifier=ap.example.com
-
-# RADIUS authentication server
-auth_server_addr=10.1.0.10
-#auth_server_port=1812
-auth_server_shared_secret=gv6URkSs
-
-# RADIUS accounting server
-#acct_server_addr=127.0.0.1
-#acct_server_port=1813
-#acct_server_shared_secret=secret
-
-# Secondary RADIUS servers; to be used if primary one does not reply to
-# RADIUS packets. These are optional and there can be more than one secondary
-# server listed.
-#auth_server_addr=127.0.0.2
-#auth_server_port=1812
-#auth_server_shared_secret=secret2
-#
-#acct_server_addr=127.0.0.2
-#acct_server_port=1813
-#acct_server_shared_secret=secret2
-
-# Retry interval for trying to return to the primary RADIUS server (in
-# seconds). RADIUS client code will automatically try to use the next server
-# when the current server is not replying to requests. If this interval is set,
-# primary server will be retried after configured amount of time even if the
-# currently used secondary server is still working.
-#radius_retry_primary_interval=600
-
-
-# Interim accounting update interval
-# If this is set (larger than 0) and acct_server is configured, hostapd will
-# send interim accounting updates every N seconds. Note: if set, this overrides
-# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this
-# value should not be configured in hostapd.conf, if RADIUS server is used to
-# control the interim interval.
-# This value should not be less 600 (10 minutes) and must not be less than
-# 60 (1 minute).
-#radius_acct_interim_interval=600
-
-# Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN
-# is used for the stations. This information is parsed from following RADIUS
-# attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN),
-# Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value
-# VLANID as a string). vlan_file option below must be configured if dynamic
-# VLANs are used. Optionally, the local MAC ACL list (accept_mac_file) can be
-# used to set static client MAC address to VLAN ID mapping.
-# 0 = disabled (default)
-# 1 = option; use default interface if RADIUS server does not include VLAN ID
-# 2 = required; reject authentication if RADIUS server does not include VLAN ID
-#dynamic_vlan=0
-
-# VLAN interface list for dynamic VLAN mode is read from a separate text file.
-# This list is used to map VLAN ID from the RADIUS server to a network
-# interface. Each station is bound to one interface in the same way as with
-# multiple BSSIDs or SSIDs. Each line in this text file is defining a new
-# interface and the line must include VLAN ID and interface name separated by
-# white space (space or tab).
-#vlan_file=/etc/hostapd.vlan
-
-# Interface where 802.1q tagged packets should appear when a RADIUS server is
-# used to determine which VLAN a station is on. hostapd creates a bridge for
-# each VLAN. Then hostapd adds a VLAN interface (associated with the interface
-# indicated by 'vlan_tagged_interface') and the appropriate wireless interface
-# to the bridge.
-#vlan_tagged_interface=eth0
-
-
-##### RADIUS authentication server configuration ##############################
-
-# hostapd can be used as a RADIUS authentication server for other hosts. This
-# requires that the integrated EAP server is also enabled and both
-# authentication services are sharing the same configuration.
-
-# File name of the RADIUS clients configuration for the RADIUS server. If this
-# commented out, RADIUS server is disabled.
-#radius_server_clients=/etc/hostapd.radius_clients
-
-# The UDP port number for the RADIUS authentication server
-#radius_server_auth_port=1812
-
-# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API)
-#radius_server_ipv6=1
-
-
-##### WPA/IEEE 802.11i configuration ##########################################
-
-# Enable WPA. Setting this variable configures the AP to require WPA (either
-# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
-# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
-# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
-# RADIUS authentication server must be configured, and WPA-EAP must be included
-# in wpa_key_mgmt.
-# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
-# and/or WPA2 (full IEEE 802.11i/RSN):
-# bit0 = WPA
-# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
-#wpa=1
-
-# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
-# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
-# (8..63 characters) that will be converted to PSK. This conversion uses SSID
-# so the PSK changes when ASCII passphrase is used and the SSID is changed.
-# wpa_psk (dot11RSNAConfigPSKValue)
-# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
-#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
-#wpa_passphrase=secret passphrase
-
-# Optionally, WPA PSKs can be read from a separate text file (containing list
-# of (PSK,MAC address) pairs. This allows more than one PSK to be configured.
-# Use absolute path name to make sure that the files can be read on SIGHUP
-# configuration reloads.
-#wpa_psk_file=/etc/hostapd.wpa_psk
-
-# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
-# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be
-# added to enable SHA256-based stronger algorithms.
-# (dot11RSNAConfigAuthenticationSuitesTable)
-#wpa_key_mgmt=WPA-PSK WPA-EAP
-
-# Set of accepted cipher suites (encryption algorithms) for pairwise keys
-# (unicast packets). This is a space separated list of algorithms:
-# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
-# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
-# Group cipher suite (encryption algorithm for broadcast and multicast frames)
-# is automatically selected based on this configuration. If only CCMP is
-# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
-# TKIP will be used as the group cipher.
-# (dot11RSNAConfigPairwiseCiphersTable)
-# Pairwise cipher for WPA (v1) (default: TKIP)
-#wpa_pairwise=TKIP CCMP
-# Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value)
-#rsn_pairwise=CCMP
-
-# Time interval for rekeying GTK (broadcast/multicast encryption keys) in
-# seconds. (dot11RSNAConfigGroupRekeyTime)
-#wpa_group_rekey=600
-
-# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
-# (dot11RSNAConfigGroupRekeyStrict)
-#wpa_strict_rekey=1
-
-# Time interval for rekeying GMK (master key used internally to generate GTKs
-# (in seconds).
-#wpa_gmk_rekey=86400
-
-# Maximum lifetime for PTK in seconds. This can be used to enforce rekeying of
-# PTK to mitigate some attacks against TKIP deficiencies.
-#wpa_ptk_rekey=600
-
-# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
-# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
-# authentication and key handshake before actually associating with a new AP.
-# (dot11RSNAPreauthenticationEnabled)
-#rsn_preauth=1
-#
-# Space separated list of interfaces from which pre-authentication frames are
-# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all
-# interface that are used for connections to other APs. This could include
-# wired interfaces and WDS links. The normal wireless data interface towards
-# associated stations (e.g., wlan0) should not be added, since
-# pre-authentication is only used with APs other than the currently associated
-# one.
-#rsn_preauth_interfaces=eth0
-
-# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e) is
-# allowed. This is only used with RSN/WPA2.
-# 0 = disabled (default)
-# 1 = enabled
-#peerkey=1
-
-# ieee80211w: Whether management frame protection (MFP) is enabled
-# 0 = disabled (default)
-# 1 = optional
-# 2 = required
-#ieee80211w=0
-
-# Association SA Query maximum timeout (in TU = 1.024 ms; for MFP)
-# (maximum time to wait for a SA Query response)
-# dot11AssociationSAQueryMaximumTimeout, 1...4294967295
-#assoc_sa_query_max_timeout=1000
-
-# Association SA Query retry timeout (in TU = 1.024 ms; for MFP)
-# (time between two subsequent SA Query requests)
-# dot11AssociationSAQueryRetryTimeout, 1...4294967295
-#assoc_sa_query_retry_timeout=201
-
-# disable_pmksa_caching: Disable PMKSA caching
-# This parameter can be used to disable caching of PMKSA created through EAP
-# authentication. RSN preauthentication may still end up using PMKSA caching if
-# it is enabled (rsn_preauth=1).
-# 0 = PMKSA caching enabled (default)
-# 1 = PMKSA caching disabled
-#disable_pmksa_caching=0
-
-# okc: Opportunistic Key Caching (aka Proactive Key Caching)
-# Allow PMK cache to be shared opportunistically among configured interfaces
-# and BSSes (i.e., all configurations within a single hostapd process).
-# 0 = disabled (default)
-# 1 = enabled
-#okc=1
-
-
-##### IEEE 802.11r configuration ##############################################
-
-# Mobility Domain identifier (dot11FTMobilityDomainID, MDID)
-# MDID is used to indicate a group of APs (within an ESS, i.e., sharing the
-# same SSID) between which a STA can use Fast BSS Transition.
-# 2-octet identifier as a hex string.
-#mobility_domain=a1b2
-
-# PMK-R0 Key Holder identifier (dot11FTR0KeyHolderID)
-# 1 to 48 octet identifier.
-# This is configured with nas_identifier (see RADIUS client section above).
-
-# Default lifetime of the PMK-RO in minutes; range 1..65535
-# (dot11FTR0KeyLifetime)
-#r0_key_lifetime=10000
-
-# PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID)
-# 6-octet identifier as a hex string.
-#r1_key_holder=000102030405
-
-# Reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535)
-# (dot11FTReassociationDeadline)
-#reassociation_deadline=1000
-
-# List of R0KHs in the same Mobility Domain
-# format: <MAC address> <NAS Identifier> <128-bit key as hex string>
-# This list is used to map R0KH-ID (NAS Identifier) to a destination MAC
-# address when requesting PMK-R1 key from the R0KH that the STA used during the
-# Initial Mobility Domain Association.
-#r0kh=02:01:02:03:04:05 r0kh-1.example.com 000102030405060708090a0b0c0d0e0f
-#r0kh=02:01:02:03:04:06 r0kh-2.example.com 00112233445566778899aabbccddeeff
-# And so on.. One line per R0KH.
-
-# List of R1KHs in the same Mobility Domain
-# format: <MAC address> <R1KH-ID> <128-bit key as hex string>
-# This list is used to map R1KH-ID to a destination MAC address when sending
-# PMK-R1 key from the R0KH. This is also the list of authorized R1KHs in the MD
-# that can request PMK-R1 keys.
-#r1kh=02:01:02:03:04:05 02:11:22:33:44:55 000102030405060708090a0b0c0d0e0f
-#r1kh=02:01:02:03:04:06 02:11:22:33:44:66 00112233445566778899aabbccddeeff
-# And so on.. One line per R1KH.
-
-# Whether PMK-R1 push is enabled at R0KH
-# 0 = do not push PMK-R1 to all configured R1KHs (default)
-# 1 = push PMK-R1 to all configured R1KHs whenever a new PMK-R0 is derived
-#pmk_r1_push=1
-
-##### Neighbor table ##########################################################
-# Maximum number of entries kept in AP table (either for neigbor table or for
-# detecting Overlapping Legacy BSS Condition). The oldest entry will be
-# removed when adding a new entry that would make the list grow over this
-# limit. Note! WFA certification for IEEE 802.11g requires that OLBC is
-# enabled, so this field should not be set to 0 when using IEEE 802.11g.
-# default: 255
-#ap_table_max_size=255
-
-# Number of seconds of no frames received after which entries may be deleted
-# from the AP table. Since passive scanning is not usually performed frequently
-# this should not be set to very small value. In addition, there is no
-# guarantee that every scan cycle will receive beacon frames from the
-# neighboring APs.
-# default: 60
-#ap_table_expiration_time=3600
-
-
-##### Wi-Fi Protected Setup (WPS) #############################################
-
-# WPS state
-# 0 = WPS disabled (default)
-# 1 = WPS enabled, not configured
-# 2 = WPS enabled, configured
-#wps_state=2
-
-# AP can be configured into a locked state where new WPS Registrar are not
-# accepted, but previously authorized Registrars (including the internal one)
-# can continue to add new Enrollees.
-#ap_setup_locked=1
-
-# Universally Unique IDentifier (UUID; see RFC 4122) of the device
-# This value is used as the UUID for the internal WPS Registrar. If the AP
-# is also using UPnP, this value should be set to the device's UPnP UUID.
-# If not configured, UUID will be generated based on the local MAC address.
-#uuid=12345678-9abc-def0-1234-56789abcdef0
-
-# Note: If wpa_psk_file is set, WPS is used to generate random, per-device PSKs
-# that will be appended to the wpa_psk_file. If wpa_psk_file is not set, the
-# default PSK (wpa_psk/wpa_passphrase) will be delivered to Enrollees. Use of
-# per-device PSKs is recommended as the more secure option (i.e., make sure to
-# set wpa_psk_file when using WPS with WPA-PSK).
-
-# When an Enrollee requests access to the network with PIN method, the Enrollee
-# PIN will need to be entered for the Registrar. PIN request notifications are
-# sent to hostapd ctrl_iface monitor. In addition, they can be written to a
-# text file that could be used, e.g., to populate the AP administration UI with
-# pending PIN requests. If the following variable is set, the PIN requests will
-# be written to the configured file.
-#wps_pin_requests=/var/run/hostapd_wps_pin_requests
-
-# Device Name
-# User-friendly description of device; up to 32 octets encoded in UTF-8
-#device_name=Wireless AP
-
-# Manufacturer
-# The manufacturer of the device (up to 64 ASCII characters)
-#manufacturer=Company
-
-# Model Name
-# Model of the device (up to 32 ASCII characters)
-#model_name=WAP
-
-# Model Number
-# Additional device description (up to 32 ASCII characters)
-#model_number=123
-
-# Serial Number
-# Serial number of the device (up to 32 characters)
-#serial_number=12345
-
-# Primary Device Type
-# Used format: <categ>-<OUI>-<subcateg>
-# categ = Category as an integer value
-# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
-# default WPS OUI
-# subcateg = OUI-specific Sub Category as an integer value
-# Examples:
-# 1-0050F204-1 (Computer / PC)
-# 1-0050F204-2 (Computer / Server)
-# 5-0050F204-1 (Storage / NAS)
-# 6-0050F204-1 (Network Infrastructure / AP)
-#device_type=6-0050F204-1
-
-# OS Version
-# 4-octet operating system version number (hex string)
-#os_version=01020300
-
-# Config Methods
-# List of the supported configuration methods
-# Available methods: usba ethernet label display ext_nfc_token int_nfc_token
-# nfc_interface push_button keypad virtual_display physical_display
-# virtual_push_button physical_push_button
-#config_methods=label virtual_display virtual_push_button keypad
-
-# WPS capability discovery workaround for PBC with Windows 7
-# Windows 7 uses incorrect way of figuring out AP's WPS capabilities by acting
-# as a Registrar and using M1 from the AP. The config methods attribute in that
-# message is supposed to indicate only the configuration method supported by
-# the AP in Enrollee role, i.e., to add an external Registrar. For that case,
-# PBC shall not be used and as such, the PushButton config method is removed
-# from M1 by default. If pbc_in_m1=1 is included in the configuration file,
-# the PushButton config method is left in M1 (if included in config_methods
-# parameter) to allow Windows 7 to use PBC instead of PIN (e.g., from a label
-# in the AP).
-#pbc_in_m1=1
-
-# Static access point PIN for initial configuration and adding Registrars
-# If not set, hostapd will not allow external WPS Registrars to control the
-# access point. The AP PIN can also be set at runtime with hostapd_cli
-# wps_ap_pin command. Use of temporary (enabled by user action) and random
-# AP PIN is much more secure than configuring a static AP PIN here. As such,
-# use of the ap_pin parameter is not recommended if the AP device has means for
-# displaying a random PIN.
-#ap_pin=12345670
-
-# Skip building of automatic WPS credential
-# This can be used to allow the automatically generated Credential attribute to
-# be replaced with pre-configured Credential(s).
-#skip_cred_build=1
-
-# Additional Credential attribute(s)
-# This option can be used to add pre-configured Credential attributes into M8
-# message when acting as a Registrar. If skip_cred_build=1, this data will also
-# be able to override the Credential attribute that would have otherwise been
-# automatically generated based on network configuration. This configuration
-# option points to an external file that much contain the WPS Credential
-# attribute(s) as binary data.
-#extra_cred=hostapd.cred
-
-# Credential processing
-# 0 = process received credentials internally (default)
-# 1 = do not process received credentials; just pass them over ctrl_iface to
-# external program(s)
-# 2 = process received credentials internally and pass them over ctrl_iface
-# to external program(s)
-# Note: With wps_cred_processing=1, skip_cred_build should be set to 1 and
-# extra_cred be used to provide the Credential data for Enrollees.
-#
-# wps_cred_processing=1 will disabled automatic updates of hostapd.conf file
-# both for Credential processing and for marking AP Setup Locked based on
-# validation failures of AP PIN. An external program is responsible on updating
-# the configuration appropriately in this case.
-#wps_cred_processing=0
-
-# AP Settings Attributes for M7
-# By default, hostapd generates the AP Settings Attributes for M7 based on the
-# current configuration. It is possible to override this by providing a file
-# with pre-configured attributes. This is similar to extra_cred file format,
-# but the AP Settings attributes are not encapsulated in a Credential
-# attribute.
-#ap_settings=hostapd.ap_settings
-
-# WPS UPnP interface
-# If set, support for external Registrars is enabled.
-#upnp_iface=br0
-
-# Friendly Name (required for UPnP)
-# Short description for end use. Should be less than 64 characters.
-#friendly_name=WPS Access Point
-
-# Manufacturer URL (optional for UPnP)
-#manufacturer_url=http://www.example.com/
-
-# Model Description (recommended for UPnP)
-# Long description for end user. Should be less than 128 characters.
-#model_description=Wireless Access Point
-
-# Model URL (optional for UPnP)
-#model_url=http://www.example.com/model/
-
-# Universal Product Code (optional for UPnP)
-# 12-digit, all-numeric code that identifies the consumer package.
-#upc=123456789012
-
-##### Wi-Fi Direct (P2P) ######################################################
-
-# Enable P2P Device management
-#manage_p2p=1
-
-# Allow cross connection
-#allow_cross_connection=1
-
-#### TDLS (IEEE 802.11z-2010) #################################################
-
-# Prohibit use of TDLS in this BSS
-#tdls_prohibit=1
-
-# Prohibit use of TDLS Channel Switching in this BSS
-#tdls_prohibit_chan_switch=1
-
-##### IEEE 802.11v-2011 #######################################################
-
-# Time advertisement
-# 0 = disabled (default)
-# 2 = UTC time at which the TSF timer is 0
-#time_advertisement=2
-
-# Local time zone as specified in 8.3 of IEEE Std 1003.1-2004:
-# stdoffset[dst[offset][,start[/time],end[/time]]]
-#time_zone=EST5
-
-##### IEEE 802.11u-2011 #######################################################
-
-# Enable Interworking service
-#interworking=1
-
-# Access Network Type
-# 0 = Private network
-# 1 = Private network with guest access
-# 2 = Chargeable public network
-# 3 = Free public network
-# 4 = Personal device network
-# 5 = Emergency services only network
-# 14 = Test or experimental
-# 15 = Wildcard
-#access_network_type=0
-
-# Whether the network provides connectivity to the Internet
-# 0 = Unspecified
-# 1 = Network provides connectivity to the Internet
-#internet=1
-
-# Additional Step Required for Access
-# Note: This is only used with open network, i.e., ASRA shall ne set to 0 if
-# RSN is used.
-#asra=0
-
-# Emergency services reachable
-#esr=0
-
-# Unauthenticated emergency service accessible
-#uesa=0
-
-# Venue Info (optional)
-# The available values are defined in IEEE Std 802.11u-2011, 7.3.1.34.
-# Example values (group,type):
-# 0,0 = Unspecified
-# 1,7 = Convention Center
-# 1,13 = Coffee Shop
-# 2,0 = Unspecified Business
-# 7,1 Private Residence
-#venue_group=7
-#venue_type=1
-
-# Homogeneous ESS identifier (optional; dot11HESSID)
-# If set, this shall be identifical to one of the BSSIDs in the homogeneous
-# ESS and this shall be set to the same value across all BSSs in homogeneous
-# ESS.
-#hessid=02:03:04:05:06:07
-
-# Roaming Consortium List
-# Arbitrary number of Roaming Consortium OIs can be configured with each line
-# adding a new OI to the list. The first three entries are available through
-# Beacon and Probe Response frames. Any additional entry will be available only
-# through ANQP queries. Each OI is between 3 and 15 octets and is configured a
-# a hexstring.
-#roaming_consortium=021122
-#roaming_consortium=2233445566
-
-##### Multiple BSSID support ##################################################
-#
-# Above configuration is using the default interface (wlan#, or multi-SSID VLAN
-# interfaces). Other BSSIDs can be added by using separator 'bss' with
-# default interface name to be allocated for the data packets of the new BSS.
-#
-# hostapd will generate BSSID mask based on the BSSIDs that are
-# configured. hostapd will verify that dev_addr & MASK == dev_addr. If this is
-# not the case, the MAC address of the radio must be changed before starting
-# hostapd (ifconfig wlan0 hw ether <MAC addr>). If a BSSID is configured for
-# every secondary BSS, this limitation is not applied at hostapd and other
-# masks may be used if the driver supports them (e.g., swap the locally
-# administered bit)
-#
-# BSSIDs are assigned in order to each BSS, unless an explicit BSSID is
-# specified using the 'bssid' parameter.
-# If an explicit BSSID is specified, it must be chosen such that it:
-# - results in a valid MASK that covers it and the dev_addr
-# - is not the same as the MAC address of the radio
-# - is not the same as any other explicitly specified BSSID
-#
-# Please note that hostapd uses some of the values configured for the first BSS
-# as the defaults for the following BSSes. However, it is recommended that all
-# BSSes include explicit configuration of all relevant configuration items.
-#
-#bss=wlan0_0
-#ssid=test2
-# most of the above items can be used here (apart from radio interface specific
-# items, like channel)
-
-#bss=wlan0_1
-#bssid=00:13:10:95:fe:0b
-# ...
diff --git a/testing/tests/tnc/tnccs-11-supplicant/posttest.dat b/testing/tests/tnc/tnccs-11-supplicant/posttest.dat
deleted file mode 100644
index b55e0457c..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::killall wpa_supplicant
-dave::killall wpa_supplicant
-moon::killall hostapd
-alice::killall radiusd
-alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
diff --git a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat b/testing/tests/tnc/tnccs-11-supplicant/pretest.dat
deleted file mode 100644
index 4dbff64a3..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-moon::hostapd -B /etc/hostapd/hostapd.conf
-carol::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0
-carol::sleep 4
-dave::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0
-dave::sleep 4
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql
new file mode 100644
index 000000000..548c101e4
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql
@@ -0,0 +1,39 @@
+/* SW Identifiers */
+
+INSERT INTO sw_identifiers (
+ name, package, version, source, installed
+) VALUES (
+ 'strongswan.org__Debian_DEBIAN_VERSION-x86_64-libutempter0-1.1.5', 'libutempter0', '1.1.5', 1, 0
+);
+
+INSERT INTO sw_identifiers (
+ name, package, version, source, installed
+) VALUES (
+ 'strongswan.org__Debian_DEBIAN_VERSION-x86_64-libevent-2.0-5-2.0.20', 'libevent-2.0-5', '2.0.20', 1, 0
+);
+
+INSERT INTO sw_identifiers (
+ name, package, version, source, installed
+) VALUES (
+ 'strongswan.org__Debian_DEBIAN_VERSION-x86_64-tmux-2.2', 'tmux', '2.2', 1, 0
+);
+
+/* SW Events */
+
+INSERT INTO sw_events (
+ eid, sw_id, action
+) VALUES (
+ 2, 1, 2
+);
+
+INSERT INTO sw_events (
+ eid, sw_id, action
+) VALUES (
+ 2, 2, 2
+);
+
+INSERT INTO sw_events (
+ eid, sw_id, action
+) VALUES (
+ 2, 3, 2
+);
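Review bot: The three `sw_events` rows point at `sw_id` 1, 2 and 3 by literal value, which matches the three `sw_identifiers` inserts above only if that table is empty when the file is loaded and ids are assigned in insertion order; nothing in the file states that precondition. All three also use `eid` 2, so the event row they belong to has to be created somewhere outside this file. I would record both assumptions under the `/* SW Events */` header, for example `/* sw_id 1..3 = the three sw_identifiers rows above (load into an empty database); eid 2 is created outside this file */`. The literals `source` 1, `installed` 0 and `action` 2 are also unexplained, and a one-line comment naming what each value stands for would let a reader check that the fixture models the software events the test expects.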
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat
index c0049d7fd..5d0602c15 100644
--- a/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat
@@ -1,6 +1,7 @@
carol::ip route del 10.1.0.0/16 via 192.168.0.1
dave::ip route del 10.1.0.0/16 via 192.168.0.1
winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
+carol::rm /etc/pts/collector.sql
alice::systemctl stop strongswan-swanctl
alice::systemctl stop apache2
alice::rm /etc/swanctl/rsa/aaaKey.pem
diff --git a/testing/tests/tnc/tnccs-20-fhh/description.txt b/testing/tests/tnc/tnccs-20-fhh/description.txt
deleted file mode 100644
index 8bf1543d2..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/description.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
-using EAP-TTLS authentication only with the gateway presenting a server certificate and
-the clients doing EAP-MD5 password-based authentication.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
-compliant with <b>RFC 5793 PB-TNC</b>. The Dummy IMC and IMV from the
-<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
-<b>TNC@FHH</b></a> project are used which communicate over a proprietary protocol.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
-clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
-respectively.
-</p>
diff --git a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
deleted file mode 100644
index bf0732604..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Quarantined::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides: charon
-# Required-Start: $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: strongSwan charon IKE daemon
-# Description: with swanctl the strongSwan charon daemon must be
-# running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
- # Return
- # 0 if daemon has been started
- # 1 if daemon was already running
- # 2 if daemon could not be started
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
- || return 1
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
- $DAEMON_ARGS \
- || return 2
- # Add code here, if necessary, that waits for the process to be ready
- # to handle requests from services started subsequently which depend
- # on this one. As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
- # Return
- # 0 if daemon has been stopped
- # 1 if daemon was already stopped
- # 2 if daemon could not be stopped
- # other if a failure occurred
- start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
- RETVAL="$?"
- [ "$RETVAL" = 2 ] && return 2
- # Wait for children to finish too if this is a daemon that forks
- # and if the daemon is only ever run from this initscript.
- # If the above conditions are not satisfied then add some other code
- # that waits for the process to drop all resources that could be
- # needed by services started subsequently. A last resort is to
- # sleep for some time.
- start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
- [ "$?" = 2 ] && return 2
- # Many daemons don't delete their pidfiles when they exit.
- rm -f $PIDFILE
- return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
- #
- # If the daemon can reload its configuration without
- # restarting (for example, when it is sent a SIGHUP),
- # then implement that here.
- #
- start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
- return 0
-}
-
-case "$1" in
- start)
- [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
- do_start
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- status)
- status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
- ;;
- #reload|force-reload)
- #
- # If do_reload() is not implemented then leave this commented out
- # and leave 'force-reload' as an alias for 'restart'.
- #
- #log_daemon_msg "Reloading $DESC" "$NAME"
- #do_reload
- #log_end_msg $?
- #;;
- restart|force-reload)
- #
- # If the "reload" option is implemented then remove the
- # 'force-reload' alias
- #
- log_daemon_msg "Restarting $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1)
- do_start
- case "$?" in
- 0) log_end_msg 0 ;;
- 1) log_end_msg 1 ;; # Old process is still running
- *) log_end_msg 1 ;; # Failed to start
- esac
- ;;
- *)
- # Failed to stop
- log_end_msg 1
- ;;
- esac
- ;;
- *)
- #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
- echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index aa4934fb1..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
- multiple_authentication = no
-
- syslog {
- daemon {
- tnc = 3
- imc = 2
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties
deleted file mode 100644
index b1c694107..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config
deleted file mode 100644
index 3ef780933..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides: charon
-# Required-Start: $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: strongSwan charon IKE daemon
-# Description: with swanctl the strongSwan charon daemon must be
-# running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
- # Return
- # 0 if daemon has been started
- # 1 if daemon was already running
- # 2 if daemon could not be started
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
- || return 1
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
- $DAEMON_ARGS \
- || return 2
- # Add code here, if necessary, that waits for the process to be ready
- # to handle requests from services started subsequently which depend
- # on this one. As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
- # Return
- # 0 if daemon has been stopped
- # 1 if daemon was already stopped
- # 2 if daemon could not be stopped
- # other if a failure occurred
- start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
- RETVAL="$?"
- [ "$RETVAL" = 2 ] && return 2
- # Wait for children to finish too if this is a daemon that forks
- # and if the daemon is only ever run from this initscript.
- # If the above conditions are not satisfied then add some other code
- # that waits for the process to drop all resources that could be
- # needed by services started subsequently. A last resort is to
- # sleep for some time.
- start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
- [ "$?" = 2 ] && return 2
- # Many daemons don't delete their pidfiles when they exit.
- rm -f $PIDFILE
- return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
- #
- # If the daemon can reload its configuration without
- # restarting (for example, when it is sent a SIGHUP),
- # then implement that here.
- #
- start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
- return 0
-}
-
-case "$1" in
- start)
- [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
- do_start
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- status)
- status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
- ;;
- #reload|force-reload)
- #
- # If do_reload() is not implemented then leave this commented out
- # and leave 'force-reload' as an alias for 'restart'.
- #
- #log_daemon_msg "Reloading $DESC" "$NAME"
- #do_reload
- #log_end_msg $?
- #;;
- restart|force-reload)
- #
- # If the "reload" option is implemented then remove the
- # 'force-reload' alias
- #
- log_daemon_msg "Restarting $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1)
- do_start
- case "$?" in
- 0) log_end_msg 0 ;;
- 1) log_end_msg 1 ;; # Old process is still running
- *) log_end_msg 1 ;; # Failed to start
- esac
- ;;
- *)
- # Failed to stop
- log_end_msg 1
- ;;
- esac
- ;;
- *)
- #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
- echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 8fc1c8729..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
- multiple_authentication = no
- syslog {
- daemon {
- tnc = 3
- imc = 2
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index c20b5e57f..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-isolate
\ No newline at end of file
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties
deleted file mode 100644
index b1c694107..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config
deleted file mode 100644
index 8eee8068a..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides: charon
-# Required-Start: $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: strongSwan charon IKE daemon
-# Description: with swanctl the strongSwan charon daemon must be
-# running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen <andreas.steffen@strongswa.org>
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
- # Return
- # 0 if daemon has been started
- # 1 if daemon was already running
- # 2 if daemon could not be started
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
- || return 1
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
- $DAEMON_ARGS \
- || return 2
- # Add code here, if necessary, that waits for the process to be ready
- # to handle requests from services started subsequently which depend
- # on this one. As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
- # Return
- # 0 if daemon has been stopped
- # 1 if daemon was already stopped
- # 2 if daemon could not be stopped
- # other if a failure occurred
- start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
- RETVAL="$?"
- [ "$RETVAL" = 2 ] && return 2
- # Wait for children to finish too if this is a daemon that forks
- # and if the daemon is only ever run from this initscript.
- # If the above conditions are not satisfied then add some other code
- # that waits for the process to drop all resources that could be
- # needed by services started subsequently. A last resort is to
- # sleep for some time.
- start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
- [ "$?" = 2 ] && return 2
- # Many daemons don't delete their pidfiles when they exit.
- rm -f $PIDFILE
- return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
- #
- # If the daemon can reload its configuration without
- # restarting (for example, when it is sent a SIGHUP),
- # then implement that here.
- #
- start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
- return 0
-}
-
-case "$1" in
- start)
- [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
- do_start
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- status)
- status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
- ;;
- #reload|force-reload)
- #
- # If do_reload() is not implemented then leave this commented out
- # and leave 'force-reload' as an alias for 'restart'.
- #
- #log_daemon_msg "Reloading $DESC" "$NAME"
- #do_reload
- #log_end_msg $?
- #;;
- restart|force-reload)
- #
- # If the "reload" option is implemented then remove the
- # 'force-reload' alias
- #
- log_daemon_msg "Restarting $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1)
- do_start
- case "$?" in
- 0) log_end_msg 0 ;;
- 1) log_end_msg 1 ;; # Old process is still running
- *) log_end_msg 1 ;; # Failed to start
- esac
- ;;
- *)
- # Failed to stop
- log_end_msg 1
- ;;
- esac
- ;;
- *)
- #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
- echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4732fbd4b..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
-
- multiple_authentication = no
-
- syslog {
- daemon {
- tnc = 3
- imv = 2
- }
- }
- plugins {
- eap-ttls {
- phase2_method = md5
- phase2_piggyback = yes
- phase2_tnc = yes
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100644
index 1238c1a91..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,64 +0,0 @@
-connections {
-
- rw-allow {
- local_addrs = 192.168.0.1
-
- local {
- auth = eap-ttls
- id = moon.strongswan.org
- }
- remote {
- auth = eap-ttls
- id = *@strongswan.org
- groups = allow
- }
- children {
- rw-allow {
- local_ts = 10.1.0.0/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-
- rw-isolate {
- local_addrs = 192.168.0.1
-
- local {
- auth = eap-ttls
- id = moon.strongswan.org
- }
- remote {
- auth = eap-ttls
- id = *@strongswan.org
- groups = isolate
- }
- children {
- rw-isolate {
- local_ts = 10.1.0.16/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-}
-
-secrets {
-
- eap-carol {
- id = carol@strongswan.org
- secret = "Ar3etTnp"
- }
- eap-dave {
- id = dave@strongswan.org
- secret = "W7R0g3do"
- }
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy
deleted file mode 100644
index d00491fd7..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
deleted file mode 100644
index d8215dd3c..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
+++ /dev/null
@@ -1,40 +0,0 @@
-#FTP - File Transfer Protocol
-TCP 20 = whatever
-TCP 21 = close
-
-#SSH - Secure Shell
-TCP 22 = whatever
-
-#Telnet
-TCP 23 = close
-
-#E-Mail
-#
-#SMTP - Simple Mail Transfer Protocol
-TCP 25 = close
-TCP 587 = close
-#POP3 - Post Office Protocol version 3
-TCP 110 = close
-TCP 995 = close
-
-#DNS - Domain Name System
-UDP 53 = close
-TCP 53 = close
-
-#BOOTP/DHCP - Bootstrap Protocol /
-#Dynamic Host Configuration Protocol
-UDP 67 = close
-#UDP 68 = open
-UDP 68 = whatever
-
-#www - World Wide Web
-#HTTP - Hypertext Transfer Protocol
-TCP 80 = close
-#HTTPS - Hypertext Transfer Protocol Secure
-TCP 443 = close
-
-#examples
-TCP 8080 = close
-TCP 5223 = whatever
-UDP 4444 = close
-UDP 631 = whatever
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties
deleted file mode 100644
index 122d798b3..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMV] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMV] %m%n
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config
deleted file mode 100644
index fa4324e38..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMV configuration file for strongSwan server
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf
index 4075f75bd..cd5056e83 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf
@@ -9,13 +9,7 @@ WSGIPythonPath /var/www/tnc
<Directory /var/www/tnc/config>
<Files wsgi.py>
- <IfModule mod_authz_core.c>
- Require all granted
- </IfModule>
- <IfModule !mod_authz_core.c>
- Order deny,allow
- Allow from all
- </IfModule>
+ Require all granted
</Files>
</Directory>
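Review bot: The bare `Require all granted` inside `<Files wsgi.py>` now depends on mod_authz_core being loaded, because the `<IfModule !mod_authz_core.c>` fallback to `Order deny,allow` / `Allow from all` is removed; a server without that module would presumably fail to apply this access rule instead of falling back. If every test image runs Apache 2.4 or later, a one-line comment above the directive would record the assumption, e.g. `# Apache 2.4+ only: access is granted through mod_authz_core`. The grant remains limited to wsgi.py under /var/www/tnc/config, and it should stay that narrow. The same change is made in the tnccs-20-pdp-pt-tls copy of 000-default.conf further down, and the surrounding file continues outside this hunk.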
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default
deleted file mode 100644
index 1dc8b5688..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default
+++ /dev/null
@@ -1 +0,0 @@
-Include sites-available/000-default.conf
\ No newline at end of file
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf
index 4075f75bd..cd5056e83 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf
@@ -9,13 +9,7 @@ WSGIPythonPath /var/www/tnc
<Directory /var/www/tnc/config>
<Files wsgi.py>
- <IfModule mod_authz_core.c>
- Require all granted
- </IfModule>
- <IfModule !mod_authz_core.c>
- Order deny,allow
- Allow from all
- </IfModule>
+ Require all granted
</Files>
</Directory>
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default
deleted file mode 100644
index 1dc8b5688..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default
+++ /dev/null
@@ -1 +0,0 @@
-Include sites-available/000-default.conf
\ No newline at end of file