diff options
1448 files changed, 25529 insertions, 8675 deletions
diff --git a/Android.common.mk b/Android.common.mk index 1243e26f7..19d654e0c 100644 --- a/Android.common.mk +++ b/Android.common.mk @@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \ ) # strongSwan version, replaced by top Makefile -strongswan_VERSION := "5.6.0" +strongswan_VERSION := "5.6.1" diff --git a/Makefile.am b/Makefile.am index 47e9e8ce6..54b822050 100644 --- a/Makefile.am +++ b/Makefile.am @@ -59,7 +59,7 @@ cov-report: lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir) \ --rc lcov_branch_coverage=1 lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' '*/suites/*' '/usr*' \ - -o $(top_builddir)/coverage/coverage.cleaned.info \ + -o $(abs_top_builddir)/coverage/coverage.cleaned.info \ --rc lcov_branch_coverage=1 genhtml --num-spaces 4 --legend --branch-coverage --ignore-errors source \ -t "$(PACKAGE_STRING)" \ diff --git a/Makefile.in b/Makefile.in index b08cb7bef..a3abb3483 100644 --- a/Makefile.in +++ b/Makefile.in @@ -276,9 +276,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -1039,7 +1041,7 @@ cov-reset-common: @COVERAGE_TRUE@ lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir) \ @COVERAGE_TRUE@ --rc lcov_branch_coverage=1 @COVERAGE_TRUE@ lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' '*/suites/*' '/usr*' \ -@COVERAGE_TRUE@ -o $(top_builddir)/coverage/coverage.cleaned.info \ +@COVERAGE_TRUE@ -o $(abs_top_builddir)/coverage/coverage.cleaned.info \ @COVERAGE_TRUE@ --rc lcov_branch_coverage=1 @COVERAGE_TRUE@ genhtml --num-spaces 4 --legend --branch-coverage --ignore-errors source \ @COVERAGE_TRUE@ -t "$(PACKAGE_STRING)" \ @@ -1,3 +1,46 @@ +strongswan-5.6.1 +---------------- + +- In compliance with RFCs 8221 and 8247 several algorithms were removed from the + default ESP/AH and IKEv2 proposals, respectively (3DES, Blowfish and MD5 from + ESP/AH, MD5 and MODP-1024 from IKEv2). These algorithms may still be used in + custom proposals. + +- Added support for RSASSA-PSS signatures. For backwards compatibility they are + not used automatically by default, enable charon.rsa_pss to change that. To + explicitly use or require such signatures with IKEv2 signature authentication + (RFC 7427), regardless of whether that option is enabled, use ike:rsa/pss... + authentication constraints. + +- The pki tool can optionally sign certificates/CRLs with RSASSA-PSS via the + `--rsa-padding pss` option. + +- The sec-updater tool checks for security updates in dpkg-based repositories + (e.g. Debian/Ubuntu) and sets the security flags in the IMV policy database + accordingly. Additionally for each new package version a SWID tag for the + given OS and HW architecture is created and stored in the database. + Using the sec-updater.sh script template the lookup can be automated + (e.g. via an hourly cron job). + +- The introduction of file versions in the IMV database scheme broke file + reference hash measurements. This has been fixed by creating generic product + versions having an empty package name. + +- A new timeout option for the systime-fix plugin stops periodic system time + checks after a while and enforces a certificate verification, closing or + reauthenticating all SAs with invalid certificates. + +- The IKE event counters, previously only available via ipsec listcounters, may + now be queried/reset via vici and the new swanctl --counters command. They are + provided by the new optional counters plugin. + +- Class attributes received in RADIUS Access-Accept messages may optionally be + added to RADIUS accounting messages. + +- Inbound marks may optionally be installed on the SA again (was removed with + 5.5.2) by enabling the mark_in_sa option in swanctl.conf. + + strongswan-5.6.0 ---------------- diff --git a/conf/Makefile.am b/conf/Makefile.am index 87319db22..38181db2c 100644 --- a/conf/Makefile.am +++ b/conf/Makefile.am @@ -18,13 +18,13 @@ options = \ options/imv_policy_manager.opt \ options/manager.opt \ options/medsrv.opt \ - options/pacman.opt \ options/pki.opt \ options/pool.opt \ options/scepclient.opt \ options/starter.opt \ options/swanctl.opt \ options/tnc.opt \ + options/sec-updater.opt \ options/sw-collector.opt plugins = \ diff --git a/conf/Makefile.in b/conf/Makefile.in index b403c727d..c2cb213f7 100644 --- a/conf/Makefile.in +++ b/conf/Makefile.in @@ -199,9 +199,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -422,13 +424,13 @@ options = \ options/imv_policy_manager.opt \ options/manager.opt \ options/medsrv.opt \ - options/pacman.opt \ options/pki.opt \ options/pool.opt \ options/scepclient.opt \ options/starter.opt \ options/swanctl.opt \ options/tnc.opt \ + options/sec-updater.opt \ options/sw-collector.opt plugins = \ diff --git a/conf/options/charon.conf b/conf/options/charon.conf index f0d084bed..cef9fe36c 100644 --- a/conf/options/charon.conf +++ b/conf/options/charon.conf @@ -230,6 +230,9 @@ charon { # Priority of the routing table. # routing_table_prio = + # Whether to use RSA with PSS padding instead of PKCS#1 padding by default. + # rsa_pss = no + # Delay in ms for sending packets, to simulate larger RTT. # send_delay = 0 diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 900b9b46b..161ebb724 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -341,6 +341,9 @@ charon.routing_table charon.routing_table_prio Priority of the routing table. +charon.rsa_pss = no + Whether to use RSA with PSS padding instead of PKCS#1 padding by default. + charon.send_delay = 0 Delay in ms for sending packets, to simulate larger RTT. diff --git a/conf/options/pacman.conf b/conf/options/pacman.conf deleted file mode 100644 index 730e5435c..000000000 --- a/conf/options/pacman.conf +++ /dev/null @@ -1,12 +0,0 @@ -pacman { - - # Database URI for the database that stores the package information. If it - # contains a password, make sure to adjust the permissions of the config - # file accordingly. - # database = - - # Plugins to load in package manager. - # load = - -} - diff --git a/conf/options/pacman.opt b/conf/options/pacman.opt deleted file mode 100644 index dfb4ba2b1..000000000 --- a/conf/options/pacman.opt +++ /dev/null @@ -1,7 +0,0 @@ -pacman.database = - Database URI for the database that stores the package information. If it - contains a password, make sure to adjust the permissions of the config file - accordingly. - -pacman.load = - Plugins to load in package manager. diff --git a/conf/options/sec-updater.conf b/conf/options/sec-updater.conf new file mode 100644 index 000000000..081476a50 --- /dev/null +++ b/conf/options/sec-updater.conf @@ -0,0 +1,42 @@ +# Options for the sec-updater tool. +sec-updater { + + # Global IMV policy database URI. If it contains a password, make sure to + # adjust the permissions of the config file accordingly. + # database = + + # Plugins to load in sec-updater tool. + # load = + + # strongTNC manage.py command used to import SWID tags. + # tnc_manage_command = /var/www/tnc/manage.py + + swid_gen { + + # SWID generator command to be executed. + # command = /usr/local/bin/swid_generator + + tag_creator { + + # Name of the tagCreator entity. + # name = strongSwan Project + + # regid of the tagCreator entity. + # regid = strongswan.org + + } + + } + + tmp { + + # Temporary storage for downloaded deb package file. + # deb_file = /tmp/sec-updater.deb + + # Temporary storage for generated SWID tags. + # tag_file = /tmp/sec-updater.tag + + } + +} + diff --git a/conf/options/sec-updater.opt b/conf/options/sec-updater.opt new file mode 100644 index 000000000..f6669250e --- /dev/null +++ b/conf/options/sec-updater.opt @@ -0,0 +1,29 @@ +sec-updater {} + Options for the sec-updater tool. + + Options for the sec-updater tool. + +sec-updater.database = + Global IMV policy database URI. If it contains a password, make sure to + adjust the permissions of the config file accordingly. + +sec-updater.swid_gen.command = /usr/local/bin/swid_generator + SWID generator command to be executed. + +sec-updater.swid_gen.tag_creator.name = strongSwan Project + Name of the tagCreator entity. + +sec-updater.swid_gen.tag_creator.regid = strongswan.org + regid of the tagCreator entity. + +sec-updater.tnc_manage_command = /var/www/tnc/manage.py + strongTNC manage.py command used to import SWID tags. + +sec-updater.tmp.deb_file = /tmp/sec-updater.deb + Temporary storage for downloaded deb package file. + +sec-updater.tmp.tag_file = /tmp/sec-updater.tag + Temporary storage for generated SWID tags. + +sec-updater.load = + Plugins to load in sec-updater tool. diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf index 8858f3fc5..5a486114e 100644 --- a/conf/plugins/eap-radius.conf +++ b/conf/plugins/eap-radius.conf @@ -15,6 +15,10 @@ eap-radius { # virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary. # accounting_requires_vip = no + # If enabled, adds the Class attributes received in Access-Accept message to + # the RADIUS accounting messages. + # accounting_send_class = no + # Use class attributes in Access-Accept messages as group membership # information. # class_group = no diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt index c3668ec06..f18a74c49 100644 --- a/conf/plugins/eap-radius.opt +++ b/conf/plugins/eap-radius.opt @@ -13,6 +13,10 @@ charon.plugins.eap-radius.accounting_requires_vip = no If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary. +charon.plugins.eap-radius.accounting_send_class = no + If enabled, adds the Class attributes received in Access-Accept message to + the RADIUS accounting messages. + charon.plugins.eap-radius.class_group = no Use class attributes in Access-Accept messages as group membership information. diff --git a/conf/plugins/systime-fix.conf b/conf/plugins/systime-fix.conf index f5cd4cd5d..1d9a6983a 100644 --- a/conf/plugins/systime-fix.conf +++ b/conf/plugins/systime-fix.conf @@ -18,5 +18,9 @@ systime-fix { # strptime(3) format used to parse threshold option. # threshold_format = %Y + # How long to wait for a valid system time if an interval is configured. 0 + # to recheck indefinitely. + # timeout = 0s + } diff --git a/conf/plugins/systime-fix.opt b/conf/plugins/systime-fix.opt index 7abd03627..714981a52 100644 --- a/conf/plugins/systime-fix.opt +++ b/conf/plugins/systime-fix.opt @@ -10,3 +10,7 @@ charon.plugins.systime-fix.threshold = charon.plugins.systime-fix.threshold_format = %Y **strptime**(3) format used to parse threshold option. + +charon.plugins.systime-fix.timeout = 0s + How long to wait for a valid system time if an interval is configured. 0 to + recheck indefinitely. diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index 4f38c9b03..b54f3e492 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -632,6 +632,11 @@ If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary. .TP +.BR charon.plugins.eap-radius.accounting_send_class " [no]" +If enabled, adds the Class attributes received in Access\-Accept message to the +RADIUS accounting messages. + +.TP .BR charon.plugins.eap-radius.class_group " [no]" Use the .RI "" "class" "" @@ -1495,6 +1500,11 @@ Threshold date where system time is considered valid. Disabled if not specified. format used to parse threshold option. .TP +.BR charon.plugins.systime-fix.timeout " [0s]" +How long to wait for a valid system time if an interval is configured. 0 to +recheck indefinitely. + +.TP .BR charon.plugins.tnc-ifmap.client_cert " []" Path to X.509 certificate file of IF\-MAP client. @@ -1763,6 +1773,10 @@ Numerical routing table to install routes to. Priority of the routing table. .TP +.BR charon.rsa_pss " [no]" +Whether to use RSA with PSS padding instead of PKCS#1 padding by default. + +.TP .BR charon.send_delay " [0]" Delay in ms for sending packets, to simulate larger RTT. @@ -2307,16 +2321,6 @@ Number of thread for mediation service web application. Session timeout for mediation service. .TP -.BR pacman.database " []" -Database URI for the database that stores the package information. If it -contains a password, make sure to adjust the permissions of the config file -accordingly. - -.TP -.BR pacman.load " []" -Plugins to load in package manager. - -.TP .BR pki.load " []" Plugins to load in ipsec pki tool. @@ -2335,6 +2339,44 @@ Plugins to load in ipsec pool tool. Plugins to load in ipsec scepclient tool. .TP +.B sec-updater +.br +Options for the sec\-updater tool. + +.TP +.BR sec-updater.database " []" +Global IMV policy database URI. If it contains a password, make sure to adjust +the permissions of the config file accordingly. + +.TP +.BR sec-updater.load " []" +Plugins to load in sec\-updater tool. + +.TP +.BR sec-updater.swid_gen.command " [/usr/local/bin/swid_generator]" +SWID generator command to be executed. + +.TP +.BR sec-updater.swid_gen.tag_creator.name " [strongSwan Project]" +Name of the tagCreator entity. + +.TP +.BR sec-updater.swid_gen.tag_creator.regid " [strongswan.org]" +regid of the tagCreator entity. + +.TP +.BR sec-updater.tmp.deb_file " [/tmp/sec-updater.deb]" +Temporary storage for downloaded deb package file. + +.TP +.BR sec-updater.tmp.tag_file " [/tmp/sec-updater.tag]" +Temporary storage for generated SWID tags. + +.TP +.BR sec-updater.tnc_manage_command " [/var/www/tnc/manage.py]" +strongTNC manage.py command used to import SWID tags. + +.TP .BR starter.config_file " [${sysconfdir}/ipsec.conf]" Location of the ipsec.conf file diff --git a/config.h.in b/config.h.in index 06d399922..ba1deb1ce 100644 --- a/config.h.in +++ b/config.h.in @@ -136,7 +136,7 @@ /* Define to 1 if you have the `mmap' function. */ #undef HAVE_MMAP -/* have mpz_mown_sec() */ +/* have mpz_powm_sec() */ #undef HAVE_MPZ_POWM_SEC /* Define to 1 if you have the <netinet6/ipsec.h> header file. */ @@ -199,6 +199,9 @@ /* have PF_ROUTE RTM_IFANNOUNCE defined */ #undef HAVE_RTM_IFANNOUNCE +/* Define to 1 if you have the `sd_listen_fds_with_names' function. */ +#undef HAVE_SD_LISTEN_FDS_WITH_NAMES + /* Define to 1 if you have the `sem_timedwait' function. */ #undef HAVE_SEM_TIMEDWAIT @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for strongSwan 5.6.0. +# Generated by GNU Autoconf 2.69 for strongSwan 5.6.1. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='5.6.0' -PACKAGE_STRING='strongSwan 5.6.0' +PACKAGE_VERSION='5.6.1' +PACKAGE_STRING='strongSwan 5.6.1' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -741,6 +741,8 @@ USE_LOCK_PROFILER_FALSE USE_LOCK_PROFILER_TRUE USE_LEAK_DETECTIVE_FALSE USE_LEAK_DETECTIVE_TRUE +USE_COUNTERS_FALSE +USE_COUNTERS_TRUE USE_ATTR_SQL_FALSE USE_ATTR_SQL_TRUE USE_ATTR_FALSE @@ -1064,6 +1066,7 @@ RUBY_GEMS_INSTALL_FALSE RUBY_GEMS_INSTALL_TRUE RUBYGEMDIR GEM +FUZZING_LDFLAGS COVERAGE_LDFLAGS COVERAGE_CFLAGS GENHTML @@ -1080,6 +1083,7 @@ nm_LIBS nm_CFLAGS pcsclite_LIBS pcsclite_CFLAGS +OPENSSL_LIB MYSQLCFLAG MYSQLCONFIG MYSQLLIB @@ -1111,7 +1115,6 @@ USE_X86X64_FALSE USE_X86X64_TRUE USE_WINDOWS_FALSE USE_WINDOWS_TRUE -OPENSSL_LIB RTLIB USE_SYSLOG_FALSE USE_SYSLOG_TRUE @@ -1121,6 +1124,7 @@ SOCKLIB BTLIB DLLIB ALLOCA +GPERF_LEN_TYPE GPERF PERL pkgpyexecdir @@ -1447,6 +1451,7 @@ enable_android_log enable_bypass_lan enable_certexpire enable_connmark +enable_counters enable_forecast enable_duplicheck enable_error_notify @@ -2103,7 +2108,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 5.6.0 to adapt to many kinds of systems. +\`configure' configures strongSwan 5.6.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -2174,7 +2179,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 5.6.0:";; + short | recursive ) echo "Configuration of strongSwan 5.6.1:";; esac cat <<\_ACEOF @@ -2350,6 +2355,8 @@ Optional Features: certificates. --enable-connmark enable connmark plugin using conntrack based marks to select return path SA. + --enable-counters enable plugin that collects several performance + counters. --enable-forecast enable forecast plugin forwarding broadcast/multicast messages. --enable-duplicheck advanced duplicate checking plugin using liveness @@ -2652,7 +2659,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 5.6.0 +strongSwan configure 5.6.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3174,7 +3181,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 5.6.0, which was +It was created by strongSwan $as_me 5.6.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4037,7 +4044,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='5.6.0' + VERSION='5.6.1' cat >>confdefs.h <<_ACEOF @@ -7044,6 +7051,22 @@ fi disabled_by_default=${disabled_by_default}" connmark" +# Check whether --enable-counters was given. +if test "${enable_counters+set}" = set; then : + enableval=$enable_counters; counters_given=true + if test x$enableval = xyes; then + counters=true + else + counters=false + fi +else + counters=false + counters_given=false + +fi + + disabled_by_default=${disabled_by_default}" counters" + # Check whether --enable-forecast was given. if test "${enable_forecast+set}" = set; then : enableval=$enable_forecast; forecast_given=true @@ -18070,6 +18093,45 @@ fi $as_echo_n "checking gperf version >= 3.0.0... " >&6; } if test -x "$GPERF"; then if test "`$GPERF --version | $AWK -F' ' '/^GNU gperf/ { print $3 }' | $AWK -F. '{ print $1 }'`" -ge "3"; then + GPERF_OUTPUT="`echo foo | ${GPERF}`" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <string.h> + const char *in_word_set(const char*, size_t); $GPERF_OUTPUT +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + GPERF_LEN_TYPE=size_t +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <string.h> + const char *in_word_set(const char*, unsigned); $GPERF_OUTPUT +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + GPERF_LEN_TYPE=unsigned +else + as_fn_error $? "unable to determine gperf len type" "$LINENO" 5 + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else @@ -18166,10 +18228,14 @@ if test x$aikgen = xtrue; then tss_trousers=true fi -if test x$ntru = xtrue -o x$bliss = xtrue; then +if test x$gmp = xtrue -o x$ntru = xtrue -o x$bliss = xtrue; then mgf1=true fi +if test x$stroke = xtrue; then + counters=true +fi + # =========================================== # check required libraries and header files # =========================================== @@ -19605,7 +19671,7 @@ if ac_fn_c_try_compile "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } windows=true - openssl_lib=eay32 + PTHREADLIB="" # explicitly disable ms-bitfields, as it breaks __attribute__((packed)) @@ -19618,7 +19684,6 @@ else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } - openssl_lib=crypto # check for clock_gettime() on non-Windows only. Otherwise this # check might find clock_gettime() in libwinpthread, but we don't want @@ -19699,8 +19764,6 @@ done fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -OPENSSL_LIB=-l$openssl_lib - if test "x$windows" = xtrue; then USE_WINDOWS_TRUE= USE_WINDOWS_FALSE='#' @@ -19923,7 +19986,7 @@ $as_echo_n "checking mpz_powm_sec... " >&6; } int main () { -void *x = mpz_powm_sec; +void *x __attribute__((unused)); x = mpz_powm_sec; ; return 0; } @@ -20869,6 +20932,20 @@ $as_echo "yes" >&6; } fi + saved_LIBS=$LIBS + LIBS="$systemd_LIBS $systemd_daemon_LIBS" + for ac_func in sd_listen_fds_with_names +do : + ac_fn_c_check_func "$LINENO" "sd_listen_fds_with_names" "ac_cv_func_sd_listen_fds_with_names" +if test "x$ac_cv_func_sd_listen_fds_with_names" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SD_LISTEN_FDS_WITH_NAMES 1 +_ACEOF + +fi +done + + LIBS=$saved_LIBS fi if test x$tss_trousers = xtrue; then @@ -21945,7 +22022,57 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi if test x$openssl = xtrue; then - as_ac_Lib=`$as_echo "ac_cv_lib_$openssl_lib''_EVP_CIPHER_CTX_new" | $as_tr_sh` + if test "x$windows" = xtrue; then + openssl_lib=eay32 + as_ac_Lib=`$as_echo "ac_cv_lib_$openssl_lib''_EVP_CIPHER_CTX_new" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -l$openssl_lib" >&5 +$as_echo_n "checking for EVP_CIPHER_CTX_new in -l$openssl_lib... " >&6; } +if eval \${$as_ac_Lib+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-l$openssl_lib $DLLIB $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char EVP_CIPHER_CTX_new (); +int +main () +{ +return EVP_CIPHER_CTX_new (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + eval "$as_ac_Lib=yes" +else + eval "$as_ac_Lib=no" +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +eval ac_res=\$$as_ac_Lib + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then : + LIBS="$LIBS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; };openssl_lib="" +fi + + fi + if test -z "$openssl_lib"; then + openssl_lib=crypto + as_ac_Lib=`$as_echo "ac_cv_lib_$openssl_lib''_EVP_CIPHER_CTX_new" | $as_tr_sh` { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -l$openssl_lib" >&5 $as_echo_n "checking for EVP_CIPHER_CTX_new in -l$openssl_lib... " >&6; } if eval \${$as_ac_Lib+:} false; then : @@ -21989,6 +22116,9 @@ else as_fn_error $? "OpenSSL lib$openssl_lib not found" "$LINENO" 5 fi + fi + OPENSSL_LIB=-l$openssl_lib + ac_fn_c_check_header_mongrel "$LINENO" "openssl/evp.h" "ac_cv_header_openssl_evp_h" "$ac_includes_default" if test "x$ac_cv_header_openssl_evp_h" = xyes; then : @@ -23043,6 +23173,19 @@ $as_echo "$as_me: coverage enabled, adding \"-g -O0\" to CFLAGS" >&6;} CFLAGS="${CFLAGS} -g -O0" fi +if test x$fuzzing = xtrue; then + if test x$libfuzzer = x; then + { $as_echo "$as_me:${as_lineno-$LINENO}: fuzz targets enabled without libFuzzer, using local driver" >&5 +$as_echo "$as_me: fuzz targets enabled without libFuzzer, using local driver" >&6;} + CFLAGS="${CFLAGS} -fsanitize=address" + libfuzzer="libFuzzerLocal.a" + else + # required for libFuzzer + FUZZING_LDFLAGS="-stdlib=libc++ -lstdc++" + + fi +fi + if test x$ruby_gems = xtrue; then # Extract the first word of "gem", so it can be a program name with args. set dummy gem; ac_word=$2 @@ -24364,6 +24507,12 @@ if test x$unity = xtrue; then fi +if test x$counters = xtrue; then + c_plugins=${c_plugins}" counters" + charon_plugins=${charon_plugins}" counters" + + fi + @@ -25569,6 +25718,14 @@ else USE_ATTR_SQL_FALSE= fi + if test x$counters = xtrue; then + USE_COUNTERS_TRUE= + USE_COUNTERS_FALSE='#' +else + USE_COUNTERS_TRUE='#' + USE_COUNTERS_FALSE= +fi + # other options # --------------- @@ -25780,7 +25937,7 @@ else USE_LIBPTTLS_FALSE= fi - if test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$tpm -o x$aikgen = xtrue -o x$imcv = xtrue; then + if test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$tpm = xtrue -o x$aikgen = xtrue -o x$imcv = xtrue; then USE_LIBTPMTSS_TRUE= USE_LIBTPMTSS_FALSE='#' else @@ -26079,8 +26236,8 @@ fi if test -z "$USE_IMCV_TRUE"; then : strongswan_options=${strongswan_options}" imcv" fi -if test -z "$USE_IMV_OS_TRUE"; then : - strongswan_options=${strongswan_options}" pacman" +if test -z "$USE_IMV_SWIMA_TRUE"; then : + strongswan_options=${strongswan_options}" sec-updater" fi if test -z "$USE_LIBTNCCS_TRUE"; then : strongswan_options=${strongswan_options}" tnc" @@ -26110,14 +26267,14 @@ fi # build Makefiles # ================= -ac_config_files="$ac_config_files Makefile conf/Makefile fuzz/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/math/libnttfft/Makefile src/libstrongswan/math/libnttfft/tests/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/sha3/Makefile src/libstrongswan/plugins/mgf1/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/curve25519/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/aesni/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/chapoly/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/bliss/Makefile src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/newhope/Makefile src/libstrongswan/plugins/newhope/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libipsec/Makefile src/libipsec/tests/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/libimcv/plugins/imc_swima/Makefile src/libimcv/plugins/imv_swima/Makefile src/libimcv/plugins/imc_hcd/Makefile src/libimcv/plugins/imv_hcd/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/bypass_lan/Makefile src/libcharon/plugins/connmark/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_netlink/Makefile src/libcharon/plugins/kernel_pfkey/Makefile src/libcharon/plugins/kernel_pfroute/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/p_cscf/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/vici/perl/Makefile src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/load_tester/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/attr/Makefile src/libcharon/plugins/attr_sql/Makefile src/libcharon/tests/Makefile src/libtpmtss/Makefile src/libtpmtss/plugins/tpm/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/sw-collector/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile" +ac_config_files="$ac_config_files Makefile conf/Makefile fuzz/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/math/libnttfft/Makefile src/libstrongswan/math/libnttfft/tests/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/sha3/Makefile src/libstrongswan/plugins/mgf1/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/curve25519/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/aesni/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/chapoly/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/bliss/Makefile src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/newhope/Makefile src/libstrongswan/plugins/newhope/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libipsec/Makefile src/libipsec/tests/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/libimcv/plugins/imc_swima/Makefile src/libimcv/plugins/imv_swima/Makefile src/libimcv/plugins/imc_hcd/Makefile src/libimcv/plugins/imv_hcd/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/bypass_lan/Makefile src/libcharon/plugins/connmark/Makefile src/libcharon/plugins/counters/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_netlink/Makefile src/libcharon/plugins/kernel_pfkey/Makefile src/libcharon/plugins/kernel_pfroute/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/p_cscf/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/vici/perl/Makefile src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/load_tester/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/attr/Makefile src/libcharon/plugins/attr_sql/Makefile src/libcharon/tests/Makefile src/libtpmtss/Makefile src/libtpmtss/plugins/tpm/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/sw-collector/Makefile src/sec-updater/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile" # ================= # build man pages # ================= -ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---acert.1 src/pki/man/pki---dn.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs12.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---verify.1 src/swanctl/swanctl.8 src/swanctl/swanctl.conf.5.head src/swanctl/swanctl.conf.5.tail src/pt-tls-client/pt-tls-client.1 src/sw-collector/sw-collector.8" +ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---acert.1 src/pki/man/pki---dn.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs12.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---verify.1 src/swanctl/swanctl.8 src/swanctl/swanctl.conf.5.head src/swanctl/swanctl.conf.5.tail src/pt-tls-client/pt-tls-client.1 src/sw-collector/sw-collector.8 src/sec-updater/sec-updater.8" cat >confcache <<\_ACEOF @@ -26870,6 +27027,10 @@ if test -z "${USE_ATTR_SQL_TRUE}" && test -z "${USE_ATTR_SQL_FALSE}"; then as_fn_error $? "conditional \"USE_ATTR_SQL\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_COUNTERS_TRUE}" && test -z "${USE_COUNTERS_FALSE}"; then + as_fn_error $? "conditional \"USE_COUNTERS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_LEAK_DETECTIVE_TRUE}" && test -z "${USE_LEAK_DETECTIVE_FALSE}"; then as_fn_error $? "conditional \"USE_LEAK_DETECTIVE\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -27483,7 +27644,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 5.6.0, which was +This file was extended by strongSwan $as_me 5.6.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -27549,7 +27710,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -strongSwan config.status 5.6.0 +strongSwan config.status 5.6.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -28102,6 +28263,7 @@ do "src/libcharon/plugins/socket_win/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_win/Makefile" ;; "src/libcharon/plugins/bypass_lan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/bypass_lan/Makefile" ;; "src/libcharon/plugins/connmark/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/connmark/Makefile" ;; + "src/libcharon/plugins/counters/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/counters/Makefile" ;; "src/libcharon/plugins/forecast/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/forecast/Makefile" ;; "src/libcharon/plugins/farp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/farp/Makefile" ;; "src/libcharon/plugins/smp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/smp/Makefile" ;; @@ -28168,6 +28330,7 @@ do "src/conftest/Makefile") CONFIG_FILES="$CONFIG_FILES src/conftest/Makefile" ;; "src/pt-tls-client/Makefile") CONFIG_FILES="$CONFIG_FILES src/pt-tls-client/Makefile" ;; "src/sw-collector/Makefile") CONFIG_FILES="$CONFIG_FILES src/sw-collector/Makefile" ;; + "src/sec-updater/Makefile") CONFIG_FILES="$CONFIG_FILES src/sec-updater/Makefile" ;; "src/swanctl/Makefile") CONFIG_FILES="$CONFIG_FILES src/swanctl/Makefile" ;; "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;; "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;; @@ -28195,6 +28358,7 @@ do "src/swanctl/swanctl.conf.5.tail") CONFIG_FILES="$CONFIG_FILES src/swanctl/swanctl.conf.5.tail" ;; "src/pt-tls-client/pt-tls-client.1") CONFIG_FILES="$CONFIG_FILES src/pt-tls-client/pt-tls-client.1" ;; "src/sw-collector/sw-collector.8") CONFIG_FILES="$CONFIG_FILES src/sw-collector/sw-collector.8" ;; + "src/sec-updater/sec-updater.8") CONFIG_FILES="$CONFIG_FILES src/sec-updater/sec-updater.8" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac diff --git a/configure.ac b/configure.ac index 45277d967..6effecce3 100644 --- a/configure.ac +++ b/configure.ac @@ -1,6 +1,6 @@ # # Copyright (C) 2007-2017 Tobias Brunner -# Copyright (C) 2006-2016 Andreas Steffen +# Copyright (C) 2006-2017 Andreas Steffen # Copyright (C) 2006-2014 Martin Willi # HSR Hochschule fuer Technik Rapperswil # @@ -19,7 +19,7 @@ # initialize & set some vars # ============================ -AC_INIT([strongSwan],[5.6.0]) +AC_INIT([strongSwan],[5.6.1]) AM_INIT_AUTOMAKE(m4_esyscmd([ echo tar-ustar echo subdir-objects @@ -263,6 +263,7 @@ ARG_ENABL_SET([android-log], [enable Android specific logger plugin.]) ARG_ENABL_SET([bypass-lan], [enable plugin to install bypass policies for local subnets.]) ARG_ENABL_SET([certexpire], [enable CSV export of expiration dates of used certificates.]) ARG_ENABL_SET([connmark], [enable connmark plugin using conntrack based marks to select return path SA.]) +ARG_ENABL_SET([counters], [enable plugin that collects several performance counters.]) ARG_ENABL_SET([forecast], [enable forecast plugin forwarding broadcast/multicast messages.]) ARG_ENABL_SET([duplicheck], [advanced duplicate checking plugin using liveness checks.]) ARG_ENABL_SET([error-notify], [enable error notification plugin.]) @@ -378,6 +379,21 @@ AC_PATH_PROG([GPERF], [gperf], [], [$PATH:/bin:/usr/bin:/usr/local/bin]) AC_MSG_CHECKING([gperf version >= 3.0.0]) if test -x "$GPERF"; then if test "`$GPERF --version | $AWK -F' ' '/^GNU gperf/ { print $3 }' | $AWK -F. '{ print $1 }'`" -ge "3"; then + GPERF_OUTPUT="`echo foo | ${GPERF}`" + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[#include <string.h> + const char *in_word_set(const char*, size_t); $GPERF_OUTPUT]])], + [GPERF_LEN_TYPE=size_t], + [AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[#include <string.h> + const char *in_word_set(const char*, unsigned); $GPERF_OUTPUT]])], + [GPERF_LEN_TYPE=unsigned], + [AC_MSG_ERROR([unable to determine gperf len type])] + )] + ) + AC_SUBST(GPERF_LEN_TYPE) AC_MSG_RESULT([yes]) else AC_MSG_RESULT([no]) @@ -471,10 +487,14 @@ if test x$aikgen = xtrue; then tss_trousers=true fi -if test x$ntru = xtrue -o x$bliss = xtrue; then +if test x$gmp = xtrue -o x$ntru = xtrue -o x$bliss = xtrue; then mgf1=true fi +if test x$stroke = xtrue; then + counters=true +fi + # =========================================== # check required libraries and header files # =========================================== @@ -827,7 +847,7 @@ AC_COMPILE_IFELSE( [ AC_MSG_RESULT([yes]) windows=true - openssl_lib=eay32 + AC_SUBST(PTHREADLIB, "") # explicitly disable ms-bitfields, as it breaks __attribute__((packed)) case "$CFLAGS" in @@ -837,7 +857,6 @@ AC_COMPILE_IFELSE( ], [ AC_MSG_RESULT([no]) - openssl_lib=crypto # check for clock_gettime() on non-Windows only. Otherwise this # check might find clock_gettime() in libwinpthread, but we don't want @@ -851,7 +870,6 @@ AC_COMPILE_IFELSE( LIBS=$saved_LIBS ] ) -AC_SUBST(OPENSSL_LIB, [-l$openssl_lib]) AM_CONDITIONAL(USE_WINDOWS, [test "x$windows" = xtrue]) AC_MSG_CHECKING([for working __attribute__((packed))]) @@ -919,9 +937,9 @@ if test x$gmp = xtrue; then AC_COMPILE_IFELSE( [AC_LANG_PROGRAM( [[#include "gmp.h"]], - [[void *x = mpz_powm_sec;]])], + [[void *x __attribute__((unused)); x = mpz_powm_sec;]])], [AC_MSG_RESULT([yes]); - AC_DEFINE([HAVE_MPZ_POWM_SEC], [], [have mpz_mown_sec()])], + AC_DEFINE([HAVE_MPZ_POWM_SEC], [], [have mpz_powm_sec()])], [AC_MSG_RESULT([no])] ) else @@ -989,6 +1007,10 @@ if test x$systemd = xtrue; then AC_SUBST(systemd_journal_CFLAGS) AC_SUBST(systemd_journal_LIBS)] ) + saved_LIBS=$LIBS + LIBS="$systemd_LIBS $systemd_daemon_LIBS" + AC_CHECK_FUNCS(sd_listen_fds_with_names) + LIBS=$saved_LIBS fi if test x$tss_trousers = xtrue; then @@ -1103,8 +1125,17 @@ if test x$sqlite = xtrue; then fi if test x$openssl = xtrue; then - AC_CHECK_LIB([$openssl_lib],[EVP_CIPHER_CTX_new],[LIBS="$LIBS"], - [AC_MSG_ERROR([OpenSSL lib$openssl_lib not found])],[$DLLIB]) + if test "x$windows" = xtrue; then + openssl_lib=eay32 + AC_CHECK_LIB([$openssl_lib],[EVP_CIPHER_CTX_new],[LIBS="$LIBS"], + [AC_MSG_RESULT([no]);openssl_lib=""],[$DLLIB]) + fi + if test -z "$openssl_lib"; then + openssl_lib=crypto + AC_CHECK_LIB([$openssl_lib],[EVP_CIPHER_CTX_new],[LIBS="$LIBS"], + [AC_MSG_ERROR([OpenSSL lib$openssl_lib not found])],[$DLLIB]) + fi + AC_SUBST(OPENSSL_LIB, [-l$openssl_lib]) AC_CHECK_HEADER([openssl/evp.h],,[AC_MSG_ERROR([OpenSSL header openssl/evp.h not found!])]) fi @@ -1253,6 +1284,18 @@ if test x$coverage = xtrue; then CFLAGS="${CFLAGS} -g -O0" fi +if test x$fuzzing = xtrue; then + if test x$libfuzzer = x; then + AC_MSG_NOTICE([fuzz targets enabled without libFuzzer, using local driver]) + CFLAGS="${CFLAGS} -fsanitize=address" + libfuzzer="libFuzzerLocal.a" + else + # required for libFuzzer + FUZZING_LDFLAGS="-stdlib=libc++ -lstdc++" + AC_SUBST(FUZZING_LDFLAGS) + fi +fi + if test x$ruby_gems = xtrue; then AC_PATH_PROG([GEM], [gem], [], [$PATH:/bin:/usr/bin:/usr/local/bin]) if test x$GEM = x; then @@ -1459,6 +1502,7 @@ ADD_PLUGIN([radattr], [c charon]) ADD_PLUGIN([uci], [c charon]) ADD_PLUGIN([addrblock], [c charon]) ADD_PLUGIN([unity], [c charon]) +ADD_PLUGIN([counters], [c charon]) AC_SUBST(charon_plugins) AC_SUBST(starter_plugins) @@ -1635,6 +1679,7 @@ AM_CONDITIONAL(USE_UNITY, test x$unity = xtrue) AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue) AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue) AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue) +AM_CONDITIONAL(USE_COUNTERS, test x$counters = xtrue) # other options # --------------- @@ -1664,7 +1709,7 @@ AM_CONDITIONAL(USE_LIBNTTFFT, test x$bliss = xtrue -o x$newhope = xtrue) AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue) AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue) AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue) -AM_CONDITIONAL(USE_LIBTPMTSS, test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$tpm -o x$aikgen = xtrue -o x$imcv = xtrue) +AM_CONDITIONAL(USE_LIBTPMTSS, test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$tpm = xtrue -o x$aikgen = xtrue -o x$imcv = xtrue) AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue) AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue) AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap) @@ -1737,7 +1782,7 @@ AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charo AM_COND_IF([USE_FILE_CONFIG], [strongswan_options=${strongswan_options}" starter"]) AM_COND_IF([USE_IMV_ATTESTATION], [strongswan_options=${strongswan_options}" attest"]) AM_COND_IF([USE_IMCV], [strongswan_options=${strongswan_options}" imcv"]) -AM_COND_IF([USE_IMV_OS], [strongswan_options=${strongswan_options}" pacman"]) +AM_COND_IF([USE_IMV_SWIMA], [strongswan_options=${strongswan_options}" sec-updater"]) AM_COND_IF([USE_LIBTNCCS], [strongswan_options=${strongswan_options}" tnc"]) AM_COND_IF([USE_MANAGER], [strongswan_options=${strongswan_options}" manager"]) AM_COND_IF([USE_MEDSRV], [strongswan_options=${strongswan_options}" medsrv"]) @@ -1891,6 +1936,7 @@ AC_CONFIG_FILES([ src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/bypass_lan/Makefile src/libcharon/plugins/connmark/Makefile + src/libcharon/plugins/counters/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile @@ -1957,6 +2003,7 @@ AC_CONFIG_FILES([ src/conftest/Makefile src/pt-tls-client/Makefile src/sw-collector/Makefile + src/sec-updater/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile @@ -1991,6 +2038,7 @@ AC_CONFIG_FILES([ src/swanctl/swanctl.conf.5.tail src/pt-tls-client/pt-tls-client.1 src/sw-collector/sw-collector.8 + src/sec-updater/sec-updater.8 ]) AC_OUTPUT diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am index 66debc226..bdc3e2ebc 100644 --- a/fuzz/Makefile.am +++ b/fuzz/Makefile.am @@ -1,12 +1,12 @@ -CPPFLAGS = @CPPFLAGS@ \ +AM_CPPFLAGS = @CPPFLAGS@ \ -I$(top_srcdir)/src/libstrongswan \ -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ -DPLUGINS="\"${fuzz_plugins}\"" -LDFLAGS = @LDFLAGS@ ${libfuzzer} \ +fuzz_ldflags = ${libfuzzer} \ $(top_builddir)/src/libstrongswan/.libs/libstrongswan.a \ -Wl,-Bstatic -lgmp -Wl,-Bdynamic \ - -stdlib=libc++ -lstdc++ + @FUZZING_LDFLAGS@ FUZZ_TARGETS=fuzz_certs @@ -14,5 +14,18 @@ all-local: $(FUZZ_TARGETS) CLEANFILES=$(FUZZ_TARGETS) -fuzz_certs: fuzz_certs.c - $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $< $(LDFLAGS) +fuzz_certs: fuzz_certs.c ${libfuzzer} + $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(fuzz_ldflags) + +noinst_LIBRARIES = libFuzzerLocal.a +libFuzzerLocal_a_SOURCES = libFuzzerLocal.c +libFuzzerLocal_a_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la + +check: all + for f in $(FUZZ_TARGETS); do \ + corpus=$${f#fuzz_}; \ + corpus=$${corpus%%_*}; \ + ./$$f $(FUZZING_CORPORA)/$${corpus}/*; \ + crashes=$(FUZZING_CORPORA)/$${corpus}-crash; \ + test ! -d $${crashes} || ./$$f $${crashes}/*; \ + done diff --git a/fuzz/Makefile.in b/fuzz/Makefile.in index 8306f44ec..31b590273 100644 --- a/fuzz/Makefile.in +++ b/fuzz/Makefile.in @@ -13,6 +13,7 @@ # PARTICULAR PURPOSE. @SET_MAKE@ + VPATH = @srcdir@ am__is_gnu_make = { \ if test -z '$(MAKELEVEL)'; then \ @@ -106,6 +107,17 @@ mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = +LIBRARIES = $(noinst_LIBRARIES) +ARFLAGS = cru +AM_V_AR = $(am__v_AR_@AM_V@) +am__v_AR_ = $(am__v_AR_@AM_DEFAULT_V@) +am__v_AR_0 = @echo " AR " $@; +am__v_AR_1 = +libFuzzerLocal_a_AR = $(AR) $(ARFLAGS) +libFuzzerLocal_a_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la +am_libFuzzerLocal_a_OBJECTS = libFuzzerLocal.$(OBJEXT) +libFuzzerLocal_a_OBJECTS = $(am_libFuzzerLocal_a_OBJECTS) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -118,15 +130,59 @@ AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = -SOURCES = -DIST_SOURCES = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libFuzzerLocal_a_SOURCES) +DIST_SOURCES = $(libFuzzerLocal_a_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) -am__DIST_COMMON = $(srcdir)/Makefile.in +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ @@ -146,11 +202,7 @@ CFLAGS = @CFLAGS@ COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ \ - -I$(top_srcdir)/src/libstrongswan \ - -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ - -DPLUGINS="\"${fuzz_plugins}\"" - +CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ @@ -165,9 +217,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -177,11 +231,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LCOV = @LCOV@ LD = @LD@ -LDFLAGS = @LDFLAGS@ ${libfuzzer} \ - $(top_builddir)/src/libstrongswan/.libs/libstrongswan.a \ - -Wl,-Bstatic -lgmp -Wl,-Bdynamic \ - -stdlib=libc++ -lstdc++ - +LDFLAGS = @LDFLAGS@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ @@ -372,11 +422,25 @@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = @CPPFLAGS@ \ + -I$(top_srcdir)/src/libstrongswan \ + -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ + -DPLUGINS="\"${fuzz_plugins}\"" + +fuzz_ldflags = ${libfuzzer} \ + $(top_builddir)/src/libstrongswan/.libs/libstrongswan.a \ + -Wl,-Bstatic -lgmp -Wl,-Bdynamic \ + @FUZZING_LDFLAGS@ + FUZZ_TARGETS = fuzz_certs CLEANFILES = $(FUZZ_TARGETS) +noinst_LIBRARIES = libFuzzerLocal.a +libFuzzerLocal_a_SOURCES = libFuzzerLocal.c +libFuzzerLocal_a_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la all: all-am .SUFFIXES: +.SUFFIXES: .c .lo .o .obj $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ @@ -407,17 +471,103 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-noinstLIBRARIES: + -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) + +libFuzzerLocal.a: $(libFuzzerLocal_a_OBJECTS) $(libFuzzerLocal_a_DEPENDENCIES) $(EXTRA_libFuzzerLocal_a_DEPENDENCIES) + $(AM_V_at)-rm -f libFuzzerLocal.a + $(AM_V_AR)$(libFuzzerLocal_a_AR) libFuzzerLocal.a $(libFuzzerLocal_a_OBJECTS) $(libFuzzerLocal_a_LIBADD) + $(AM_V_at)$(RANLIB) libFuzzerLocal.a + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libFuzzerLocal.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs -tags TAGS: -ctags CTAGS: - -cscope cscopelist: +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ @@ -451,7 +601,7 @@ distdir: $(DISTFILES) done check-am: all-am check: check-am -all-am: Makefile all-local +all-am: Makefile $(LIBRARIES) all-local installdirs: install: install-am install-exec: install-exec-am @@ -486,11 +636,14 @@ maintainer-clean-generic: @echo "it deletes files that may require special tools to rebuild." clean: clean-am -clean-am: clean-generic clean-libtool mostlyclean-am +clean-am: clean-generic clean-libtool clean-noinstLIBRARIES \ + mostlyclean-am distclean: distclean-am + -rm -rf ./$(DEPDIR) -rm -f Makefile -distclean-am: clean-am distclean-generic +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags dvi: dvi-am @@ -533,12 +686,14 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am -mostlyclean-am: mostlyclean-generic mostlyclean-libtool +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf: pdf-am @@ -552,26 +707,36 @@ uninstall-am: .MAKE: install-am install-strip -.PHONY: all all-am all-local check check-am clean clean-generic \ - clean-libtool cscopelist-am ctags-am distclean \ - distclean-generic distclean-libtool distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-dvi install-dvi-am install-exec \ - install-exec-am install-html install-html-am install-info \ - install-info-am install-man install-pdf install-pdf-am \ - install-ps install-ps-am install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \ - uninstall-am +.PHONY: CTAGS GTAGS TAGS all all-am all-local check check-am clean \ + clean-generic clean-libtool clean-noinstLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am .PRECIOUS: Makefile all-local: $(FUZZ_TARGETS) -fuzz_certs: fuzz_certs.c - $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $< $(LDFLAGS) +fuzz_certs: fuzz_certs.c ${libfuzzer} + $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(fuzz_ldflags) + +check: all + for f in $(FUZZ_TARGETS); do \ + corpus=$${f#fuzz_}; \ + corpus=$${corpus%%_*}; \ + ./$$f $(FUZZING_CORPORA)/$${corpus}/*; \ + crashes=$(FUZZING_CORPORA)/$${corpus}-crash; \ + test ! -d $${crashes} || ./$$f $${crashes}/*; \ + done # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/fuzz/libFuzzerLocal.c b/fuzz/libFuzzerLocal.c new file mode 100644 index 000000000..af5c50c66 --- /dev/null +++ b/fuzz/libFuzzerLocal.c @@ -0,0 +1,59 @@ +/* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <errno.h> +#include <library.h> + +extern int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size); +__attribute__((weak)) extern int LLVMFuzzerInitialize(int *argc, char ***argv); + +/** + * This is a simple driver for the fuzz targets to verify test inputs outside + * of OSS-Fuzz. + * + * Failures will usually cause crashes. + */ +int main(int argc, char **argv) +{ + chunk_t *data; + int i, res = 0; + + fprintf(stderr, "%s: running %d inputs\n", argv[0], argc - 1); + if (LLVMFuzzerInitialize) + { + LLVMFuzzerInitialize(&argc, &argv); + } + for (i = 1; i < argc; i++) + { + fprintf(stderr, "running: %s\n", argv[i]); + data = chunk_map(argv[i], FALSE); + if (!data) + { + fprintf(stderr, "opening %s failed: %s\n", argv[i], strerror(errno)); + return 1; + } + res = LLVMFuzzerTestOneInput(data->ptr, data->len); + fprintf(stderr, "done: %s: (%zd bytes)\n", argv[i], data->len); + chunk_unmap(data); + if (res) + { + break; + } + } + fprintf(stderr, "%s: completed %d inputs\n", argv[0], i-1); + return res; +} diff --git a/init/Makefile.in b/init/Makefile.in index a0b2b9bca..2db9855d3 100644 --- a/init/Makefile.in +++ b/init/Makefile.in @@ -223,9 +223,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/init/systemd-swanctl/Makefile.in b/init/systemd-swanctl/Makefile.in index b68958d46..a1af33e03 100644 --- a/init/systemd-swanctl/Makefile.in +++ b/init/systemd-swanctl/Makefile.in @@ -191,9 +191,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in index 3e20f5c7f..f79f43a13 100644 --- a/init/systemd/Makefile.in +++ b/init/systemd/Makefile.in @@ -191,9 +191,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/man/Makefile.in b/man/Makefile.in index 795505a14..9b793627d 100644 --- a/man/Makefile.in +++ b/man/Makefile.in @@ -197,9 +197,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 69aeba8cb..774df75ac 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -631,6 +631,12 @@ constraint (without ike: prefix) will also apply to IKEv2 authentication, unless this is disabled in .BR strongswan.conf (5). +To use or require RSASSA-PSS signatures use rsa/pss instead of rsa as in e.g. +.BR ike:rsa/pss-sha256 . +If \fBpubkey\fR or \fBrsa\fR constraints are configured RSASSA-PSS signatures +will only be used/accepted if enabled in +.BR strongswan.conf (5). + For .BR eap , an optional EAP method can be appended. Currently defined methods are @@ -1031,8 +1037,8 @@ Relevant only locally, other end need not agree on it. Also see EXPIRY/REKEY below. .TP .BR mark " = <value>[/<mask>]" -sets an XFRM mark in the inbound and outbound -IPsec SAs and policies. If the mask is missing then a default +sets an XFRM mark on the inbound policy and outbound +IPsec SA and policy. If the mask is missing then a default mask of .B 0xffffffff is assumed. The special value @@ -1043,13 +1049,13 @@ make the mark unique for each IPsec SA direction (in/out) the special value may be used. .TP .BR mark_in " = <value>[/<mask>]" -sets an XFRM mark in the inbound IPsec SA and -policy. If the mask is missing then a default mask of +sets an XFRM mark on the inbound policy (not on the SA). If the mask is missing +then a default mask of .B 0xffffffff is assumed. .TP .BR mark_out " = <value>[/<mask>]" -sets an XFRM mark in the outbound IPsec SA and +sets an XFRM mark on the outbound IPsec SA and policy. If the mask is missing then a default mask of .B 0xffffffff is assumed. diff --git a/scripts/Makefile.in b/scripts/Makefile.in index 1f1c37bc5..b13d3c5c6 100644 --- a/scripts/Makefile.in +++ b/scripts/Makefile.in @@ -305,9 +305,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/scripts/oid2der.c b/scripts/oid2der.c index 793c9804a..c8ab8df0f 100644 --- a/scripts/oid2der.c +++ b/scripts/oid2der.c @@ -23,9 +23,26 @@ int main(int argc, char *argv[]) { int i, nr = 0; chunk_t oid; + char *decoded; + bool decode = FALSE; + + if (streq(argv[1], "-d")) + { + decode = TRUE; + nr++; + } while (argc > ++nr) { + if (decode) + { + oid = chunk_from_hex(chunk_from_str(argv[nr]), NULL); + decoded = asn1_oid_to_string(oid); + printf("%s\n", decoded); + free(decoded); + free(oid.ptr); + continue; + } oid = asn1_oid_from_string(argv[nr]); if (oid.len) { diff --git a/scripts/pubkey_speed.c b/scripts/pubkey_speed.c index 66279ada3..2928772b8 100644 --- a/scripts/pubkey_speed.c +++ b/scripts/pubkey_speed.c @@ -118,7 +118,7 @@ int main(int argc, char *argv[]) start_timing(&timing); for (round = 0; round < rounds; round++) { - if (!private->sign(private, scheme, data, &sigs[round])) + if (!private->sign(private, scheme, NULL, data, &sigs[round])) { printf("creating signature failed\n"); exit(1); @@ -135,7 +135,7 @@ int main(int argc, char *argv[]) start_timing(&timing); for (round = 0; round < rounds; round++) { - if (!public->verify(public, scheme, data, sigs[round])) + if (!public->verify(public, scheme, NULL, data, sigs[round])) { printf("signature verification failed\n"); exit(1); diff --git a/src/Makefile.am b/src/Makefile.am index 1bdb8337c..7bef1a5dd 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -132,6 +132,10 @@ if USE_IMC_SWIMA SUBDIRS += sw-collector endif +if USE_IMV_SWIMA + SUBDIRS += sec-updater +endif + if USE_INTEGRITY_TEST SUBDIRS += checksum endif diff --git a/src/Makefile.in b/src/Makefile.in index 84d2ad9a1..baae1e09a 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -120,8 +120,9 @@ host_triplet = @host@ @USE_SVC_TRUE@am__append_31 = charon-svc @USE_LIBPTTLS_TRUE@am__append_32 = pt-tls-client @USE_IMC_SWIMA_TRUE@am__append_33 = sw-collector -@USE_INTEGRITY_TEST_TRUE@am__append_34 = checksum -@USE_AIKGEN_TRUE@am__append_35 = aikgen +@USE_IMV_SWIMA_TRUE@am__append_34 = sec-updater +@USE_INTEGRITY_TEST_TRUE@am__append_35 = checksum +@USE_AIKGEN_TRUE@am__append_36 = aikgen subdir = src ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -200,7 +201,7 @@ DIST_SUBDIRS = . include libstrongswan libipsec libsimaka libtls \ libcharon starter ipsec _copyright charon charon-systemd \ charon-nm stroke _updown scepclient pki swanctl conftest dumm \ libfast manager medsrv pool charon-tkm charon-cmd charon-svc \ - pt-tls-client sw-collector checksum aikgen + pt-tls-client sw-collector sec-updater checksum aikgen am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ @@ -261,9 +262,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -475,7 +478,7 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \ $(am__append_25) $(am__append_26) $(am__append_27) \ $(am__append_28) $(am__append_29) $(am__append_30) \ $(am__append_31) $(am__append_32) $(am__append_33) \ - $(am__append_34) $(am__append_35) + $(am__append_34) $(am__append_35) $(am__append_36) all: all-recursive .SUFFIXES: diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in index 5ba747ac7..af7a95df3 100644 --- a/src/_copyright/Makefile.in +++ b/src/_copyright/Makefile.in @@ -213,9 +213,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in index c51d65dd5..86aca5ff9 100644 --- a/src/_updown/Makefile.in +++ b/src/_updown/Makefile.in @@ -191,9 +191,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/aikgen/Makefile.in b/src/aikgen/Makefile.in index 61fcaf86c..7986a1d09 100644 --- a/src/aikgen/Makefile.in +++ b/src/aikgen/Makefile.in @@ -214,9 +214,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in index ea492f957..b9fe0b7f6 100644 --- a/src/charon-cmd/Makefile.in +++ b/src/charon-cmd/Makefile.in @@ -251,9 +251,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in index 6733a3321..3cff97e7c 100644 --- a/src/charon-nm/Makefile.in +++ b/src/charon-nm/Makefile.in @@ -250,9 +250,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/charon-svc/Makefile.in b/src/charon-svc/Makefile.in index 263c6a3fb..8da578457 100644 --- a/src/charon-svc/Makefile.in +++ b/src/charon-svc/Makefile.in @@ -214,9 +214,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/charon-systemd/Makefile.in b/src/charon-systemd/Makefile.in index 9697c426b..f28204b33 100644 --- a/src/charon-systemd/Makefile.in +++ b/src/charon-systemd/Makefile.in @@ -218,9 +218,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in index 258f33b0f..c2762f031 100644 --- a/src/charon-tkm/Makefile.in +++ b/src/charon-tkm/Makefile.in @@ -161,9 +161,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c index a4d4d0cf5..7f014237a 100644 --- a/src/charon-tkm/src/charon-tkm.c +++ b/src/charon-tkm/src/charon-tkm.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2017 Tobias Brunner * Copyright (C) 2012 Reto Buerki * Copyright (C) 2012 Adrian-Ken Rueegsegger - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -24,6 +24,7 @@ #include <sys/types.h> #include <unistd.h> #include <libgen.h> +#include <fcntl.h> #include <errno.h> #include <daemon.h> @@ -50,6 +51,11 @@ static tkm_listener_t *listener; /** + * Name of the daemon + */ +static char *dmn_name; + +/** * PID file, in which charon-tkm stores its process id */ static char *pidfile_name = NULL; @@ -186,8 +192,11 @@ static bool check_pidfile() pid = atoi(buf); } fclose(pidfile); + pidfile = NULL; if (pid && kill(pid, 0) == 0) - { /* such a process is running */ + { + DBG1(DBG_DMN, "%s already running ('%s' exists)", dmn_name, + pidfile_name); return TRUE; } } @@ -199,13 +208,31 @@ static bool check_pidfile() pidfile = fopen(pidfile_name, "w"); if (pidfile) { - ignore_result(fchown(fileno(pidfile), + int fd; + + fd = fileno(pidfile); + if (fd == -1) + { + DBG1(DBG_DMN, "unable to determine fd for '%s'", pidfile_name); + return TRUE; + } + if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) + { + DBG1(DBG_LIB, "setting FD_CLOEXEC for '%s' failed: %s", + pidfile_name, strerror(errno)); + } + ignore_result(fchown(fd, lib->caps->get_uid(lib->caps), lib->caps->get_gid(lib->caps))); fprintf(pidfile, "%d\n", getpid()); fflush(pidfile); + return FALSE; + } + else + { + DBG1(DBG_DMN, "unable to create pidfile '%s'", pidfile_name); + return TRUE; } - return FALSE; } /** @@ -221,15 +248,15 @@ static void unlink_pidfile() { ignore_result(ftruncate(fileno(pidfile), 0)); fclose(pidfile); + unlink(pidfile_name); } - unlink(pidfile_name); } + /** * Main function, starts TKM backend. */ int main(int argc, char *argv[]) { - char *dmn_name; if (argc > 0 && strlen(argv[0]) > 0) { dmn_name = basename(argv[0]); @@ -322,8 +349,6 @@ int main(int argc, char *argv[]) if (check_pidfile()) { - DBG1(DBG_DMN, "%s already running (\"%s\" exists)", dmn_name, - pidfile_name); goto deinit; } @@ -372,8 +397,6 @@ int main(int argc, char *argv[]) /* main thread goes to run loop */ run(); - unlink_pidfile(); - free(pidfile_name); status = 0; charon->bus->remove_listener(charon->bus, &listener->listener); listener->destroy(listener); @@ -384,6 +407,8 @@ deinit: destroy_dh_mapping(); libcharon_deinit(); tkm_deinit(); + unlink_pidfile(); + free(pidfile_name); library_deinit(); return status; } diff --git a/src/charon-tkm/src/tkm/tkm_id_manager.c b/src/charon-tkm/src/tkm/tkm_id_manager.c index d8ff6753f..9a2ede03e 100644 --- a/src/charon-tkm/src/tkm/tkm_id_manager.c +++ b/src/charon-tkm/src/tkm/tkm_id_manager.c @@ -43,7 +43,7 @@ struct private_tkm_id_manager_t { /** * Per-kind array of free context ids */ - bool* ctxids[TKM_CTX_MAX]; + int* ctxids[TKM_CTX_MAX]; /** * Per-kind context limits. @@ -85,9 +85,9 @@ METHOD(tkm_id_manager_t, acquire_id, int, this->locks[kind]->write_lock(this->locks[kind]); for (j = 0; j < this->limits[kind]; j++) { - if (!this->ctxids[kind][j]) + if (this->ctxids[kind][j] == 0) { - this->ctxids[kind][j] = true; + this->ctxids[kind][j] = 1; id = j + 1; break; } @@ -103,24 +103,55 @@ METHOD(tkm_id_manager_t, acquire_id, int, return id; } -METHOD(tkm_id_manager_t, release_id, bool, +METHOD(tkm_id_manager_t, acquire_ref, bool, + private_tkm_id_manager_t * const this, const tkm_context_kind_t kind, + const int ref_id) +{ + const int idx = ref_id - 1; + + if (!is_valid_kind(kind)) + { + DBG1(DBG_LIB, "tried to acquire reference for invalid context kind '%d'", + kind); + return FALSE; + } + + if (ref_id < 1 || (uint64_t)ref_id > this->limits[kind]) + { + DBG1(DBG_LIB, "tried to acquire reference for context id %d out of " + "bounds (max %llu)", ref_id, this->limits[kind]); + return FALSE; + } + + this->locks[kind]->write_lock(this->locks[kind]); + this->ctxids[kind][idx]++; + this->locks[kind]->unlock(this->locks[kind]); + + return TRUE; +} + +METHOD(tkm_id_manager_t, release_id, int, private_tkm_id_manager_t * const this, const tkm_context_kind_t kind, const int id) { const int idx = id - 1; + int refcount = 0; if (!is_valid_kind(kind)) { DBG1(DBG_LIB, "tried to release id %d for invalid context kind '%d'", id, kind); - return FALSE; + return -1; } this->locks[kind]->write_lock(this->locks[kind]); - this->ctxids[kind][idx] = false; + if (this->ctxids[kind][idx] > 0) + { + refcount = --this->ctxids[kind][idx]; + } this->locks[kind]->unlock(this->locks[kind]); - return TRUE; + return refcount; } @@ -147,6 +178,7 @@ tkm_id_manager_t *tkm_id_manager_create(const tkm_limits_t limits) INIT(this, .public = { .acquire_id = _acquire_id, + .acquire_ref = _acquire_ref, .release_id = _release_id, .destroy = _destroy, }, @@ -155,7 +187,7 @@ tkm_id_manager_t *tkm_id_manager_create(const tkm_limits_t limits) for (i = 0; i < TKM_CTX_MAX; i++) { this->limits[i] = limits[i]; - this->ctxids[i] = calloc(limits[i], sizeof(bool)); + this->ctxids[i] = calloc(limits[i], sizeof(int)); this->locks[i] = rwlock_create(RWLOCK_TYPE_DEFAULT); DBG2(DBG_LIB, "%N initialized, %llu slot(s)", tkm_context_kind_names, i, limits[i]); diff --git a/src/charon-tkm/src/tkm/tkm_id_manager.h b/src/charon-tkm/src/tkm/tkm_id_manager.h index 0fc9ff8ef..1c48b57f1 100644 --- a/src/charon-tkm/src/tkm/tkm_id_manager.h +++ b/src/charon-tkm/src/tkm/tkm_id_manager.h @@ -74,15 +74,27 @@ struct tkm_id_manager_t { const tkm_context_kind_t kind); /** + * Acquire reference to given context id for a specific context kind. + * + * @param kind kind of context id + * @param ref_id id to acquire a reference for + * @return TRUE if reference could be acquired, + * FALSE otherwise + */ + bool (*acquire_ref)(tkm_id_manager_t * const this, + const tkm_context_kind_t kind, + const int ref_id); + + /** * Release a previously acquired context id. * * @param kind kind of context id to release * @param id id to release - * @return TRUE if id was released, FALSE otherwise + * @return current refcount if id was released, -1 otherwise */ - bool (*release_id)(tkm_id_manager_t * const this, - const tkm_context_kind_t kind, - const int id); + int (*release_id)(tkm_id_manager_t * const this, + const tkm_context_kind_t kind, + const int id); /** * Destroy a tkm_id_manager instance. diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c index 5decde92b..48dd40aa5 100644 --- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c +++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c @@ -134,6 +134,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } esa_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ESA); + if (esa_id == 0) + { + DBG1(DBG_KNL, "unable to acquire esa context id"); + goto esa_id_failure; + } + if (!tkm->sad->insert(tkm->sad, esa_id, data->reqid, local, peer, spi_loc, spi_rem, id->proto)) { @@ -193,9 +199,11 @@ METHOD(kernel_ipsec_t, add_sa, status_t, return SUCCESS; failure: + ike_esa_reset(esa_id); tkm->sad->remove(tkm->sad, esa_id); sad_failure: tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ESA, esa_id); +esa_id_failure: chunk_free(&esa.nonce_i); chunk_free(&esa.nonce_r); return FAILED; diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c index a24760445..ed5366c2c 100644 --- a/src/charon-tkm/src/tkm/tkm_keymat.c +++ b/src/charon-tkm/src/tkm/tkm_keymat.c @@ -279,8 +279,15 @@ METHOD(keymat_v2_t, derive_ike_keys, bool, } isa_info = *((isa_info_t *)(rekey_skd.ptr)); DBG1(DBG_IKE, "deriving IKE keys (parent_isa: %llu, ae: %llu, nc: %llu," - "dh: %llu, spi_loc: %llx, spi_rem: %llx)", isa_info.parent_isa_id, + " dh: %llu, spi_loc: %llx, spi_rem: %llx)", isa_info.parent_isa_id, isa_info.ae_id, nc_id, dh_id, spi_loc, spi_rem); + + if (!tkm->idmgr->acquire_ref(tkm->idmgr, TKM_CTX_AE, isa_info.ae_id)) + { + DBG1(DBG_IKE, "unable to acquire reference for ae: %llu", + isa_info.ae_id); + return FALSE; + } this->ae_ctx_id = isa_info.ae_id; res = ike_isa_create_child(this->isa_ctx_id, isa_info.parent_isa_id, 1, dh_id, nc_id, nonce_rem, this->initiator, @@ -416,11 +423,6 @@ METHOD(keymat_v2_t, get_skd, pseudo_random_function_t, *skd = chunk_create((u_char *)isa_info, sizeof(isa_info_t)); - /* - * remove ae context id, since control has now been handed over to the new - * IKE SA keymat - */ - this->ae_ctx_id = 0; return PRF_HMAC_SHA2_512; } @@ -462,11 +464,12 @@ METHOD(keymat_t, destroy, void, /* only reset ae context if set */ if (this->ae_ctx_id != 0) { - if (ike_ae_reset(this->ae_ctx_id) != TKM_OK) + int count; + count = tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_AE, this->ae_ctx_id); + if (count == 0 && ike_ae_reset(this->ae_ctx_id) != TKM_OK) { DBG1(DBG_IKE, "failed to reset AE context %d", this->ae_ctx_id); } - tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_AE, this->ae_ctx_id); } DESTROY_IF(this->hash_algorithms); diff --git a/src/charon-tkm/src/tkm/tkm_private_key.c b/src/charon-tkm/src/tkm/tkm_private_key.c index db57ec1c7..891b579ee 100644 --- a/src/charon-tkm/src/tkm/tkm_private_key.c +++ b/src/charon-tkm/src/tkm/tkm_private_key.c @@ -14,6 +14,7 @@ * for more details. */ +#include <library.h> #include <utils/debug.h> #include <tkm/constants.h> #include <tkm/client.h> @@ -58,7 +59,7 @@ METHOD(private_key_t, get_type, key_type_t, } METHOD(private_key_t, sign, bool, - private_tkm_private_key_t *this, signature_scheme_t scheme, + private_tkm_private_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t *signature) { signature_type sig; diff --git a/src/charon-tkm/src/tkm/tkm_public_key.c b/src/charon-tkm/src/tkm/tkm_public_key.c index 9ebdc29e6..2a14a9bdd 100644 --- a/src/charon-tkm/src/tkm/tkm_public_key.c +++ b/src/charon-tkm/src/tkm/tkm_public_key.c @@ -14,6 +14,7 @@ * for more details. */ +#include <library.h> #include <utils/debug.h> #include "tkm_public_key.h" @@ -53,7 +54,7 @@ METHOD(public_key_t, get_type, key_type_t, } METHOD(public_key_t, verify, bool, - private_tkm_public_key_t *this, signature_scheme_t scheme, + private_tkm_public_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t signature) { return TRUE; diff --git a/src/charon-tkm/tests/id_manager_tests.c b/src/charon-tkm/tests/id_manager_tests.c index 8157496ca..fb5e56a05 100644 --- a/src/charon-tkm/tests/id_manager_tests.c +++ b/src/charon-tkm/tests/id_manager_tests.c @@ -84,21 +84,85 @@ START_TEST(test_acquire_id_same) } END_TEST -START_TEST(test_release_id) +START_TEST(test_acquire_ref) { int i, id = 0; - bool released = false; + bool acquired = false; + tkm_id_manager_t *idmgr = tkm_id_manager_create(limits); + + for (i = 0; i < TKM_CTX_MAX; i++) + { + id = idmgr->acquire_id(idmgr, i); + acquired = idmgr->acquire_ref(idmgr, i, id); + fail_unless(acquired, "Error acquiring reference context kind %d", i); + + /* Reset test variable */ + acquired = false; + } + + idmgr->destroy(idmgr); +} +END_TEST + +START_TEST(test_acquire_ref_invalid_kind) +{ + bool acquired; + tkm_id_manager_t *idmgr = tkm_id_manager_create(limits); + + acquired = idmgr->acquire_ref(idmgr, TKM_CTX_MAX, 1); + fail_if(acquired, "Acquired reference for invalid context kind %d", TKM_CTX_MAX); + + /* Reset test variable */ + acquired = 0; + + acquired = idmgr->acquire_ref(idmgr, -1, 1); + fail_if(acquired, "Acquired reference for invalid context kind %d", -1); + + idmgr->destroy(idmgr); +} +END_TEST + +START_TEST(test_acquire_ref_invalid_id) +{ + int i; + bool acquired; + tkm_id_manager_t *idmgr = tkm_id_manager_create(limits); + + for (i = 0; i < TKM_CTX_MAX; i++) + { + acquired = idmgr->acquire_ref(idmgr, i, -1); + fail_if(acquired, + "Acquired reference for negative id of context kind %d", i); + + /* Reset test variable */ + acquired = false; + + acquired = idmgr->acquire_ref(idmgr, i, limits[i] + 1); + fail_if(acquired, + "Acquired reference exceeding limit of context kind %d", i); + + /* Reset test variable */ + acquired = false; + } + + idmgr->destroy(idmgr); +} +END_TEST + +START_TEST(test_release_id) +{ + int i, count, id = 0; tkm_id_manager_t *idmgr = tkm_id_manager_create(limits); for (i = 0; i < TKM_CTX_MAX; i++) { id = idmgr->acquire_id(idmgr, i); - released = idmgr->release_id(idmgr, i, id); + count = idmgr->release_id(idmgr, i, id); - fail_unless(released, "Error releasing id of context kind %d", i); + fail_unless(count == 0, "Error releasing id of context kind %d", i); - /* Reset released variable */ - released = FALSE; + /* Reset count variable */ + count = 0; } idmgr->destroy(idmgr); @@ -107,17 +171,17 @@ END_TEST START_TEST(test_release_id_invalid_kind) { - bool released = TRUE; + int count = 0; tkm_id_manager_t *idmgr = tkm_id_manager_create(limits); - released = idmgr->release_id(idmgr, TKM_CTX_MAX, 1); - fail_if(released, "Released id for invalid context kind %d", TKM_CTX_MAX); + count = idmgr->release_id(idmgr, TKM_CTX_MAX, 1); + fail_if(count >= 0, "Released id for invalid context kind %d", TKM_CTX_MAX); /* Reset test variable */ - released = TRUE; + count = 0; - released = idmgr->release_id(idmgr, -1, 1); - fail_if(released, "Released id for invalid context kind %d", -1); + count = idmgr->release_id(idmgr, -1, 1); + fail_if(count >= 0, "Released id for invalid context kind %d", -1); idmgr->destroy(idmgr); } @@ -125,11 +189,11 @@ END_TEST START_TEST(test_release_id_nonexistent) { - bool released = FALSE; + int count = 0; tkm_id_manager_t *idmgr = tkm_id_manager_create(limits); - released = idmgr->release_id(idmgr, TKM_CTX_NONCE, 1); - fail_unless(released, "Release of nonexistent id failed"); + count = idmgr->release_id(idmgr, TKM_CTX_NONCE, 1); + fail_unless(count == 0, "Release of nonexistent id failed"); idmgr->destroy(idmgr); } @@ -150,6 +214,9 @@ Suite *make_id_manager_tests() tcase_add_test(tc, test_acquire_id); tcase_add_test(tc, test_acquire_id_invalid_kind); tcase_add_test(tc, test_acquire_id_same); + tcase_add_test(tc, test_acquire_ref); + tcase_add_test(tc, test_acquire_ref_invalid_kind); + tcase_add_test(tc, test_acquire_ref_invalid_id); suite_add_tcase(s, tc); tc = tcase_create("release"); diff --git a/src/charon-tkm/tests/kernel_sad_tests.c b/src/charon-tkm/tests/kernel_sad_tests.c index 39d8a790a..59ff77b68 100644 --- a/src/charon-tkm/tests/kernel_sad_tests.c +++ b/src/charon-tkm/tests/kernel_sad_tests.c @@ -123,11 +123,11 @@ START_TEST(test_remove) tkm_kernel_sad_t *sad = tkm_kernel_sad_create(); fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50), "Error inserting SAD entry"); - fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23, + fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50, FALSE) == 23, "Error getting esa id"); fail_unless(sad->remove(sad, 23), "Error removing SAD entry"); - fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 0, + fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50, FALSE) == 0, "Got esa id for removed SAD entry"); sad->destroy(sad); addr->destroy(addr); diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in index 9c5283cd7..14bde277c 100644 --- a/src/charon/Makefile.in +++ b/src/charon/Makefile.in @@ -217,9 +217,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/charon/charon.c b/src/charon/charon.c index 520cb3c74..f23717034 100644 --- a/src/charon/charon.c +++ b/src/charon/charon.c @@ -1,9 +1,9 @@ /* - * Copyright (C) 2006-2012 Tobias Brunner + * Copyright (C) 2006-2017 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -203,8 +203,10 @@ static bool check_pidfile() pid = atoi(buf); } fclose(pidfile); + pidfile = NULL; if (pid && kill(pid, 0) == 0) - { /* such a process is running */ + { + DBG1(DBG_DMN, "charon already running ('"PID_FILE"' exists)"); return TRUE; } } @@ -219,18 +221,28 @@ static bool check_pidfile() int fd; fd = fileno(pidfile); - if (fd == -1 || fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) + if (fd == -1) + { + DBG1(DBG_DMN, "unable to determine fd for '"PID_FILE"'"); + return TRUE; + } + if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) { DBG1(DBG_LIB, "setting FD_CLOEXEC for '"PID_FILE"' failed: %s", strerror(errno)); } - ignore_result(fchown(fileno(pidfile), + ignore_result(fchown(fd, lib->caps->get_uid(lib->caps), lib->caps->get_gid(lib->caps))); fprintf(pidfile, "%d\n", getpid()); fflush(pidfile); + return FALSE; + } + else + { + DBG1(DBG_DMN, "unable to create pidfile '"PID_FILE"'"); + return TRUE; } - return FALSE; } /** @@ -246,8 +258,8 @@ static void unlink_pidfile() { ignore_result(ftruncate(fileno(pidfile), 0)); fclose(pidfile); + unlink(PID_FILE); } - unlink(PID_FILE); } /** @@ -402,7 +414,6 @@ int main(int argc, char *argv[]) if (check_pidfile()) { - DBG1(DBG_DMN, "charon already running (\""PID_FILE"\" exists)"); goto deinit; } @@ -434,12 +445,11 @@ int main(int argc, char *argv[]) /* main thread goes to run loop */ run(); - /* normal termination, cleanup and exit */ - unlink_pidfile(); status = 0; deinit: libcharon_deinit(); + unlink_pidfile(); library_deinit(); return status; } diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am index 1856e2a31..107b26c31 100644 --- a/src/checksum/Makefile.am +++ b/src/checksum/Makefile.am @@ -130,6 +130,10 @@ if USE_IMC_SWIMA exes += $(DESTDIR)$(sbindir)/sw-collector endif +if USE_IMV_SWIMA + exes += $(DESTDIR)$(sbindir)/sec-updater +endif + checksum.c : checksum_builder $(deps) $(exes) ./checksum_builder $(libs) $(exes) > checksum.c diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in index 87e78a99f..f46302994 100644 --- a/src/checksum/Makefile.in +++ b/src/checksum/Makefile.in @@ -123,6 +123,7 @@ EXTRA_PROGRAMS = checksum_builder$(EXEEXT) @USE_IMV_ATTESTATION_TRUE@am__append_32 = $(DESTDIR)$(ipsecdir)/attest @USE_LIBPTTLS_TRUE@am__append_33 = $(DESTDIR)$(bindir)/pt-tls-client @USE_IMC_SWIMA_TRUE@am__append_34 = $(DESTDIR)$(sbindir)/sw-collector +@USE_IMV_SWIMA_TRUE@am__append_35 = $(DESTDIR)$(sbindir)/sec-updater subdir = src/checksum ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -288,9 +289,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -528,7 +531,7 @@ libs = $(DESTDIR)$(ipseclibdir)/libstrongswan.so $(am__append_3) \ exes = $(am__append_24) $(am__append_26) $(am__append_27) \ $(am__append_28) $(am__append_29) $(am__append_30) \ $(am__append_31) $(am__append_32) $(am__append_33) \ - $(am__append_34) + $(am__append_34) $(am__append_35) all: all-am .SUFFIXES: diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in index 4f33d9891..1ea430c63 100644 --- a/src/conftest/Makefile.in +++ b/src/conftest/Makefile.in @@ -231,9 +231,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/conftest/hooks/pretend_auth.c b/src/conftest/hooks/pretend_auth.c index d80196ed6..4be6f45db 100644 --- a/src/conftest/hooks/pretend_auth.c +++ b/src/conftest/hooks/pretend_auth.c @@ -244,7 +244,7 @@ static bool build_auth(private_pretend_auth_t *this, private->destroy(private); return FALSE; } - if (!private->sign(private, scheme, octets, &auth_data)) + if (!private->sign(private, scheme, NULL, octets, &auth_data)) { chunk_free(&octets); private->destroy(private); diff --git a/src/conftest/hooks/rebuild_auth.c b/src/conftest/hooks/rebuild_auth.c index b2df278a5..bc20292a1 100644 --- a/src/conftest/hooks/rebuild_auth.c +++ b/src/conftest/hooks/rebuild_auth.c @@ -143,7 +143,7 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa, id->destroy(id); return FALSE; } - if (!private->sign(private, scheme, octets, &auth_data)) + if (!private->sign(private, scheme, NULL, octets, &auth_data)) { chunk_free(&octets); private->destroy(private); diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in index 6c7cc4176..50b0abb64 100644 --- a/src/dumm/Makefile.in +++ b/src/dumm/Makefile.in @@ -258,9 +258,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/include/Makefile.in b/src/include/Makefile.in index dde85cb09..4106494db 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -161,9 +161,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in index 494dc45ee..46715938e 100644 --- a/src/ipsec/Makefile.in +++ b/src/ipsec/Makefile.in @@ -194,9 +194,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8 index b23b04207..17c918f60 100644 --- a/src/ipsec/_ipsec.8 +++ b/src/ipsec/_ipsec.8 @@ -1,4 +1,4 @@ -.TH IPSEC 8 "2013-10-29" "5.6.0dr1" "strongSwan" +.TH IPSEC 8 "2013-10-29" "5.6.1rc1" "strongSwan" . .SH NAME . diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in index 65fadf2de..283abdcd5 100644 --- a/src/ipsec/_ipsec.in +++ b/src/ipsec/_ipsec.in @@ -310,7 +310,7 @@ aikgen|pki) command_dir="$IPSEC_BINDIR" # fall through ;; -attest|conftest|dumm|irdumm|pacman|pool|pt-tls-client|scepclient|stroke|\ +attest|conftest|dumm|irdumm|pool|pt-tls-client|scepclient|stroke|\ duplicheck|error-notify|imv_policy_manager|load-tester|lookip|whitelist|\ _updown|_imv_policy) # fall through diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am index ed2236e04..964a19ec8 100644 --- a/src/libcharon/Makefile.am +++ b/src/libcharon/Makefile.am @@ -258,6 +258,13 @@ if MONOLITHIC endif endif +if USE_COUNTERS + SUBDIRS += plugins/counters +if MONOLITHIC + libcharon_la_LIBADD += plugins/counters/libstrongswan-counters.la +endif +endif + if USE_STROKE SUBDIRS += plugins/stroke if MONOLITHIC diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in index fc6635826..d3cbb0fb6 100644 --- a/src/libcharon/Makefile.in +++ b/src/libcharon/Makefile.in @@ -169,134 +169,136 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_FORECAST_TRUE@am__append_19 = plugins/forecast/libstrongswan-forecast.la @USE_FARP_TRUE@am__append_20 = plugins/farp @MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_21 = plugins/farp/libstrongswan-farp.la -@USE_STROKE_TRUE@am__append_22 = plugins/stroke -@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_23 = plugins/stroke/libstrongswan-stroke.la -@USE_VICI_TRUE@am__append_24 = plugins/vici -@MONOLITHIC_TRUE@@USE_VICI_TRUE@am__append_25 = plugins/vici/libstrongswan-vici.la -@USE_SMP_TRUE@am__append_26 = plugins/smp -@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_27 = plugins/smp/libstrongswan-smp.la -@USE_SQL_TRUE@am__append_28 = plugins/sql -@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_29 = plugins/sql/libstrongswan-sql.la -@USE_DNSCERT_TRUE@am__append_30 = plugins/dnscert -@MONOLITHIC_TRUE@@USE_DNSCERT_TRUE@am__append_31 = plugins/dnscert/libstrongswan-dnscert.la -@USE_IPSECKEY_TRUE@am__append_32 = plugins/ipseckey -@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_33 = plugins/ipseckey/libstrongswan-ipseckey.la -@USE_UPDOWN_TRUE@am__append_34 = plugins/updown -@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_35 = plugins/updown/libstrongswan-updown.la -@USE_EXT_AUTH_TRUE@am__append_36 = plugins/ext_auth -@MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE@am__append_37 = plugins/ext_auth/libstrongswan-ext-auth.la -@USE_EAP_IDENTITY_TRUE@am__append_38 = plugins/eap_identity -@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_39 = plugins/eap_identity/libstrongswan-eap-identity.la -@USE_EAP_SIM_TRUE@am__append_40 = plugins/eap_sim -@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_41 = plugins/eap_sim/libstrongswan-eap-sim.la -@USE_EAP_SIM_FILE_TRUE@am__append_42 = plugins/eap_sim_file -@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_43 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la -@USE_EAP_SIM_PCSC_TRUE@am__append_44 = plugins/eap_sim_pcsc -@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_45 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la -@USE_EAP_SIMAKA_SQL_TRUE@am__append_46 = plugins/eap_simaka_sql -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_47 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la -@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_48 = plugins/eap_simaka_pseudonym -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_49 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la -@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_50 = plugins/eap_simaka_reauth -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_51 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la -@USE_EAP_AKA_TRUE@am__append_52 = plugins/eap_aka -@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_53 = plugins/eap_aka/libstrongswan-eap-aka.la -@USE_EAP_AKA_3GPP_TRUE@am__append_54 = plugins/eap_aka_3gpp -@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP_TRUE@am__append_55 = plugins/eap_aka_3gpp/libstrongswan-eap-aka-3gpp.la -@USE_EAP_AKA_3GPP2_TRUE@am__append_56 = plugins/eap_aka_3gpp2 -@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_57 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la -@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_58 = $(top_builddir)/src/libsimaka/libsimaka.la -@USE_EAP_MD5_TRUE@am__append_59 = plugins/eap_md5 -@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_60 = plugins/eap_md5/libstrongswan-eap-md5.la -@USE_EAP_GTC_TRUE@am__append_61 = plugins/eap_gtc -@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_62 = plugins/eap_gtc/libstrongswan-eap-gtc.la -@USE_EAP_MSCHAPV2_TRUE@am__append_63 = plugins/eap_mschapv2 -@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_64 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la -@USE_EAP_DYNAMIC_TRUE@am__append_65 = plugins/eap_dynamic -@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_66 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la -@USE_EAP_RADIUS_TRUE@am__append_67 = plugins/eap_radius -@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_68 = plugins/eap_radius/libstrongswan-eap-radius.la -@USE_EAP_TLS_TRUE@am__append_69 = plugins/eap_tls -@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_70 = plugins/eap_tls/libstrongswan-eap-tls.la -@USE_EAP_TTLS_TRUE@am__append_71 = plugins/eap_ttls -@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_72 = plugins/eap_ttls/libstrongswan-eap-ttls.la -@USE_EAP_PEAP_TRUE@am__append_73 = plugins/eap_peap -@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_74 = plugins/eap_peap/libstrongswan-eap-peap.la -@USE_EAP_TNC_TRUE@am__append_75 = plugins/eap_tnc -@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_76 = plugins/eap_tnc/libstrongswan-eap-tnc.la -@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_77 = $(top_builddir)/src/libtls/libtls.la -@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_78 = $(top_builddir)/src/libradius/libradius.la -@USE_TNC_IFMAP_TRUE@am__append_79 = plugins/tnc_ifmap -@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_80 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la -@USE_TNC_PDP_TRUE@am__append_81 = plugins/tnc_pdp -@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_82 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la -@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_83 = $(top_builddir)/src/libtnccs/libtnccs.la -@USE_MEDSRV_TRUE@am__append_84 = plugins/medsrv -@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_85 = plugins/medsrv/libstrongswan-medsrv.la -@USE_MEDCLI_TRUE@am__append_86 = plugins/medcli -@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_87 = plugins/medcli/libstrongswan-medcli.la -@USE_DHCP_TRUE@am__append_88 = plugins/dhcp -@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_89 = plugins/dhcp/libstrongswan-dhcp.la -@USE_OSX_ATTR_TRUE@am__append_90 = plugins/osx_attr -@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_91 = plugins/osx_attr/libstrongswan-osx-attr.la -@USE_P_CSCF_TRUE@am__append_92 = plugins/p_cscf -@MONOLITHIC_TRUE@@USE_P_CSCF_TRUE@am__append_93 = plugins/p_cscf/libstrongswan-p-cscf.la -@USE_ANDROID_DNS_TRUE@am__append_94 = plugins/android_dns -@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_95 = plugins/android_dns/libstrongswan-android-dns.la -@USE_ANDROID_LOG_TRUE@am__append_96 = plugins/android_log -@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_97 = plugins/android_log/libstrongswan-android-log.la -@USE_HA_TRUE@am__append_98 = plugins/ha -@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_99 = plugins/ha/libstrongswan-ha.la -@USE_KERNEL_PFKEY_TRUE@am__append_100 = plugins/kernel_pfkey -@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_101 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la -@USE_KERNEL_PFROUTE_TRUE@am__append_102 = plugins/kernel_pfroute -@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_103 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la -@USE_KERNEL_NETLINK_TRUE@am__append_104 = plugins/kernel_netlink -@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_105 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la -@USE_KERNEL_LIBIPSEC_TRUE@am__append_106 = plugins/kernel_libipsec -@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_107 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la -@USE_KERNEL_WFP_TRUE@am__append_108 = plugins/kernel_wfp -@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_109 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la -@USE_KERNEL_IPH_TRUE@am__append_110 = plugins/kernel_iph -@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_111 = plugins/kernel_iph/libstrongswan-kernel-iph.la -@USE_WHITELIST_TRUE@am__append_112 = plugins/whitelist -@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_113 = plugins/whitelist/libstrongswan-whitelist.la -@USE_LOOKIP_TRUE@am__append_114 = plugins/lookip -@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_115 = plugins/lookip/libstrongswan-lookip.la -@USE_ERROR_NOTIFY_TRUE@am__append_116 = plugins/error_notify -@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_117 = plugins/error_notify/libstrongswan-error-notify.la -@USE_CERTEXPIRE_TRUE@am__append_118 = plugins/certexpire -@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_119 = plugins/certexpire/libstrongswan-certexpire.la -@USE_SYSTIME_FIX_TRUE@am__append_120 = plugins/systime_fix -@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_121 = plugins/systime_fix/libstrongswan-systime-fix.la -@USE_LED_TRUE@am__append_122 = plugins/led -@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_123 = plugins/led/libstrongswan-led.la -@USE_DUPLICHECK_TRUE@am__append_124 = plugins/duplicheck -@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_125 = plugins/duplicheck/libstrongswan-duplicheck.la -@USE_COUPLING_TRUE@am__append_126 = plugins/coupling -@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_127 = plugins/coupling/libstrongswan-coupling.la -@USE_RADATTR_TRUE@am__append_128 = plugins/radattr -@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_129 = plugins/radattr/libstrongswan-radattr.la -@USE_UCI_TRUE@am__append_130 = plugins/uci -@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_131 = plugins/uci/libstrongswan-uci.la -@USE_ADDRBLOCK_TRUE@am__append_132 = plugins/addrblock -@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_133 = plugins/addrblock/libstrongswan-addrblock.la -@USE_UNITY_TRUE@am__append_134 = plugins/unity -@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_135 = plugins/unity/libstrongswan-unity.la -@USE_XAUTH_GENERIC_TRUE@am__append_136 = plugins/xauth_generic -@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_137 = plugins/xauth_generic/libstrongswan-xauth-generic.la -@USE_XAUTH_EAP_TRUE@am__append_138 = plugins/xauth_eap -@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_139 = plugins/xauth_eap/libstrongswan-xauth-eap.la -@USE_XAUTH_PAM_TRUE@am__append_140 = plugins/xauth_pam -@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_141 = plugins/xauth_pam/libstrongswan-xauth-pam.la -@USE_XAUTH_NOAUTH_TRUE@am__append_142 = plugins/xauth_noauth -@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_143 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la -@USE_RESOLVE_TRUE@am__append_144 = plugins/resolve -@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_145 = plugins/resolve/libstrongswan-resolve.la -@USE_ATTR_TRUE@am__append_146 = plugins/attr -@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_147 = plugins/attr/libstrongswan-attr.la -@USE_ATTR_SQL_TRUE@am__append_148 = plugins/attr_sql -@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_149 = plugins/attr_sql/libstrongswan-attr-sql.la +@USE_COUNTERS_TRUE@am__append_22 = plugins/counters +@MONOLITHIC_TRUE@@USE_COUNTERS_TRUE@am__append_23 = plugins/counters/libstrongswan-counters.la +@USE_STROKE_TRUE@am__append_24 = plugins/stroke +@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_25 = plugins/stroke/libstrongswan-stroke.la +@USE_VICI_TRUE@am__append_26 = plugins/vici +@MONOLITHIC_TRUE@@USE_VICI_TRUE@am__append_27 = plugins/vici/libstrongswan-vici.la +@USE_SMP_TRUE@am__append_28 = plugins/smp +@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_29 = plugins/smp/libstrongswan-smp.la +@USE_SQL_TRUE@am__append_30 = plugins/sql +@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_31 = plugins/sql/libstrongswan-sql.la +@USE_DNSCERT_TRUE@am__append_32 = plugins/dnscert +@MONOLITHIC_TRUE@@USE_DNSCERT_TRUE@am__append_33 = plugins/dnscert/libstrongswan-dnscert.la +@USE_IPSECKEY_TRUE@am__append_34 = plugins/ipseckey +@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_35 = plugins/ipseckey/libstrongswan-ipseckey.la +@USE_UPDOWN_TRUE@am__append_36 = plugins/updown +@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_37 = plugins/updown/libstrongswan-updown.la +@USE_EXT_AUTH_TRUE@am__append_38 = plugins/ext_auth +@MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE@am__append_39 = plugins/ext_auth/libstrongswan-ext-auth.la +@USE_EAP_IDENTITY_TRUE@am__append_40 = plugins/eap_identity +@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_41 = plugins/eap_identity/libstrongswan-eap-identity.la +@USE_EAP_SIM_TRUE@am__append_42 = plugins/eap_sim +@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_43 = plugins/eap_sim/libstrongswan-eap-sim.la +@USE_EAP_SIM_FILE_TRUE@am__append_44 = plugins/eap_sim_file +@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_45 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la +@USE_EAP_SIM_PCSC_TRUE@am__append_46 = plugins/eap_sim_pcsc +@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_47 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la +@USE_EAP_SIMAKA_SQL_TRUE@am__append_48 = plugins/eap_simaka_sql +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_49 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la +@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_50 = plugins/eap_simaka_pseudonym +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_51 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la +@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_52 = plugins/eap_simaka_reauth +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_53 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la +@USE_EAP_AKA_TRUE@am__append_54 = plugins/eap_aka +@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_55 = plugins/eap_aka/libstrongswan-eap-aka.la +@USE_EAP_AKA_3GPP_TRUE@am__append_56 = plugins/eap_aka_3gpp +@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP_TRUE@am__append_57 = plugins/eap_aka_3gpp/libstrongswan-eap-aka-3gpp.la +@USE_EAP_AKA_3GPP2_TRUE@am__append_58 = plugins/eap_aka_3gpp2 +@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_59 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la +@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_60 = $(top_builddir)/src/libsimaka/libsimaka.la +@USE_EAP_MD5_TRUE@am__append_61 = plugins/eap_md5 +@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_62 = plugins/eap_md5/libstrongswan-eap-md5.la +@USE_EAP_GTC_TRUE@am__append_63 = plugins/eap_gtc +@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_64 = plugins/eap_gtc/libstrongswan-eap-gtc.la +@USE_EAP_MSCHAPV2_TRUE@am__append_65 = plugins/eap_mschapv2 +@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_66 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la +@USE_EAP_DYNAMIC_TRUE@am__append_67 = plugins/eap_dynamic +@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_68 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la +@USE_EAP_RADIUS_TRUE@am__append_69 = plugins/eap_radius +@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_70 = plugins/eap_radius/libstrongswan-eap-radius.la +@USE_EAP_TLS_TRUE@am__append_71 = plugins/eap_tls +@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_72 = plugins/eap_tls/libstrongswan-eap-tls.la +@USE_EAP_TTLS_TRUE@am__append_73 = plugins/eap_ttls +@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_74 = plugins/eap_ttls/libstrongswan-eap-ttls.la +@USE_EAP_PEAP_TRUE@am__append_75 = plugins/eap_peap +@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_76 = plugins/eap_peap/libstrongswan-eap-peap.la +@USE_EAP_TNC_TRUE@am__append_77 = plugins/eap_tnc +@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_78 = plugins/eap_tnc/libstrongswan-eap-tnc.la +@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_79 = $(top_builddir)/src/libtls/libtls.la +@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_80 = $(top_builddir)/src/libradius/libradius.la +@USE_TNC_IFMAP_TRUE@am__append_81 = plugins/tnc_ifmap +@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_82 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la +@USE_TNC_PDP_TRUE@am__append_83 = plugins/tnc_pdp +@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_84 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la +@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_85 = $(top_builddir)/src/libtnccs/libtnccs.la +@USE_MEDSRV_TRUE@am__append_86 = plugins/medsrv +@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_87 = plugins/medsrv/libstrongswan-medsrv.la +@USE_MEDCLI_TRUE@am__append_88 = plugins/medcli +@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_89 = plugins/medcli/libstrongswan-medcli.la +@USE_DHCP_TRUE@am__append_90 = plugins/dhcp +@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_91 = plugins/dhcp/libstrongswan-dhcp.la +@USE_OSX_ATTR_TRUE@am__append_92 = plugins/osx_attr +@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_93 = plugins/osx_attr/libstrongswan-osx-attr.la +@USE_P_CSCF_TRUE@am__append_94 = plugins/p_cscf +@MONOLITHIC_TRUE@@USE_P_CSCF_TRUE@am__append_95 = plugins/p_cscf/libstrongswan-p-cscf.la +@USE_ANDROID_DNS_TRUE@am__append_96 = plugins/android_dns +@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_97 = plugins/android_dns/libstrongswan-android-dns.la +@USE_ANDROID_LOG_TRUE@am__append_98 = plugins/android_log +@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_99 = plugins/android_log/libstrongswan-android-log.la +@USE_HA_TRUE@am__append_100 = plugins/ha +@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_101 = plugins/ha/libstrongswan-ha.la +@USE_KERNEL_PFKEY_TRUE@am__append_102 = plugins/kernel_pfkey +@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_103 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la +@USE_KERNEL_PFROUTE_TRUE@am__append_104 = plugins/kernel_pfroute +@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_105 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la +@USE_KERNEL_NETLINK_TRUE@am__append_106 = plugins/kernel_netlink +@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_107 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la +@USE_KERNEL_LIBIPSEC_TRUE@am__append_108 = plugins/kernel_libipsec +@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_109 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la +@USE_KERNEL_WFP_TRUE@am__append_110 = plugins/kernel_wfp +@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_111 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la +@USE_KERNEL_IPH_TRUE@am__append_112 = plugins/kernel_iph +@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_113 = plugins/kernel_iph/libstrongswan-kernel-iph.la +@USE_WHITELIST_TRUE@am__append_114 = plugins/whitelist +@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_115 = plugins/whitelist/libstrongswan-whitelist.la +@USE_LOOKIP_TRUE@am__append_116 = plugins/lookip +@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_117 = plugins/lookip/libstrongswan-lookip.la +@USE_ERROR_NOTIFY_TRUE@am__append_118 = plugins/error_notify +@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_119 = plugins/error_notify/libstrongswan-error-notify.la +@USE_CERTEXPIRE_TRUE@am__append_120 = plugins/certexpire +@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_121 = plugins/certexpire/libstrongswan-certexpire.la +@USE_SYSTIME_FIX_TRUE@am__append_122 = plugins/systime_fix +@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_123 = plugins/systime_fix/libstrongswan-systime-fix.la +@USE_LED_TRUE@am__append_124 = plugins/led +@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_125 = plugins/led/libstrongswan-led.la +@USE_DUPLICHECK_TRUE@am__append_126 = plugins/duplicheck +@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_127 = plugins/duplicheck/libstrongswan-duplicheck.la +@USE_COUPLING_TRUE@am__append_128 = plugins/coupling +@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_129 = plugins/coupling/libstrongswan-coupling.la +@USE_RADATTR_TRUE@am__append_130 = plugins/radattr +@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_131 = plugins/radattr/libstrongswan-radattr.la +@USE_UCI_TRUE@am__append_132 = plugins/uci +@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_133 = plugins/uci/libstrongswan-uci.la +@USE_ADDRBLOCK_TRUE@am__append_134 = plugins/addrblock +@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_135 = plugins/addrblock/libstrongswan-addrblock.la +@USE_UNITY_TRUE@am__append_136 = plugins/unity +@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_137 = plugins/unity/libstrongswan-unity.la +@USE_XAUTH_GENERIC_TRUE@am__append_138 = plugins/xauth_generic +@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_139 = plugins/xauth_generic/libstrongswan-xauth-generic.la +@USE_XAUTH_EAP_TRUE@am__append_140 = plugins/xauth_eap +@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_141 = plugins/xauth_eap/libstrongswan-xauth-eap.la +@USE_XAUTH_PAM_TRUE@am__append_142 = plugins/xauth_pam +@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_143 = plugins/xauth_pam/libstrongswan-xauth-pam.la +@USE_XAUTH_NOAUTH_TRUE@am__append_144 = plugins/xauth_noauth +@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_145 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la +@USE_RESOLVE_TRUE@am__append_146 = plugins/resolve +@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_147 = plugins/resolve/libstrongswan-resolve.la +@USE_ATTR_TRUE@am__append_148 = plugins/attr +@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_149 = plugins/attr/libstrongswan-attr.la +@USE_ATTR_SQL_TRUE@am__append_150 = plugins/attr_sql +@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_151 = plugins/attr_sql/libstrongswan-attr-sql.la subdir = src/libcharon ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -359,11 +361,11 @@ libcharon_la_DEPENDENCIES = \ $(am__append_41) $(am__append_43) $(am__append_45) \ $(am__append_47) $(am__append_49) $(am__append_51) \ $(am__append_53) $(am__append_55) $(am__append_57) \ - $(am__append_58) $(am__append_60) $(am__append_62) \ + $(am__append_59) $(am__append_60) $(am__append_62) \ $(am__append_64) $(am__append_66) $(am__append_68) \ $(am__append_70) $(am__append_72) $(am__append_74) \ - $(am__append_76) $(am__append_77) $(am__append_78) \ - $(am__append_80) $(am__append_82) $(am__append_83) \ + $(am__append_76) $(am__append_78) $(am__append_79) \ + $(am__append_80) $(am__append_82) $(am__append_84) \ $(am__append_85) $(am__append_87) $(am__append_89) \ $(am__append_91) $(am__append_93) $(am__append_95) \ $(am__append_97) $(am__append_99) $(am__append_101) \ @@ -374,7 +376,8 @@ libcharon_la_DEPENDENCIES = \ $(am__append_127) $(am__append_129) $(am__append_131) \ $(am__append_133) $(am__append_135) $(am__append_137) \ $(am__append_139) $(am__append_141) $(am__append_143) \ - $(am__append_145) $(am__append_147) $(am__append_149) + $(am__append_145) $(am__append_147) $(am__append_149) \ + $(am__append_151) am__libcharon_la_SOURCES_DIST = attributes/attributes.c \ attributes/attributes.h attributes/attribute_provider.h \ attributes/attribute_handler.h attributes/attribute_manager.c \ @@ -744,8 +747,8 @@ CTAGS = ctags DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \ plugins/socket_dynamic plugins/socket_win plugins/connmark \ plugins/bypass_lan plugins/forecast plugins/farp \ - plugins/stroke plugins/vici plugins/smp plugins/sql \ - plugins/dnscert plugins/ipseckey plugins/updown \ + plugins/counters plugins/stroke plugins/vici plugins/smp \ + plugins/sql plugins/dnscert plugins/ipseckey plugins/updown \ plugins/ext_auth plugins/eap_identity plugins/eap_sim \ plugins/eap_sim_file plugins/eap_sim_pcsc \ plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \ @@ -825,9 +828,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -1157,12 +1162,12 @@ libcharon_la_LIBADD = \ $(am__append_37) $(am__append_39) $(am__append_41) \ $(am__append_43) $(am__append_45) $(am__append_47) \ $(am__append_49) $(am__append_51) $(am__append_53) \ - $(am__append_55) $(am__append_57) $(am__append_58) \ + $(am__append_55) $(am__append_57) $(am__append_59) \ $(am__append_60) $(am__append_62) $(am__append_64) \ $(am__append_66) $(am__append_68) $(am__append_70) \ $(am__append_72) $(am__append_74) $(am__append_76) \ - $(am__append_77) $(am__append_78) $(am__append_80) \ - $(am__append_82) $(am__append_83) $(am__append_85) \ + $(am__append_78) $(am__append_79) $(am__append_80) \ + $(am__append_82) $(am__append_84) $(am__append_85) \ $(am__append_87) $(am__append_89) $(am__append_91) \ $(am__append_93) $(am__append_95) $(am__append_97) \ $(am__append_99) $(am__append_101) $(am__append_103) \ @@ -1173,7 +1178,7 @@ libcharon_la_LIBADD = \ $(am__append_129) $(am__append_131) $(am__append_133) \ $(am__append_135) $(am__append_137) $(am__append_139) \ $(am__append_141) $(am__append_143) $(am__append_145) \ - $(am__append_147) $(am__append_149) + $(am__append_147) $(am__append_149) $(am__append_151) EXTRA_DIST = Android.mk @STATIC_PLUGIN_CONSTRUCTORS_TRUE@BUILT_SOURCES = $(srcdir)/plugin_constructors.c @STATIC_PLUGIN_CONSTRUCTORS_TRUE@CLEANFILES = $(srcdir)/plugin_constructors.c @@ -1190,12 +1195,12 @@ EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@ $(am__append_46) $(am__append_48) \ @MONOLITHIC_FALSE@ $(am__append_50) $(am__append_52) \ @MONOLITHIC_FALSE@ $(am__append_54) $(am__append_56) \ -@MONOLITHIC_FALSE@ $(am__append_59) $(am__append_61) \ +@MONOLITHIC_FALSE@ $(am__append_58) $(am__append_61) \ @MONOLITHIC_FALSE@ $(am__append_63) $(am__append_65) \ @MONOLITHIC_FALSE@ $(am__append_67) $(am__append_69) \ @MONOLITHIC_FALSE@ $(am__append_71) $(am__append_73) \ -@MONOLITHIC_FALSE@ $(am__append_75) $(am__append_79) \ -@MONOLITHIC_FALSE@ $(am__append_81) $(am__append_84) \ +@MONOLITHIC_FALSE@ $(am__append_75) $(am__append_77) \ +@MONOLITHIC_FALSE@ $(am__append_81) $(am__append_83) \ @MONOLITHIC_FALSE@ $(am__append_86) $(am__append_88) \ @MONOLITHIC_FALSE@ $(am__append_90) $(am__append_92) \ @MONOLITHIC_FALSE@ $(am__append_94) $(am__append_96) \ @@ -1211,7 +1216,8 @@ EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@ $(am__append_134) $(am__append_136) \ @MONOLITHIC_FALSE@ $(am__append_138) $(am__append_140) \ @MONOLITHIC_FALSE@ $(am__append_142) $(am__append_144) \ -@MONOLITHIC_FALSE@ $(am__append_146) $(am__append_148) tests +@MONOLITHIC_FALSE@ $(am__append_146) $(am__append_148) \ +@MONOLITHIC_FALSE@ $(am__append_150) tests # build optional plugins ######################## @@ -1228,12 +1234,12 @@ EXTRA_DIST = Android.mk @MONOLITHIC_TRUE@ $(am__append_46) $(am__append_48) \ @MONOLITHIC_TRUE@ $(am__append_50) $(am__append_52) \ @MONOLITHIC_TRUE@ $(am__append_54) $(am__append_56) \ -@MONOLITHIC_TRUE@ $(am__append_59) $(am__append_61) \ +@MONOLITHIC_TRUE@ $(am__append_58) $(am__append_61) \ @MONOLITHIC_TRUE@ $(am__append_63) $(am__append_65) \ @MONOLITHIC_TRUE@ $(am__append_67) $(am__append_69) \ @MONOLITHIC_TRUE@ $(am__append_71) $(am__append_73) \ -@MONOLITHIC_TRUE@ $(am__append_75) $(am__append_79) \ -@MONOLITHIC_TRUE@ $(am__append_81) $(am__append_84) \ +@MONOLITHIC_TRUE@ $(am__append_75) $(am__append_77) \ +@MONOLITHIC_TRUE@ $(am__append_81) $(am__append_83) \ @MONOLITHIC_TRUE@ $(am__append_86) $(am__append_88) \ @MONOLITHIC_TRUE@ $(am__append_90) $(am__append_92) \ @MONOLITHIC_TRUE@ $(am__append_94) $(am__append_96) \ @@ -1249,7 +1255,8 @@ EXTRA_DIST = Android.mk @MONOLITHIC_TRUE@ $(am__append_134) $(am__append_136) \ @MONOLITHIC_TRUE@ $(am__append_138) $(am__append_140) \ @MONOLITHIC_TRUE@ $(am__append_142) $(am__append_144) \ -@MONOLITHIC_TRUE@ $(am__append_146) $(am__append_148) . tests +@MONOLITHIC_TRUE@ $(am__append_146) $(am__append_148) \ +@MONOLITHIC_TRUE@ $(am__append_150) . tests all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h index a102c459c..93904ec71 100644 --- a/src/libcharon/config/child_cfg.h +++ b/src/libcharon/config/child_cfg.h @@ -310,6 +310,9 @@ enum child_cfg_option_t { /** Force 96-bit truncation for SHA-256 */ OPT_SHA256_96 = (1<<6), + + /** Set mark on inbound SAs */ + OPT_MARK_IN_SA = (1<<7), }; /** diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c index 93300781d..64413204b 100644 --- a/src/libcharon/config/ike_cfg.c +++ b/src/libcharon/config/ike_cfg.c @@ -580,6 +580,7 @@ bool ike_cfg_has_address(ike_cfg_t *cfg, host_t *addr, bool local) host = host_create_from_string(str, 0); if (host && addr->ip_equals(addr, host)) { + host->destroy(host); found = TRUE; break; } diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c index 6c71f78d3..46c3c9400 100644 --- a/src/libcharon/config/proposal.c +++ b/src/libcharon/config/proposal.c @@ -872,9 +872,10 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) case AUTH_AES_XCBC_96: case AUTH_AES_CMAC_96: case AUTH_HMAC_SHA1_96: - case AUTH_HMAC_MD5_96: add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0); break; + case AUTH_HMAC_MD5_96: + /* no, thanks */ default: break; } @@ -908,9 +909,11 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) switch (prf) { case PRF_HMAC_SHA1: - case PRF_HMAC_MD5: add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0); break; + case PRF_HMAC_MD5: + /* no, thanks */ + break; default: break; } @@ -970,6 +973,8 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) /* only for testing purposes */ break; case MODP_768_BIT: + case MODP_1024_BIT: + case MODP_1536_BIT: /* weak */ break; case MODP_1024_160: @@ -977,7 +982,6 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) case MODP_2048_256: /* RFC 5114 primes are of questionable source */ break; - case MODP_1536_BIT: case ECP_224_BIT: case ECP_224_BP: case ECP_192_BIT: @@ -985,7 +989,6 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) /* rarely used */ break; case MODP_2048_BIT: - case MODP_1024_BIT: add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0); break; default: @@ -1017,14 +1020,11 @@ proposal_t *proposal_create_default(protocol_id_t protocol) add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192); add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256); - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0); - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256); add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); break; case PROTO_AH: @@ -1033,7 +1033,6 @@ proposal_t *proposal_create_default(protocol_id_t protocol) add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); break; default: diff --git a/src/libcharon/config/proposal.h b/src/libcharon/config/proposal.h index 2bdf3454f..0dc70f4c5 100644 --- a/src/libcharon/config/proposal.h +++ b/src/libcharon/config/proposal.h @@ -82,7 +82,7 @@ struct proposal_t { uint16_t alg, uint16_t key_size); /** - * Get an enumerator over algorithms for a specifc algo type. + * Get an enumerator over algorithms for a specific algo type. * * @param type kind of algorithm * @return enumerator over uint16_t alg, uint16_t key_size diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c index 8e7816b39..44a4d0aa8 100644 --- a/src/libcharon/control/controller.c +++ b/src/libcharon/control/controller.c @@ -294,10 +294,7 @@ METHOD(listener_t, ike_state_change_terminate, bool, switch (state) { case IKE_DESTROYING: - if (ike_sa->get_state(ike_sa) == IKE_DELETING) - { /* proper termination */ - this->status = SUCCESS; - } + this->status = SUCCESS; return listener_done(this); default: break; diff --git a/src/libcharon/encoding/payloads/cert_payload.h b/src/libcharon/encoding/payloads/cert_payload.h index 834f35d60..e134aac8d 100644 --- a/src/libcharon/encoding/payloads/cert_payload.h +++ b/src/libcharon/encoding/payloads/cert_payload.h @@ -131,7 +131,7 @@ cert_payload_t *cert_payload_create_from_cert(payload_type_t type, /** * Creates an IKEv2 certificate payload with hash and URL encoding. * - * @param hash hash of the DER encoded certificate (get's cloned) + * @param hash hash of the DER encoded certificate (gets cloned) * @param url URL to the certificate * @return cert_payload_t object */ diff --git a/src/libcharon/encoding/payloads/eap_payload.c b/src/libcharon/encoding/payloads/eap_payload.c index 923135da9..cbf74eb73 100644 --- a/src/libcharon/encoding/payloads/eap_payload.c +++ b/src/libcharon/encoding/payloads/eap_payload.c @@ -441,7 +441,7 @@ eap_payload_t *eap_payload_create_nak(uint8_t identifier, eap_type_t type, added_any = TRUE; } else if (reg_vendor) - { /* found vendor specifc method, but this is not an expanded Nak */ + { /* found vendor specific method, but this is not an expanded Nak */ found_vendor = TRUE; } } diff --git a/src/libcharon/encoding/payloads/nonce_payload.c b/src/libcharon/encoding/payloads/nonce_payload.c index 17a0417dc..52b09b663 100644 --- a/src/libcharon/encoding/payloads/nonce_payload.c +++ b/src/libcharon/encoding/payloads/nonce_payload.c @@ -86,7 +86,7 @@ static encoding_rule_t encodings[] = { { RESERVED_BIT, offsetof(private_nonce_payload_t, reserved[6]) }, /* Length of the whole nonce payload*/ { PAYLOAD_LENGTH, offsetof(private_nonce_payload_t, payload_length) }, - /* some nonce bytes, lenth is defined in PAYLOAD_LENGTH */ + /* some nonce bytes, length is defined in PAYLOAD_LENGTH */ { CHUNK_DATA, offsetof(private_nonce_payload_t, nonce) }, }; diff --git a/src/libcharon/encoding/payloads/transform_substructure.h b/src/libcharon/encoding/payloads/transform_substructure.h index e75dc27bb..cb75f1ea7 100644 --- a/src/libcharon/encoding/payloads/transform_substructure.h +++ b/src/libcharon/encoding/payloads/transform_substructure.h @@ -107,7 +107,7 @@ transform_substructure_t *transform_substructure_create(payload_type_t type); * * @param type PLV2_TRANSFORM_SUBSTRUCTURE or PLV1_TRANSFORM_SUBSTRUCTURE * @param type_or_number Type (IKEv2) or number (IKEv1) of transform - * @param id transform id specifc for the transform type + * @param id transform id specific for the transform type * @return transform_substructure_t object */ transform_substructure_t *transform_substructure_create_type(payload_type_t type, diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h index 6fafeb760..b75304031 100644 --- a/src/libcharon/kernel/kernel_ipsec.h +++ b/src/libcharon/kernel/kernel_ipsec.h @@ -183,7 +183,7 @@ struct kernel_ipsec_query_policy_t { * Policy information are cached in the interface. This is necessary to do * reference counting. The Linux kernel does not allow the same policy * installed twice, but we need this as CHILD_SA exist multiple times - * when rekeying. Thats why we do reference counting of policies. + * when rekeying. That's why we do reference counting of policies. */ struct kernel_ipsec_t { diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in index 5a76c8187..62ce323d0 100644 --- a/src/libcharon/plugins/addrblock/Makefile.in +++ b/src/libcharon/plugins/addrblock/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in index 8f5ae6ac7..bba9591ec 100644 --- a/src/libcharon/plugins/android_dns/Makefile.in +++ b/src/libcharon/plugins/android_dns/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in index 682fa15b9..0a5c7ec8d 100644 --- a/src/libcharon/plugins/android_log/Makefile.in +++ b/src/libcharon/plugins/android_log/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/attr/Makefile.in b/src/libcharon/plugins/attr/Makefile.in index 61570457e..2e7170472 100644 --- a/src/libcharon/plugins/attr/Makefile.in +++ b/src/libcharon/plugins/attr/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/attr_sql/Makefile.in b/src/libcharon/plugins/attr_sql/Makefile.in index 14a144c38..b8b9885f2 100644 --- a/src/libcharon/plugins/attr_sql/Makefile.in +++ b/src/libcharon/plugins/attr_sql/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/bypass_lan/Makefile.in b/src/libcharon/plugins/bypass_lan/Makefile.in index 1c1a4523a..f882f6bc0 100644 --- a/src/libcharon/plugins/bypass_lan/Makefile.in +++ b/src/libcharon/plugins/bypass_lan/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in index 0ae0d28d7..cbfb07597 100644 --- a/src/libcharon/plugins/certexpire/Makefile.in +++ b/src/libcharon/plugins/certexpire/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/connmark/Makefile.in b/src/libcharon/plugins/connmark/Makefile.in index fb432cd67..6f0a2bddf 100644 --- a/src/libcharon/plugins/connmark/Makefile.in +++ b/src/libcharon/plugins/connmark/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/counters/Makefile.am b/src/libcharon/plugins/counters/Makefile.am new file mode 100644 index 000000000..e5bde3f7a --- /dev/null +++ b/src/libcharon/plugins/counters/Makefile.am @@ -0,0 +1,19 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-counters.la +else +plugin_LTLIBRARIES = libstrongswan-counters.la +endif + +libstrongswan_counters_la_SOURCES = \ + counters_plugin.h counters_plugin.c \ + counters_listener.h counters_listener.c \ + counters_query.h + +libstrongswan_counters_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/counters/Makefile.in b/src/libcharon/plugins/counters/Makefile.in new file mode 100644 index 000000000..491ba80b3 --- /dev/null +++ b/src/libcharon/plugins/counters/Makefile.in @@ -0,0 +1,804 @@ +# Makefile.in generated by automake 1.15 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2014 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/counters +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_counters_la_LIBADD = +am_libstrongswan_counters_la_OBJECTS = counters_plugin.lo \ + counters_listener.lo +libstrongswan_counters_la_OBJECTS = \ + $(am_libstrongswan_counters_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libstrongswan_counters_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_counters_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_counters_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_counters_la_rpath = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libstrongswan_counters_la_SOURCES) +DIST_SOURCES = $(libstrongswan_counters_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +ATOMICLIB = @ATOMICLIB@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +fuzz_plugins = @fuzz_plugins@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libfuzzer = @libfuzzer@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +p_plugins = @p_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +ruby_CFLAGS = @ruby_CFLAGS@ +ruby_LIBS = @ruby_LIBS@ +runstatedir = @runstatedir@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +tss2_CFLAGS = @tss2_CFLAGS@ +tss2_LIBS = @tss2_LIBS@ +tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ +tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ +tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-counters.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-counters.la +libstrongswan_counters_la_SOURCES = \ + counters_plugin.h counters_plugin.c \ + counters_listener.h counters_listener.c \ + counters_query.h + +libstrongswan_counters_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/counters/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/counters/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libstrongswan-counters.la: $(libstrongswan_counters_la_OBJECTS) $(libstrongswan_counters_la_DEPENDENCIES) $(EXTRA_libstrongswan_counters_la_DEPENDENCIES) + $(AM_V_CCLD)$(libstrongswan_counters_la_LINK) $(am_libstrongswan_counters_la_rpath) $(libstrongswan_counters_la_OBJECTS) $(libstrongswan_counters_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/counters_listener.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/counters_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-pluginLTLIBRARIES install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-pluginLTLIBRARIES + +.PRECIOUS: Makefile + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/counters/counters_listener.c b/src/libcharon/plugins/counters/counters_listener.c new file mode 100644 index 000000000..a32614e8c --- /dev/null +++ b/src/libcharon/plugins/counters/counters_listener.c @@ -0,0 +1,464 @@ +/* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2012 Martin Willi + * Copyright (C) 2012 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "counters_listener.h" +#include "counters_query.h" + +#include <threading/spinlock.h> +#include <collections/hashtable.h> +#include <collections/array.h> + +typedef struct private_counters_listener_t private_counters_listener_t; +typedef struct private_counters_query_t private_counters_query_t; + +/** + * Query interface + */ +struct private_counters_query_t { + + /** + * Public interface + */ + counters_query_t public; + + /** + * Reference to this + */ + private_counters_listener_t *this; +}; + +/** + * Private data + */ +struct private_counters_listener_t { + + /** + * Public interface + */ + counters_listener_t public; + + /** + * Query interface + */ + private_counters_query_t query; + + /** + * Global counter values + */ + uint64_t counters[COUNTER_MAX]; + + /** + * Counters for specific connection names, char* => entry_t + */ + hashtable_t *conns; + + /** + * Lock for counter values + */ + spinlock_t *lock; +}; + +/** + * Counters for a specific connection name + */ +typedef struct { + /** connection name */ + char *name; + /** counter values for connection */ + uint64_t counters[COUNTER_MAX]; +} entry_t; + +/** + * Destroy named entry + */ +static void destroy_entry(entry_t *this) +{ + free(this->name); + free(this); +} + +/** + * Hashtable hash function + */ +static u_int hash(char *name) +{ + return chunk_hash(chunk_from_str(name)); +} + +/** + * Hashtable equals function + */ +static bool equals(char *a, char *b) +{ + return streq(a, b); +} + +/** + * Get the name of an IKE_SA, but return NULL if it is not known yet + */ +static char *get_ike_sa_name(ike_sa_t *ike_sa) +{ + peer_cfg_t *peer_cfg; + + if (ike_sa) + { + peer_cfg = ike_sa->get_peer_cfg(ike_sa); + if (peer_cfg) + { + return peer_cfg->get_name(peer_cfg); + } + } + return NULL; +} + +/** + * Increase a counter for a named entry + */ +static void count_named(private_counters_listener_t *this, + ike_sa_t *ike_sa, counter_type_t type) +{ + entry_t *entry; + char *name; + + name = get_ike_sa_name(ike_sa); + if (name) + { + entry = this->conns->get(this->conns, name); + if (!entry) + { + INIT(entry, + .name = strdup(name), + ); + this->conns->put(this->conns, entry->name, entry); + } + entry->counters[type]++; + } +} + +METHOD(listener_t, alert, bool, + private_counters_listener_t *this, ike_sa_t *ike_sa, + alert_t alert, va_list args) +{ + counter_type_t type; + + switch (alert) + { + case ALERT_INVALID_IKE_SPI: + type = COUNTER_IN_INVALID_IKE_SPI; + break; + case ALERT_PARSE_ERROR_HEADER: + case ALERT_PARSE_ERROR_BODY: + type = COUNTER_IN_INVALID; + break; + default: + return TRUE; + } + + this->lock->lock(this->lock); + this->counters[type]++; + count_named(this, ike_sa, type); + this->lock->unlock(this->lock); + + return TRUE; +} + +METHOD(listener_t, ike_rekey, bool, + private_counters_listener_t *this, ike_sa_t *old, ike_sa_t *new) +{ + counter_type_t type; + ike_sa_id_t *id; + + id = new->get_id(new); + if (id->is_initiator(id)) + { + type = COUNTER_INIT_IKE_SA_REKEY; + } + else + { + type = COUNTER_RESP_IKE_SA_REKEY; + } + + this->lock->lock(this->lock); + this->counters[type]++; + count_named(this, old, type); + this->lock->unlock(this->lock); + + return TRUE; +} + +METHOD(listener_t, child_rekey, bool, + private_counters_listener_t *this, ike_sa_t *ike_sa, + child_sa_t *old, child_sa_t *new) +{ + this->lock->lock(this->lock); + this->counters[COUNTER_CHILD_SA_REKEY]++; + count_named(this, ike_sa, COUNTER_CHILD_SA_REKEY); + this->lock->unlock(this->lock); + + return TRUE; +} + +METHOD(listener_t, message_hook, bool, + private_counters_listener_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming, bool plain) +{ + counter_type_t type; + bool request; + + if ((incoming && !plain) || (!incoming && !plain)) + { /* handle each message only once */ + return TRUE; + } + + request = message->get_request(message); + switch (message->get_exchange_type(message)) + { + case IKE_SA_INIT: + if (incoming) + { + type = request ? COUNTER_IN_IKE_SA_INIT_REQ + : COUNTER_IN_IKE_SA_INIT_RSP; + } + else + { + type = request ? COUNTER_OUT_IKE_SA_INIT_REQ + : COUNTER_OUT_IKE_SA_INIT_RES; + } + break; + case IKE_AUTH: + if (incoming) + { + type = request ? COUNTER_IN_IKE_AUTH_REQ + : COUNTER_IN_IKE_AUTH_RSP; + } + else + { + type = request ? COUNTER_OUT_IKE_AUTH_REQ + : COUNTER_OUT_IKE_AUTH_RSP; + } + break; + case CREATE_CHILD_SA: + if (incoming) + { + type = request ? COUNTER_IN_CREATE_CHILD_SA_REQ + : COUNTER_IN_CREATE_CHILD_SA_RSP; + } + else + { + type = request ? COUNTER_OUT_CREATE_CHILD_SA_REQ + : COUNTER_OUT_CREATE_CHILD_SA_RSP; + } + break; + case INFORMATIONAL: + if (incoming) + { + type = request ? COUNTER_IN_INFORMATIONAL_REQ + : COUNTER_IN_INFORMATIONAL_RSP; + } + else + { + type = request ? COUNTER_OUT_INFORMATIONAL_REQ + : COUNTER_OUT_INFORMATIONAL_RSP; + } + break; + default: + return TRUE; + } + + this->lock->lock(this->lock); + this->counters[type]++; + count_named(this, ike_sa, type); + this->lock->unlock(this->lock); + + return TRUE; +} + +CALLBACK(free_names, void, + array_t * names) +{ + array_destroy_function(names, (void*)free, NULL); +} + +METHOD(counters_query_t, get_names, enumerator_t*, + private_counters_query_t *query) +{ + private_counters_listener_t *this = query->this; + enumerator_t *enumerator; + array_t *names; + char *name; + + this->lock->lock(this->lock); + names = array_create(0, this->conns->get_count(this->conns)); + enumerator = this->conns->create_enumerator(this->conns); + while (enumerator->enumerate(enumerator, &name, NULL)) + { + array_insert(names, ARRAY_TAIL, strdup(name)); + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + + array_sort(names, (void*)strcmp, NULL); + + return enumerator_create_cleaner(array_create_enumerator(names), + free_names, names); +} + +METHOD(counters_query_t, get, bool, + private_counters_query_t *query, counter_type_t type, char *name, + uint64_t *value) +{ + private_counters_listener_t *this = query->this; + uint64_t *counters = this->counters; + + this->lock->lock(this->lock); + if (name) + { + entry_t *entry; + + entry = this->conns->get(this->conns, name); + if (!entry) + { + this->lock->unlock(this->lock); + return FALSE; + } + counters = entry->counters; + } + if (value) + { + *value = counters[type]; + } + this->lock->unlock(this->lock); + return TRUE; +} + +METHOD(counters_query_t, get_all, uint64_t*, + private_counters_query_t *query, char *name) +{ + private_counters_listener_t *this = query->this; + entry_t *entry; + uint64_t *result, *counters = this->counters; + counter_type_t i; + + result = calloc(COUNTER_MAX, sizeof(uint64_t)); + + this->lock->lock(this->lock); + if (name) + { + entry = this->conns->get(this->conns, name); + if (!entry) + { + this->lock->unlock(this->lock); + free(result); + return NULL; + } + counters = &entry->counters[0]; + } + for (i = 0; i < countof(this->counters); i++) + { + result[i] = counters[i]; + } + this->lock->unlock(this->lock); + return result; +} + +METHOD(counters_query_t, reset, void, + private_counters_query_t *query, char *name) +{ + private_counters_listener_t *this = query->this; + entry_t *entry = NULL; + + this->lock->lock(this->lock); + if (name) + { + entry = this->conns->remove(this->conns, name); + } + else + { + memset(&this->counters, 0, sizeof(this->counters)); + } + this->lock->unlock(this->lock); + + if (entry) + { + destroy_entry(entry); + } +} + +METHOD(counters_query_t, reset_all, void, + private_counters_query_t *query) +{ + private_counters_listener_t *this = query->this; + hashtable_t *new_conns, *conns; + + new_conns = hashtable_create((hashtable_hash_t)hash, + (hashtable_equals_t)equals, 4); + + this->lock->lock(this->lock); + conns = this->conns; + this->conns = new_conns; + this->lock->unlock(this->lock); + + conns->destroy_function(conns, (void*)destroy_entry); +} + +METHOD(counters_listener_t, destroy, void, + private_counters_listener_t *this) +{ + lib->set(lib, "counters", NULL); + + this->conns->destroy_function(this->conns, (void*)destroy_entry); + this->lock->destroy(this->lock); + free(this); +} + +/* + * Described in header + */ +counters_listener_t *counters_listener_create() +{ + private_counters_listener_t *this; + + INIT(this, + .public = { + .listener = { + .alert = _alert, + .ike_rekey = _ike_rekey, + .child_rekey = _child_rekey, + .message = _message_hook, + }, + .destroy = _destroy, + }, + .query = { + .public = { + .get_names = _get_names, + .get = _get, + .get_all = _get_all, + .reset = _reset, + .reset_all = _reset_all, + }, + }, + .conns = hashtable_create((hashtable_hash_t)hash, + (hashtable_equals_t)equals, 4), + .lock = spinlock_create(), + ); + this->query.this = this; + + lib->set(lib, "counters", &this->query); + + return &this->public; +} diff --git a/src/libcharon/plugins/counters/counters_listener.h b/src/libcharon/plugins/counters/counters_listener.h new file mode 100644 index 000000000..6d9168f4c --- /dev/null +++ b/src/libcharon/plugins/counters/counters_listener.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup counters_listener counters_listener + * @{ @ingroup counters + */ + +#ifndef COUNTERS_LISTENER_H_ +#define COUNTERS_LISTENER_H_ + +#include <bus/listeners/listener.h> + +typedef struct counters_listener_t counters_listener_t; + +/** + * Collect counter values for different IKE events. + */ +struct counters_listener_t { + + /** + * Implements listener_t interface. + */ + listener_t listener; + + /** + * Destroy a counters_listener_t. + */ + void (*destroy)(counters_listener_t *this); +}; + +/** + * Create a counters_listener_t instance. + */ +counters_listener_t *counters_listener_create(); + +#endif /** COUNTERS_LISTENER_H_ @}*/ diff --git a/src/libcharon/plugins/counters/counters_plugin.c b/src/libcharon/plugins/counters/counters_plugin.c new file mode 100644 index 000000000..48de92760 --- /dev/null +++ b/src/libcharon/plugins/counters/counters_plugin.c @@ -0,0 +1,101 @@ +/* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "counters_plugin.h" + +#include <daemon.h> +#include <plugins/plugin_feature.h> + +#include "counters_listener.h" + +typedef struct private_counters_plugin_t private_counters_plugin_t; + +/** + * Private data + */ +struct private_counters_plugin_t { + + /** + * Public interface + */ + counters_plugin_t public; + + /** + * Listener implementation + */ + counters_listener_t *listener; +}; + +METHOD(plugin_t, get_name, char*, + private_counters_plugin_t *this) +{ + return "counters"; +} + +/** + * Register listener + */ +static bool plugin_cb(private_counters_plugin_t *this, + plugin_feature_t *feature, bool reg, void *cb_data) +{ + if (reg) + { + charon->bus->add_listener(charon->bus, &this->listener->listener); + } + else + { + charon->bus->remove_listener(charon->bus, &this->listener->listener); + } + return TRUE; +} + +METHOD(plugin_t, get_features, int, + private_counters_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL), + PLUGIN_PROVIDE(CUSTOM, "counters"), + }; + *features = f; + return countof(f); +} + +METHOD(plugin_t, destroy, void, + private_counters_plugin_t *this) +{ + this->listener->destroy(this->listener); + free(this); +} + +/* + * Described in header + */ +plugin_t *counters_plugin_create() +{ + private_counters_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .get_name = _get_name, + .get_features = _get_features, + .destroy = _destroy, + }, + }, + .listener = counters_listener_create(), + ); + + return &this->public.plugin; +} diff --git a/src/libcharon/plugins/counters/counters_plugin.h b/src/libcharon/plugins/counters/counters_plugin.h new file mode 100644 index 000000000..76fe2c236 --- /dev/null +++ b/src/libcharon/plugins/counters/counters_plugin.h @@ -0,0 +1,45 @@ +/* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup counters counters + * @ingroup cplugins + * + * @defgroup counters_plugin counters_plugin + * @{ @ingroup counters + */ + +#ifndef COUNTERS_PLUGIN_H_ +#define COUNTERS_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct counters_plugin_t counters_plugin_t; + +/** + * Plugin collecting several IKE event counters. + * + * Interested components can query individual counters via the 'counters' + * object registered on lib that implements the counters_query.h interface. + */ +struct counters_plugin_t { + + /** + * Implements plugin_t. interface. + */ + plugin_t plugin; +}; + +#endif /** COUNTERS_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/counters/counters_query.h b/src/libcharon/plugins/counters/counters_query.h new file mode 100644 index 000000000..f785a68c8 --- /dev/null +++ b/src/libcharon/plugins/counters/counters_query.h @@ -0,0 +1,124 @@ +/* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2012 Martin Willi + * Copyright (C) 2012 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup counters_query counters_query + * @{ @ingroup counters + */ + +#ifndef COUNTERS_QUERY_H_ +#define COUNTERS_QUERY_H_ + +#include <bus/listeners/listener.h> + +typedef struct counters_query_t counters_query_t; +typedef enum counter_type_t counter_type_t; + +enum counter_type_t { + /** initiated IKE_SA rekeyings */ + COUNTER_INIT_IKE_SA_REKEY, + /** responded IKE_SA rekeyings */ + COUNTER_RESP_IKE_SA_REKEY, + /** completed CHILD_SA rekeyings */ + COUNTER_CHILD_SA_REKEY, + /** messages with invalid types, length, or a value out of range */ + COUNTER_IN_INVALID, + /** messages with an invalid IKE SPI */ + COUNTER_IN_INVALID_IKE_SPI, + /** received IKE_SA_INIT requests */ + COUNTER_IN_IKE_SA_INIT_REQ, + /** received IKE_SA_INIT responses */ + COUNTER_IN_IKE_SA_INIT_RSP, + /** sent IKE_SA_INIT requests */ + COUNTER_OUT_IKE_SA_INIT_REQ, + /** sent IKE_SA_INIT responses */ + COUNTER_OUT_IKE_SA_INIT_RES, + /** received IKE_AUTH requests */ + COUNTER_IN_IKE_AUTH_REQ, + /** received IKE_AUTH responses */ + COUNTER_IN_IKE_AUTH_RSP, + /** sent IKE_AUTH requests */ + COUNTER_OUT_IKE_AUTH_REQ, + /** sent IKE_AUTH responses */ + COUNTER_OUT_IKE_AUTH_RSP, + /** received CREATE_CHILD_SA requests */ + COUNTER_IN_CREATE_CHILD_SA_REQ, + /** received CREATE_CHILD_SA responses */ + COUNTER_IN_CREATE_CHILD_SA_RSP, + /** sent CREATE_CHILD_SA requests */ + COUNTER_OUT_CREATE_CHILD_SA_REQ, + /** sent CREATE_CHILD_SA responses */ + COUNTER_OUT_CREATE_CHILD_SA_RSP, + /** received INFORMATIONAL requests */ + COUNTER_IN_INFORMATIONAL_REQ, + /** received INFORMATIONAL responses */ + COUNTER_IN_INFORMATIONAL_RSP, + /** sent INFORMATIONAL requests */ + COUNTER_OUT_INFORMATIONAL_REQ, + /** sent INFORMATIONAL responses */ + COUNTER_OUT_INFORMATIONAL_RSP, + /** number of counter types */ + COUNTER_MAX +}; + +/** + * Query counter values for different IKE events. + */ +struct counters_query_t { + + /** + * Enumerate all connection names for which counters are currently recorded. + * + * @return enumerator over names (char *) + */ + enumerator_t *(*get_names)(counters_query_t *this); + + /** + * Get a current global or connection-specific counter value. + * + * @param type counter to query + * @param name connection name to get counter for, NULL for global + * @param[out] value counter value + * @return TRUE if value found and returned + */ + bool (*get)(counters_query_t *this, counter_type_t type, char *name, + uint64_t *value); + + /** + * Get all global or connection-specific counter values. + * + * @param name connection name to get counters for, NULL for global + * @return array of counters (has to be freed), NULL if named + * connection is not found + */ + uint64_t *(*get_all)(counters_query_t *this, char *name); + + /** + * Reset all global or connection-specific counters. + * + * @param name connection name to reset counters, NULL for global + */ + void (*reset)(counters_query_t *this, char *name); + + /** + * Reset counters for all connections, global counters are unaffected. + */ + void (*reset_all)(counters_query_t *this); +}; + +#endif /** COUNTERS_QUERY_H_ @}*/ diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in index 06f2592f0..5859a21ee 100644 --- a/src/libcharon/plugins/coupling/Makefile.in +++ b/src/libcharon/plugins/coupling/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in index aaca1ec99..f8e2d7398 100644 --- a/src/libcharon/plugins/dhcp/Makefile.in +++ b/src/libcharon/plugins/dhcp/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c index 42f8f1ef9..7541c3b49 100644 --- a/src/libcharon/plugins/dhcp/dhcp_socket.c +++ b/src/libcharon/plugins/dhcp/dhcp_socket.c @@ -176,7 +176,7 @@ typedef struct __attribute__((packed)) { char server_hostname[64]; char boot_filename[128]; uint32_t magic_cookie; - char options[252]; + u_char options[252]; } dhcp_t; /** @@ -438,7 +438,7 @@ METHOD(dhcp_socket_t, release, void, DBG1(DBG_CFG, "sending DHCP RELEASE for %H to %H", release, server); chunk = release->get_address(release); - memcpy(&dhcp.client_address, chunk.ptr, + memcpy((char*)&dhcp.client_address, chunk.ptr, min(chunk.len, sizeof(dhcp.client_address))); option = (dhcp_option_t*)&dhcp.options[optlen]; diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in index 0febca96d..d0a4d7fc3 100644 --- a/src/libcharon/plugins/dnscert/Makefile.in +++ b/src/libcharon/plugins/dnscert/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in index db4491113..9be0c495b 100644 --- a/src/libcharon/plugins/duplicheck/Makefile.in +++ b/src/libcharon/plugins/duplicheck/Makefile.in @@ -254,9 +254,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in index 09291aff5..dd66b65b7 100644 --- a/src/libcharon/plugins/eap_aka/Makefile.in +++ b/src/libcharon/plugins/eap_aka/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_aka_3gpp/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp/Makefile.in index 2b73a57ce..2f3d0b83e 100644 --- a/src/libcharon/plugins/eap_aka_3gpp/Makefile.in +++ b/src/libcharon/plugins/eap_aka_3gpp/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_aka_3gpp/eap_aka_3gpp_plugin.c b/src/libcharon/plugins/eap_aka_3gpp/eap_aka_3gpp_plugin.c index 3d0e06146..650af86d9 100644 --- a/src/libcharon/plugins/eap_aka_3gpp/eap_aka_3gpp_plugin.c +++ b/src/libcharon/plugins/eap_aka_3gpp/eap_aka_3gpp_plugin.c @@ -77,7 +77,7 @@ METHOD(plugin_t, get_name, char*, } /** - * Try to instanciate ea_aka_3gpp functions and card/provider backends + * Try to instantiate ea_aka_3gpp functions and card/provider backends */ static bool register_functions(private_eap_aka_3gpp_t *this, plugin_feature_t *feature, bool reg, void *data) diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in index a14afbc55..f5fc3fb48 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in +++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c index d7d0d0507..3f9db71c6 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c +++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c @@ -55,7 +55,7 @@ METHOD(plugin_t, get_name, char*, } /** - * Try to instanciate 3gpp2 functions and card/provider backends + * Try to instantiate 3gpp2 functions and card/provider backends */ static bool register_functions(private_eap_aka_3gpp2_t *this, plugin_feature_t *feature, bool reg, void *data) diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in index e6427106a..494f0a8c5 100644 --- a/src/libcharon/plugins/eap_dynamic/Makefile.in +++ b/src/libcharon/plugins/eap_dynamic/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in index 0075513b2..4dc68f94f 100644 --- a/src/libcharon/plugins/eap_gtc/Makefile.in +++ b/src/libcharon/plugins/eap_gtc/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in index 7481fe377..44f097ef4 100644 --- a/src/libcharon/plugins/eap_identity/Makefile.in +++ b/src/libcharon/plugins/eap_identity/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in index f26a58550..3c634db82 100644 --- a/src/libcharon/plugins/eap_md5/Makefile.in +++ b/src/libcharon/plugins/eap_md5/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in index abc3081b8..505d6ea52 100644 --- a/src/libcharon/plugins/eap_mschapv2/Makefile.in +++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in index 8e8597cab..20f2ecab1 100644 --- a/src/libcharon/plugins/eap_peap/Makefile.in +++ b/src/libcharon/plugins/eap_peap/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in index 938243394..f5100fc53 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.in +++ b/src/libcharon/plugins/eap_radius/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c index a2530e653..fbbf6da83 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius.c +++ b/src/libcharon/plugins/eap_radius/eap_radius.c @@ -1,6 +1,7 @@ /* + * Copyright (C) 2012-2017 Tobias Brunner * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -271,37 +272,47 @@ METHOD(eap_method_t, initiate, status_t, } /** - * Handle the Class attribute as group membership information + * Handle the Class attribute */ static void process_class(radius_message_t *msg) { enumerator_t *enumerator; + ike_sa_t *ike_sa; + identification_t *id; + auth_cfg_t *auth; chunk_t data; + bool class_group, class_send; int type; + class_group = lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.class_group", FALSE, lib->ns); + class_send = lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.accounting_send_class", FALSE, lib->ns); + ike_sa = charon->bus->get_sa(charon->bus); + + if ((!class_group && !class_send) || !ike_sa) + { + return; + } + enumerator = msg->create_enumerator(msg); while (enumerator->enumerate(enumerator, &type, &data)) { if (type == RAT_CLASS) { - identification_t *id; - ike_sa_t *ike_sa; - auth_cfg_t *auth; - - if (data.len >= 44) + if (class_group && data.len < 44) { /* quirk: ignore long class attributes, these are used for * other purposes by some RADIUS servers (such as NPS). */ - continue; - } - - ike_sa = charon->bus->get_sa(charon->bus); - if (ike_sa) - { auth = ike_sa->get_auth_cfg(ike_sa, FALSE); id = identification_create_from_data(data); - DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", id); + DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", + id); auth->add(auth, AUTH_RULE_GROUP, id); } + if (class_send) + { + eap_radius_accounting_add_class(ike_sa, data); + } } } enumerator->destroy(enumerator); @@ -631,11 +642,7 @@ static void process_cfg_attributes(radius_message_t *msg) */ void eap_radius_process_attributes(radius_message_t *message) { - if (lib->settings->get_bool(lib->settings, - "%s.plugins.eap-radius.class_group", FALSE, lib->ns)) - { - process_class(message); - } + process_class(message); if (lib->settings->get_bool(lib->settings, "%s.plugins.eap-radius.filter_id", FALSE, lib->ns)) { diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c index e1f5be06a..92611492b 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c @@ -1,6 +1,6 @@ /* - * Copyright (C) 2015 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2015-2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2012 Martin Willi * Copyright (C) 2012 revosec AG @@ -160,6 +160,8 @@ typedef struct { ike_sa_id_t *id; /** RADIUS accounting session ID */ char sid[24]; + /** cached Class attributes */ + array_t *class_attrs; /** number of sent/received octets/packets for expired SAs */ usage_t usage; /** list of cached SAs, sa_entry_t (sorted by their unique ID) */ @@ -186,6 +188,7 @@ static void destroy_entry(entry_t *this) { array_destroy_function(this->cached, (void*)free, NULL); array_destroy_function(this->migrated, (void*)free, NULL); + array_destroy_function(this->class_attrs, (void*)chunk_free, NULL); this->id->destroy(this->id); free(this); } @@ -458,6 +461,23 @@ static void add_ike_sa_parameters(private_eap_radius_accounting_t *this, } /** + * Add the Class attributes received in the Access-Accept message to the + * RADIUS accounting message + */ +static void add_class_attributes(radius_message_t *message, entry_t *entry) +{ + enumerator_t *enumerator; + chunk_t *cls; + + enumerator = array_create_enumerator(entry->class_attrs); + while (enumerator->enumerate(enumerator, &cls)) + { + message->add(message, RAT_CLASS, *cls); + } + enumerator->destroy(enumerator); +} + +/** * Get an existing or create a new entry from the locked session table */ static entry_t* get_or_create_entry(private_eap_radius_accounting_t *this, @@ -585,6 +605,7 @@ static job_requeue_t send_interim(interim_data_t *data) message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value)); message->add(message, RAT_ACCT_SESSION_ID, chunk_create(entry->sid, strlen(entry->sid))); + add_class_attributes(message, entry); add_ike_sa_parameters(this, message, ike_sa); value = htonl(usage.bytes.sent); @@ -704,6 +725,7 @@ static void send_start(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value)); message->add(message, RAT_ACCT_SESSION_ID, chunk_create(entry->sid, strlen(entry->sid))); + add_class_attributes(message, entry); if (!entry->interim.interval) { @@ -766,6 +788,7 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value)); message->add(message, RAT_ACCT_SESSION_ID, chunk_create(entry->sid, strlen(entry->sid))); + add_class_attributes(message, entry); add_ike_sa_parameters(this, message, ike_sa); value = htonl(entry->usage.bytes.sent); @@ -1064,3 +1087,24 @@ void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, uint32_t interval) singleton->mutex->unlock(singleton->mutex); } } + +/* + * Described in header + */ +void eap_radius_accounting_add_class(ike_sa_t *ike_sa, chunk_t cls) +{ + if (singleton) + { + entry_t *entry; + chunk_t clone; + + DBG2(DBG_CFG, "cache RADIUS Class attribute %B", &cls); + singleton->mutex->lock(singleton->mutex); + entry = get_or_create_entry(singleton, ike_sa->get_id(ike_sa), + ike_sa->get_unique_id(ike_sa)); + clone = chunk_clone(cls); + array_insert_create_value(&entry->class_attrs, sizeof(chunk_t), + ARRAY_TAIL, &clone); + singleton->mutex->unlock(singleton->mutex); + } +}
\ No newline at end of file diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h index f7a19c9b5..dc1edcf54 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h @@ -1,4 +1,7 @@ /* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2012 Martin Willi * Copyright (C) 2012 revosec AG * @@ -54,4 +57,12 @@ eap_radius_accounting_t *eap_radius_accounting_create(); */ void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, uint32_t interval); +/** + * Add a Class attribute for the given IKE_SA. + * + * @param ike_sa IKE_SA for which the attribute was received + * @param cls Class attribute value + */ +void eap_radius_accounting_add_class(ike_sa_t *ike_sa, chunk_t cls); + #endif /** EAP_RADIUS_ACCOUNTING_H_ @}*/ diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in index f7b2d3e2d..ae25d21c2 100644 --- a/src/libcharon/plugins/eap_sim/Makefile.in +++ b/src/libcharon/plugins/eap_sim/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in index a78155080..a02cbbd23 100644 --- a/src/libcharon/plugins/eap_sim_file/Makefile.in +++ b/src/libcharon/plugins/eap_sim_file/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in index 28e7b4612..d9cfda351 100644 --- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in +++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in @@ -250,9 +250,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in index 98d4fe9cc..9f56b01da 100644 --- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in @@ -250,9 +250,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in index 539dc657e..9e41bf270 100644 --- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in index 284178e13..0f6b7e95a 100644 --- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in index 9e69e068c..83726b645 100644 --- a/src/libcharon/plugins/eap_tls/Makefile.in +++ b/src/libcharon/plugins/eap_tls/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in index 6f5d3a466..1047ea0e0 100644 --- a/src/libcharon/plugins/eap_tnc/Makefile.in +++ b/src/libcharon/plugins/eap_tnc/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in index 5a9310a7d..1a779c60b 100644 --- a/src/libcharon/plugins/eap_ttls/Makefile.in +++ b/src/libcharon/plugins/eap_ttls/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in index 7322bc036..7439befbc 100644 --- a/src/libcharon/plugins/error_notify/Makefile.in +++ b/src/libcharon/plugins/error_notify/Makefile.in @@ -255,9 +255,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/ext_auth/Makefile.in b/src/libcharon/plugins/ext_auth/Makefile.in index 8ab170b6d..d669b5707 100644 --- a/src/libcharon/plugins/ext_auth/Makefile.in +++ b/src/libcharon/plugins/ext_auth/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in index 4328db1f9..dc07f34c1 100644 --- a/src/libcharon/plugins/farp/Makefile.in +++ b/src/libcharon/plugins/farp/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/forecast/Makefile.in b/src/libcharon/plugins/forecast/Makefile.in index 15589b35d..f89ed736d 100644 --- a/src/libcharon/plugins/forecast/Makefile.in +++ b/src/libcharon/plugins/forecast/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in index cdf33f61f..455108834 100644 --- a/src/libcharon/plugins/ha/Makefile.in +++ b/src/libcharon/plugins/ha/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in index adb40765e..b212e2e33 100644 --- a/src/libcharon/plugins/ipseckey/Makefile.in +++ b/src/libcharon/plugins/ipseckey/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/kernel_iph/Makefile.in b/src/libcharon/plugins/kernel_iph/Makefile.in index 6164f5c7b..cc4450a95 100644 --- a/src/libcharon/plugins/kernel_iph/Makefile.in +++ b/src/libcharon/plugins/kernel_iph/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in index e604be758..09c03ed33 100644 --- a/src/libcharon/plugins/kernel_libipsec/Makefile.in +++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.am b/src/libcharon/plugins/kernel_netlink/Makefile.am index 41c7304c6..0e39c0d24 100644 --- a/src/libcharon/plugins/kernel_netlink/Makefile.am +++ b/src/libcharon/plugins/kernel_netlink/Makefile.am @@ -25,22 +25,22 @@ libstrongswan_kernel_netlink_la_LIBADD = $(DLLIB) libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version -TESTS = tests +TESTS = kernel_netlink_tests check_PROGRAMS = $(TESTS) -tests_SOURCES = \ +kernel_netlink_tests_SOURCES = \ tests.h tests.c \ suites/test_socket.c \ kernel_netlink_shared.c -tests_CFLAGS = \ +kernel_netlink_tests_CFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libstrongswan/tests \ -DNETLINK_MSG_LOSS_HOOK=netlink_msg_loss \ @COVERAGE_CFLAGS@ -tests_LDFLAGS = @COVERAGE_LDFLAGS@ -tests_LDADD = \ +kernel_netlink_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +kernel_netlink_tests_LDADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(top_builddir)/src/libstrongswan/tests/libtest.la diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.in b/src/libcharon/plugins/kernel_netlink/Makefile.in index 8d653104e..7ec64084b 100644 --- a/src/libcharon/plugins/kernel_netlink/Makefile.in +++ b/src/libcharon/plugins/kernel_netlink/Makefile.in @@ -88,7 +88,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -TESTS = tests$(EXEEXT) +TESTS = kernel_netlink_tests$(EXEEXT) check_PROGRAMS = $(am__EXEEXT_1) subdir = src/libcharon/plugins/kernel_netlink ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -156,18 +156,20 @@ libstrongswan_kernel_netlink_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ @MONOLITHIC_FALSE@am_libstrongswan_kernel_netlink_la_rpath = -rpath \ @MONOLITHIC_FALSE@ $(plugindir) @MONOLITHIC_TRUE@am_libstrongswan_kernel_netlink_la_rpath = -am__EXEEXT_1 = tests$(EXEEXT) +am__EXEEXT_1 = kernel_netlink_tests$(EXEEXT) am__dirstamp = $(am__leading_dot)dirstamp -am_tests_OBJECTS = tests-tests.$(OBJEXT) \ - suites/tests-test_socket.$(OBJEXT) \ - tests-kernel_netlink_shared.$(OBJEXT) -tests_OBJECTS = $(am_tests_OBJECTS) -tests_DEPENDENCIES = \ +am_kernel_netlink_tests_OBJECTS = \ + kernel_netlink_tests-tests.$(OBJEXT) \ + suites/kernel_netlink_tests-test_socket.$(OBJEXT) \ + kernel_netlink_tests-kernel_netlink_shared.$(OBJEXT) +kernel_netlink_tests_OBJECTS = $(am_kernel_netlink_tests_OBJECTS) +kernel_netlink_tests_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(top_builddir)/src/libstrongswan/tests/libtest.la -tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(tests_CFLAGS) $(CFLAGS) \ - $(tests_LDFLAGS) $(LDFLAGS) -o $@ +kernel_netlink_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(kernel_netlink_tests_CFLAGS) $(CFLAGS) \ + $(kernel_netlink_tests_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -202,9 +204,10 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES) $(tests_SOURCES) +SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES) \ + $(kernel_netlink_tests_SOURCES) DIST_SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES) \ - $(tests_SOURCES) + $(kernel_netlink_tests_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -286,9 +289,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -509,19 +514,19 @@ libstrongswan_kernel_netlink_la_SOURCES = \ libstrongswan_kernel_netlink_la_LIBADD = $(DLLIB) libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version -tests_SOURCES = \ +kernel_netlink_tests_SOURCES = \ tests.h tests.c \ suites/test_socket.c \ kernel_netlink_shared.c -tests_CFLAGS = \ +kernel_netlink_tests_CFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libstrongswan/tests \ -DNETLINK_MSG_LOSS_HOOK=netlink_msg_loss \ @COVERAGE_CFLAGS@ -tests_LDFLAGS = @COVERAGE_LDFLAGS@ -tests_LDADD = \ +kernel_netlink_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +kernel_netlink_tests_LDADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(top_builddir)/src/libstrongswan/tests/libtest.la @@ -622,12 +627,12 @@ suites/$(am__dirstamp): suites/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) suites/$(DEPDIR) @: > suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_socket.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) +suites/kernel_netlink_tests-test_socket.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) -tests$(EXEEXT): $(tests_OBJECTS) $(tests_DEPENDENCIES) $(EXTRA_tests_DEPENDENCIES) - @rm -f tests$(EXEEXT) - $(AM_V_CCLD)$(tests_LINK) $(tests_OBJECTS) $(tests_LDADD) $(LIBS) +kernel_netlink_tests$(EXEEXT): $(kernel_netlink_tests_OBJECTS) $(kernel_netlink_tests_DEPENDENCIES) $(EXTRA_kernel_netlink_tests_DEPENDENCIES) + @rm -f kernel_netlink_tests$(EXEEXT) + $(AM_V_CCLD)$(kernel_netlink_tests_LINK) $(kernel_netlink_tests_OBJECTS) $(kernel_netlink_tests_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -640,9 +645,9 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_net.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_plugin.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_shared.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tests-kernel_netlink_shared.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tests-tests.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_socket.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_tests-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ @@ -668,47 +673,47 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< -tests-tests.o: tests.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-tests.o -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='tests-tests.o' libtool=no @AMDEPBACKSLASH@ +kernel_netlink_tests-tests.o: tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -MT kernel_netlink_tests-tests.o -MD -MP -MF $(DEPDIR)/kernel_netlink_tests-tests.Tpo -c -o kernel_netlink_tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/kernel_netlink_tests-tests.Tpo $(DEPDIR)/kernel_netlink_tests-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='kernel_netlink_tests-tests.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -c -o kernel_netlink_tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c -tests-tests.obj: tests.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-tests.obj -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='tests-tests.obj' libtool=no @AMDEPBACKSLASH@ +kernel_netlink_tests-tests.obj: tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -MT kernel_netlink_tests-tests.obj -MD -MP -MF $(DEPDIR)/kernel_netlink_tests-tests.Tpo -c -o kernel_netlink_tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/kernel_netlink_tests-tests.Tpo $(DEPDIR)/kernel_netlink_tests-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='kernel_netlink_tests-tests.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -c -o kernel_netlink_tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` -suites/tests-test_socket.o: suites/test_socket.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_socket.o -MD -MP -MF suites/$(DEPDIR)/tests-test_socket.Tpo -c -o suites/tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_socket.Tpo suites/$(DEPDIR)/tests-test_socket.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_socket.c' object='suites/tests-test_socket.o' libtool=no @AMDEPBACKSLASH@ +suites/kernel_netlink_tests-test_socket.o: suites/test_socket.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -MT suites/kernel_netlink_tests-test_socket.o -MD -MP -MF suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Tpo -c -o suites/kernel_netlink_tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Tpo suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_socket.c' object='suites/kernel_netlink_tests-test_socket.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -c -o suites/kernel_netlink_tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c -suites/tests-test_socket.obj: suites/test_socket.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_socket.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_socket.Tpo -c -o suites/tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_socket.Tpo suites/$(DEPDIR)/tests-test_socket.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_socket.c' object='suites/tests-test_socket.obj' libtool=no @AMDEPBACKSLASH@ +suites/kernel_netlink_tests-test_socket.obj: suites/test_socket.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -MT suites/kernel_netlink_tests-test_socket.obj -MD -MP -MF suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Tpo -c -o suites/kernel_netlink_tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Tpo suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_socket.c' object='suites/kernel_netlink_tests-test_socket.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -c -o suites/kernel_netlink_tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi` -tests-kernel_netlink_shared.o: kernel_netlink_shared.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-kernel_netlink_shared.o -MD -MP -MF $(DEPDIR)/tests-kernel_netlink_shared.Tpo -c -o tests-kernel_netlink_shared.o `test -f 'kernel_netlink_shared.c' || echo '$(srcdir)/'`kernel_netlink_shared.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-kernel_netlink_shared.Tpo $(DEPDIR)/tests-kernel_netlink_shared.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kernel_netlink_shared.c' object='tests-kernel_netlink_shared.o' libtool=no @AMDEPBACKSLASH@ +kernel_netlink_tests-kernel_netlink_shared.o: kernel_netlink_shared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -MT kernel_netlink_tests-kernel_netlink_shared.o -MD -MP -MF $(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Tpo -c -o kernel_netlink_tests-kernel_netlink_shared.o `test -f 'kernel_netlink_shared.c' || echo '$(srcdir)/'`kernel_netlink_shared.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Tpo $(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kernel_netlink_shared.c' object='kernel_netlink_tests-kernel_netlink_shared.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-kernel_netlink_shared.o `test -f 'kernel_netlink_shared.c' || echo '$(srcdir)/'`kernel_netlink_shared.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -c -o kernel_netlink_tests-kernel_netlink_shared.o `test -f 'kernel_netlink_shared.c' || echo '$(srcdir)/'`kernel_netlink_shared.c -tests-kernel_netlink_shared.obj: kernel_netlink_shared.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-kernel_netlink_shared.obj -MD -MP -MF $(DEPDIR)/tests-kernel_netlink_shared.Tpo -c -o tests-kernel_netlink_shared.obj `if test -f 'kernel_netlink_shared.c'; then $(CYGPATH_W) 'kernel_netlink_shared.c'; else $(CYGPATH_W) '$(srcdir)/kernel_netlink_shared.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-kernel_netlink_shared.Tpo $(DEPDIR)/tests-kernel_netlink_shared.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kernel_netlink_shared.c' object='tests-kernel_netlink_shared.obj' libtool=no @AMDEPBACKSLASH@ +kernel_netlink_tests-kernel_netlink_shared.obj: kernel_netlink_shared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -MT kernel_netlink_tests-kernel_netlink_shared.obj -MD -MP -MF $(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Tpo -c -o kernel_netlink_tests-kernel_netlink_shared.obj `if test -f 'kernel_netlink_shared.c'; then $(CYGPATH_W) 'kernel_netlink_shared.c'; else $(CYGPATH_W) '$(srcdir)/kernel_netlink_shared.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Tpo $(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kernel_netlink_shared.c' object='kernel_netlink_tests-kernel_netlink_shared.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-kernel_netlink_shared.obj `if test -f 'kernel_netlink_shared.c'; then $(CYGPATH_W) 'kernel_netlink_shared.c'; else $(CYGPATH_W) '$(srcdir)/kernel_netlink_shared.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -c -o kernel_netlink_tests-kernel_netlink_shared.obj `if test -f 'kernel_netlink_shared.c'; then $(CYGPATH_W) 'kernel_netlink_shared.c'; else $(CYGPATH_W) '$(srcdir)/kernel_netlink_shared.c'; fi` mostlyclean-libtool: -rm -f *.lo diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c index 8ddaa71d3..4e79dfced 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -143,7 +143,7 @@ ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING, "XFRM_MSG_MAPPING" ); -ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_REPLAY_ESN_VAL, +ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_OFFLOAD_DEV, "XFRMA_UNSPEC", "XFRMA_ALG_AUTH", "XFRMA_ALG_CRYPT", @@ -168,6 +168,11 @@ ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_REPLAY_ESN_VAL, "XFRMA_MARK", "XFRMA_TFCPAD", "XFRMA_REPLAY_ESN_VAL", + "XFRMA_SA_EXTRA_FLAGS", + "XFRMA_PROTO", + "XFRMA_ADDRESS_FILTER", + "XFRMA_PAD", + "XFRMA_OFFLOAD_DEV", ); /** diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c index 0dd3e30cb..a21d0ae7f 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c @@ -1183,13 +1183,13 @@ static void process_link(private_kernel_netlink_net_t *this, INIT(entry, .ifindex = msg->ifi_index, .addrs = linked_list_create(), - .usable = charon->kernel->is_interface_usable( - charon->kernel, name), ); this->ifaces->insert_last(this->ifaces, entry); } strncpy(entry->ifname, name, IFNAMSIZ); entry->ifname[IFNAMSIZ-1] = '\0'; + entry->usable = charon->kernel->is_interface_usable(charon->kernel, + name); if (event && entry->usable) { if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP)) diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/kernel_pfkey/Makefile.in index 0ef880035..0d3d3775b 100644 --- a/src/libcharon/plugins/kernel_pfkey/Makefile.in +++ b/src/libcharon/plugins/kernel_pfkey/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index fd1adb2ae..710107889 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -1740,7 +1740,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, #ifdef __linux__ sa->sadb_sa_replay = min(data->replay_window, 32); #else - sa->sadb_sa_replay = (data->replay_window + 7) / 8; + sa->sadb_sa_replay = min((data->replay_window + 7) / 8, UINT8_MAX); #endif } sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg); @@ -1749,6 +1749,19 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } PFKEY_EXT_ADD(msg, sa); +#ifdef SADB_X_EXT_SA_REPLAY + if (data->inbound) + { + struct sadb_x_sa_replay *replay; + + replay = (struct sadb_x_sa_replay*)PFKEY_EXT_ADD_NEXT(msg); + replay->sadb_x_replay_exttype = SADB_X_EXT_SA_REPLAY; + replay->sadb_x_replay_len = PFKEY_LEN(sizeof(struct sadb_x_sa_replay)); + replay->sadb_x_replay_replay = min(data->replay_window, UINT32_MAX-32); + PFKEY_EXT_ADD(msg, replay); + } +#endif + sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg); sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2; sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange)); @@ -1960,6 +1973,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t, PFKEY_EXT_COPY(msg, response.lft_soft); PFKEY_EXT_COPY(msg, response.lft_hard); +#ifndef __FreeBSD__ + /* FreeBSD 11.1 does not allow key updates via SADB_UPDATE for mature SAs */ if (response.key_encr) { PFKEY_EXT_COPY(msg, response.key_encr); @@ -1969,6 +1984,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, { PFKEY_EXT_COPY(msg, response.key_auth); } +#endif #ifdef HAVE_NATT if (data->new_encap) diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.in b/src/libcharon/plugins/kernel_pfroute/Makefile.in index 1f232502a..dc4d1c852 100644 --- a/src/libcharon/plugins/kernel_pfroute/Makefile.in +++ b/src/libcharon/plugins/kernel_pfroute/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c index da7ae472d..e1f10e93f 100644 --- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c +++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c @@ -864,6 +864,11 @@ static void process_link(private_kernel_pfroute_net_t *this, .flags = msg->ifm_flags, .addrs = linked_list_create(), ); +#ifdef __APPLE__ + /* Similar to the issue described above, on 10.13 we need this delay as + * we might otherwise not be able to convert the index to a name yet. */ + usleep(50000); +#endif if (if_indextoname(iface->ifindex, iface->ifname)) { DBG1(DBG_KNL, "interface %s appeared", iface->ifname); diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.in b/src/libcharon/plugins/kernel_wfp/Makefile.in index 263ec5d64..98e147717 100644 --- a/src/libcharon/plugins/kernel_wfp/Makefile.in +++ b/src/libcharon/plugins/kernel_wfp/Makefile.in @@ -255,9 +255,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in index 54a7ccf44..7abb83daa 100644 --- a/src/libcharon/plugins/led/Makefile.in +++ b/src/libcharon/plugins/led/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in index b25f3a669..42ad9abf3 100644 --- a/src/libcharon/plugins/load_tester/Makefile.in +++ b/src/libcharon/plugins/load_tester/Makefile.in @@ -257,9 +257,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in index 4db0b7dc2..b8c5d2249 100644 --- a/src/libcharon/plugins/lookip/Makefile.in +++ b/src/libcharon/plugins/lookip/Makefile.in @@ -253,9 +253,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in index 721edbdd5..47175b4b9 100644 --- a/src/libcharon/plugins/medcli/Makefile.in +++ b/src/libcharon/plugins/medcli/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in index 81d895df1..176e2a5cb 100644 --- a/src/libcharon/plugins/medsrv/Makefile.in +++ b/src/libcharon/plugins/medsrv/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in index e9bd93803..ec1916aba 100644 --- a/src/libcharon/plugins/osx_attr/Makefile.in +++ b/src/libcharon/plugins/osx_attr/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/p_cscf/Makefile.in b/src/libcharon/plugins/p_cscf/Makefile.in index 7ccbfb102..9afed4111 100644 --- a/src/libcharon/plugins/p_cscf/Makefile.in +++ b/src/libcharon/plugins/p_cscf/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in index 2e4ea256d..ee16cceb8 100644 --- a/src/libcharon/plugins/radattr/Makefile.in +++ b/src/libcharon/plugins/radattr/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/resolve/Makefile.in b/src/libcharon/plugins/resolve/Makefile.in index 0db2cb187..45e2723cc 100644 --- a/src/libcharon/plugins/resolve/Makefile.in +++ b/src/libcharon/plugins/resolve/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in index 5f3517c25..33484587b 100644 --- a/src/libcharon/plugins/smp/Makefile.in +++ b/src/libcharon/plugins/smp/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in index 54e9ed9b9..05684706e 100644 --- a/src/libcharon/plugins/socket_default/Makefile.in +++ b/src/libcharon/plugins/socket_default/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in index 1971282a1..39558dc24 100644 --- a/src/libcharon/plugins/socket_dynamic/Makefile.in +++ b/src/libcharon/plugins/socket_dynamic/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/socket_win/Makefile.in b/src/libcharon/plugins/socket_win/Makefile.in index 6efd3e189..bb349c0a3 100644 --- a/src/libcharon/plugins/socket_win/Makefile.in +++ b/src/libcharon/plugins/socket_win/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in index e0b813d6b..96733406e 100644 --- a/src/libcharon/plugins/sql/Makefile.in +++ b/src/libcharon/plugins/sql/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/stroke/Makefile.am b/src/libcharon/plugins/stroke/Makefile.am index 26edc3dcd..9456dd908 100644 --- a/src/libcharon/plugins/stroke/Makefile.am +++ b/src/libcharon/plugins/stroke/Makefile.am @@ -1,5 +1,6 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libcharon/plugins/counters \ -I$(top_srcdir)/src/libcharon \ -I$(top_srcdir)/src/stroke \ -DIPSEC_CONFDIR=\"${sysconfdir}\" \ diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in index 70374b32f..3cf95f9a9 100644 --- a/src/libcharon/plugins/stroke/Makefile.in +++ b/src/libcharon/plugins/stroke/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -454,6 +456,7 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libcharon/plugins/counters \ -I$(top_srcdir)/src/libcharon \ -I$(top_srcdir)/src/stroke \ -DIPSEC_CONFDIR=\"${sysconfdir}\" \ diff --git a/src/libcharon/plugins/stroke/stroke_counter.c b/src/libcharon/plugins/stroke/stroke_counter.c index e93fd4ef2..8eb9968e4 100644 --- a/src/libcharon/plugins/stroke/stroke_counter.c +++ b/src/libcharon/plugins/stroke/stroke_counter.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2012 Martin Willi * Copyright (C) 2012 revosec AG * @@ -13,10 +16,11 @@ * for more details. */ +#include <inttypes.h> + #include "stroke_counter.h" -#include <threading/spinlock.h> -#include <collections/hashtable.h> +#include <counters_query.h> ENUM(stroke_counter_type_names, COUNTER_INIT_IKE_SA_REKEY, COUNTER_OUT_INFORMATIONAL_RSP, @@ -56,277 +60,51 @@ struct private_stroke_counter_t { stroke_counter_t public; /** - * Global counter values - */ - uint64_t counter[COUNTER_MAX]; - - /** - * Counters for specific connection names, char* => entry_t - */ - hashtable_t *conns; - - /** - * Lock for counter values + * Reference to query interface */ - spinlock_t *lock; + counters_query_t *query; }; /** - * Counters for a specific connection name - */ -typedef struct { - /** connection name */ - char *name; - /** counter values for connection */ - uint64_t counter[COUNTER_MAX]; -} entry_t; - -/** - * Destroy named entry - */ -static void destroy_entry(entry_t *this) -{ - free(this->name); - free(this); -} - -/** - * Hashtable hash function - */ -static u_int hash(char *name) -{ - return chunk_hash(chunk_from_str(name)); -} - -/** - * Hashtable equals function - */ -static bool equals(char *a, char *b) -{ - return streq(a, b); -} - -/** - * Get the name of an IKE_SA, but return NULL if it is not known yet - */ -static char *get_ike_sa_name(ike_sa_t *ike_sa) -{ - peer_cfg_t *peer_cfg; - - if (ike_sa) - { - peer_cfg = ike_sa->get_peer_cfg(ike_sa); - if (peer_cfg) - { - return peer_cfg->get_name(peer_cfg); - } - } - return NULL; -} - -/** - * Increase a counter for a named entry + * Make sure we have the query interface */ -static void count_named(private_stroke_counter_t *this, - ike_sa_t *ike_sa, stroke_counter_type_t type) +static inline bool ensure_query(private_stroke_counter_t *this) { - entry_t *entry; - char *name; - - name = get_ike_sa_name(ike_sa); - if (name) + if (this->query) { - entry = this->conns->get(this->conns, name); - if (!entry) - { - INIT(entry, - .name = strdup(name), - ); - this->conns->put(this->conns, entry->name, entry); - } - entry->counter[type]++; - } -} - -METHOD(listener_t, alert, bool, - private_stroke_counter_t *this, ike_sa_t *ike_sa, - alert_t alert, va_list args) -{ - stroke_counter_type_t type; - - switch (alert) - { - case ALERT_INVALID_IKE_SPI: - type = COUNTER_IN_INVALID_IKE_SPI; - break; - case ALERT_PARSE_ERROR_HEADER: - case ALERT_PARSE_ERROR_BODY: - type = COUNTER_IN_INVALID; - break; - default: - return TRUE; - } - - this->lock->lock(this->lock); - this->counter[type]++; - count_named(this, ike_sa, type); - this->lock->unlock(this->lock); - - return TRUE; -} - -METHOD(listener_t, ike_rekey, bool, - private_stroke_counter_t *this, ike_sa_t *old, ike_sa_t *new) -{ - stroke_counter_type_t type; - ike_sa_id_t *id; - - id = new->get_id(new); - if (id->is_initiator(id)) - { - type = COUNTER_INIT_IKE_SA_REKEY; - } - else - { - type = COUNTER_RESP_IKE_SA_REKEY; - } - - this->lock->lock(this->lock); - this->counter[type]++; - count_named(this, old, type); - this->lock->unlock(this->lock); - - return TRUE; -} - -METHOD(listener_t, child_rekey, bool, - private_stroke_counter_t *this, ike_sa_t *ike_sa, - child_sa_t *old, child_sa_t *new) -{ - this->lock->lock(this->lock); - this->counter[COUNTER_CHILD_SA_REKEY]++; - count_named(this, ike_sa, COUNTER_CHILD_SA_REKEY); - this->lock->unlock(this->lock); - - return TRUE; -} - -METHOD(listener_t, message_hook, bool, - private_stroke_counter_t *this, ike_sa_t *ike_sa, message_t *message, - bool incoming, bool plain) -{ - stroke_counter_type_t type; - bool request; - - if ((incoming && !plain) || (!incoming && !plain)) - { /* handle each message only once */ return TRUE; } - - request = message->get_request(message); - switch (message->get_exchange_type(message)) - { - case IKE_SA_INIT: - if (incoming) - { - type = request ? COUNTER_IN_IKE_SA_INIT_REQ - : COUNTER_IN_IKE_SA_INIT_RSP; - } - else - { - type = request ? COUNTER_OUT_IKE_SA_INIT_REQ - : COUNTER_OUT_IKE_SA_INIT_RES; - } - break; - case IKE_AUTH: - if (incoming) - { - type = request ? COUNTER_IN_IKE_AUTH_REQ - : COUNTER_IN_IKE_AUTH_RSP; - } - else - { - type = request ? COUNTER_OUT_IKE_AUTH_REQ - : COUNTER_OUT_IKE_AUTH_RSP; - } - break; - case CREATE_CHILD_SA: - if (incoming) - { - type = request ? COUNTER_IN_CREATE_CHILD_SA_REQ - : COUNTER_IN_CREATE_CHILD_SA_RSP; - } - else - { - type = request ? COUNTER_OUT_CREATE_CHILD_SA_REQ - : COUNTER_OUT_CREATE_CHILD_SA_RSP; - } - break; - case INFORMATIONAL: - if (incoming) - { - type = request ? COUNTER_IN_INFORMATIONAL_REQ - : COUNTER_IN_INFORMATIONAL_RSP; - } - else - { - type = request ? COUNTER_OUT_INFORMATIONAL_REQ - : COUNTER_OUT_INFORMATIONAL_RSP; - } - break; - default: - return TRUE; - } - - this->lock->lock(this->lock); - this->counter[type]++; - count_named(this, ike_sa, type); - this->lock->unlock(this->lock); - - return TRUE; + return (this->query = lib->get(lib, "counters")) != NULL; } /** - * Print a single counter value to out - */ -static void print_counter(FILE *out, stroke_counter_type_t type, - uint64_t counter) -{ - fprintf(out, "%-18N %12llu\n", stroke_counter_type_names, type, counter); -} - -/** - * Print IKE counters for a specific connection + * Print global or connection-specific IKE counters */ static void print_one(private_stroke_counter_t *this, FILE *out, char *name) { - uint64_t counter[COUNTER_MAX]; - entry_t *entry; - int i; + uint64_t *counters; + counter_type_t i; - this->lock->lock(this->lock); - entry = this->conns->get(this->conns, name); - if (entry) + counters = this->query->get_all(this->query, name); + if (!counters) { - for (i = 0; i < countof(this->counter); i++) - { - counter[i] = entry->counter[i]; - } + fprintf(out, "No IKE counters found for '%s'\n", name); + return; } - this->lock->unlock(this->lock); - - if (entry) + if (name) { fprintf(out, "\nList of IKE counters for '%s':\n\n", name); - for (i = 0; i < countof(this->counter); i++) - { - print_counter(out, i, counter[i]); - } } else { - fprintf(out, "No IKE counters found for '%s'\n", name); + fprintf(out, "\nList of IKE counters:\n\n"); + } + for (i = 0; i < COUNTER_MAX; i++) + { + fprintf(out, "%-18N %12"PRIu64"\n", stroke_counter_type_names, i, + counters[i]); } + free(counters); } /** @@ -335,104 +113,44 @@ static void print_one(private_stroke_counter_t *this, FILE *out, char *name) static void print_all(private_stroke_counter_t *this, FILE *out) { enumerator_t *enumerator; - entry_t *entry; - linked_list_t *list; char *name; - list = linked_list_create(); - - this->lock->lock(this->lock); - enumerator = this->conns->create_enumerator(this->conns); - while (enumerator->enumerate(enumerator, &name, &entry)) - { - list->insert_last(list, strdup(name)); - } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); - - enumerator = list->create_enumerator(list); + enumerator = this->query->get_names(this->query); while (enumerator->enumerate(enumerator, &name)) { print_one(this, out, name); } enumerator->destroy(enumerator); - - list->destroy_function(list, free); -} - -/** - * Print global counters - */ -static void print_global(private_stroke_counter_t *this, FILE *out) -{ - uint64_t counter[COUNTER_MAX]; - int i; - - this->lock->lock(this->lock); - for (i = 0; i < countof(this->counter); i++) - { - counter[i] = this->counter[i]; - } - this->lock->unlock(this->lock); - - fprintf(out, "\nList of IKE counters:\n\n"); - - for (i = 0; i < countof(this->counter); i++) - { - print_counter(out, i, counter[i]); - } } METHOD(stroke_counter_t, print, void, private_stroke_counter_t *this, FILE *out, char *name) { - if (name) + if (!ensure_query(this)) + { + fprintf(out, "\nNo counters available (plugin missing?)\n\n"); + return; + } + if (name && streq(name, "all")) { - if (streq(name, "all")) - { - return print_all(this, out); - } - return print_one(this, out, name); + return print_all(this, out); } - return print_global(this, out); + return print_one(this, out, name); } METHOD(stroke_counter_t, reset, void, private_stroke_counter_t *this, char *name) { - this->lock->lock(this->lock); - if (name) - { - entry_t *entry; - - entry = this->conns->remove(this->conns, name); - if (entry) - { - destroy_entry(entry); - } - } - else + if (!ensure_query(this)) { - memset(&this->counter, 0, sizeof(this->counter)); + return; } - this->lock->unlock(this->lock); + this->query->reset(this->query, name); } METHOD(stroke_counter_t, destroy, void, private_stroke_counter_t *this) { - enumerator_t *enumerator; - char *name; - entry_t *entry; - - enumerator = this->conns->create_enumerator(this->conns); - while (enumerator->enumerate(enumerator, &name, &entry)) - { - destroy_entry(entry); - } - enumerator->destroy(enumerator); - this->conns->destroy(this->conns); - this->lock->destroy(this->lock); free(this); } @@ -445,19 +163,10 @@ stroke_counter_t *stroke_counter_create() INIT(this, .public = { - .listener = { - .alert = _alert, - .ike_rekey = _ike_rekey, - .child_rekey = _child_rekey, - .message = _message_hook, - }, .print = _print, .reset = _reset, .destroy = _destroy, }, - .conns = hashtable_create((hashtable_hash_t)hash, - (hashtable_equals_t)equals, 4), - .lock = spinlock_create(), ); return &this->public; diff --git a/src/libcharon/plugins/stroke/stroke_counter.h b/src/libcharon/plugins/stroke/stroke_counter.h index fecf39f56..2ff431c88 100644 --- a/src/libcharon/plugins/stroke/stroke_counter.h +++ b/src/libcharon/plugins/stroke/stroke_counter.h @@ -1,4 +1,7 @@ /* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2012 Martin Willi * Copyright (C) 2012 revosec AG * @@ -21,69 +24,16 @@ #ifndef STROKE_COUNTER_H_ #define STROKE_COUNTER_H_ -#include <bus/listeners/listener.h> +#include <library.h> typedef struct stroke_counter_t stroke_counter_t; -typedef enum stroke_counter_type_t stroke_counter_type_t; - -enum stroke_counter_type_t { - /** initiated IKE_SA rekeyings */ - COUNTER_INIT_IKE_SA_REKEY, - /** responded IKE_SA rekeyings */ - COUNTER_RESP_IKE_SA_REKEY, - /** completed CHILD_SA rekeyings */ - COUNTER_CHILD_SA_REKEY, - /** messages with invalid types, length, or a value out of range */ - COUNTER_IN_INVALID, - /** messages with an invalid IKE SPI */ - COUNTER_IN_INVALID_IKE_SPI, - /** received IKE_SA_INIT requests */ - COUNTER_IN_IKE_SA_INIT_REQ, - /** received IKE_SA_INIT responses */ - COUNTER_IN_IKE_SA_INIT_RSP, - /** sent IKE_SA_INIT requests */ - COUNTER_OUT_IKE_SA_INIT_REQ, - /** sent IKE_SA_INIT responses */ - COUNTER_OUT_IKE_SA_INIT_RES, - /** received IKE_AUTH requests */ - COUNTER_IN_IKE_AUTH_REQ, - /** received IKE_AUTH responses */ - COUNTER_IN_IKE_AUTH_RSP, - /** sent IKE_AUTH requests */ - COUNTER_OUT_IKE_AUTH_REQ, - /** sent IKE_AUTH responses */ - COUNTER_OUT_IKE_AUTH_RSP, - /** received CREATE_CHILD_SA requests */ - COUNTER_IN_CREATE_CHILD_SA_REQ, - /** received CREATE_CHILD_SA responses */ - COUNTER_IN_CREATE_CHILD_SA_RSP, - /** sent CREATE_CHILD_SA requests */ - COUNTER_OUT_CREATE_CHILD_SA_REQ, - /** sent CREATE_CHILD_SA responses */ - COUNTER_OUT_CREATE_CHILD_SA_RSP, - /** received INFORMATIONAL requests */ - COUNTER_IN_INFORMATIONAL_REQ, - /** received INFORMATIONAL responses */ - COUNTER_IN_INFORMATIONAL_RSP, - /** sent INFORMATIONAL requests */ - COUNTER_OUT_INFORMATIONAL_REQ, - /** sent INFORMATIONAL responses */ - COUNTER_OUT_INFORMATIONAL_RSP, - /** number of counter types */ - COUNTER_MAX -}; /** - * Collection of counter values for different IKE events. + * Interface for counter values for different IKE events. */ struct stroke_counter_t { /** - * Implements listener_t. - */ - listener_t listener; - - /** * Print counter values to an output stream. * * @param out output stream to write to diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c index 62095e368..0a34fb458 100644 --- a/src/libcharon/plugins/stroke/stroke_plugin.c +++ b/src/libcharon/plugins/stroke/stroke_plugin.c @@ -66,6 +66,7 @@ METHOD(plugin_t, get_features, int, static plugin_feature_t f[] = { PLUGIN_CALLBACK((plugin_feature_callback_t)register_stroke, NULL), PLUGIN_PROVIDE(CUSTOM, "stroke"), + PLUGIN_SDEPEND(CUSTOM, "counters"), PLUGIN_SDEPEND(PRIVKEY, KEY_RSA), PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA), PLUGIN_SDEPEND(PRIVKEY, KEY_DSA), diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c index 65d345db3..c568440b7 100644 --- a/src/libcharon/plugins/stroke/stroke_socket.c +++ b/src/libcharon/plugins/stroke/stroke_socket.c @@ -744,7 +744,6 @@ METHOD(stroke_socket_t, destroy, void, &this->attribute->provider); charon->attributes->remove_handler(charon->attributes, &this->handler->handler); - charon->bus->remove_listener(charon->bus, &this->counter->listener); this->cred->destroy(this->cred); this->ca->destroy(this->ca); this->config->destroy(this->config); @@ -789,7 +788,7 @@ stroke_socket_t *stroke_socket_create() &this->attribute->provider); charon->attributes->add_handler(charon->attributes, &this->handler->handler); - charon->bus->add_listener(charon->bus, &this->counter->listener); + max_concurrent = lib->settings->get_int(lib->settings, "%s.plugins.stroke.max_concurrent", MAX_CONCURRENT_DEFAULT, diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in index 278eaa17b..0667d359c 100644 --- a/src/libcharon/plugins/systime_fix/Makefile.in +++ b/src/libcharon/plugins/systime_fix/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/systime_fix/systime_fix_plugin.c b/src/libcharon/plugins/systime_fix/systime_fix_plugin.c index c1594b0b2..3209c91dc 100644 --- a/src/libcharon/plugins/systime_fix/systime_fix_plugin.c +++ b/src/libcharon/plugins/systime_fix/systime_fix_plugin.c @@ -1,6 +1,6 @@ /* - * Copyright (C) 2013 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2013-2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2013 Martin Willi * Copyright (C) 2013 revosec AG @@ -55,6 +55,11 @@ struct private_systime_fix_plugin_t { u_int interval; /** + * How long to wait for a valid system time, 0 to wait indefinitely + */ + time_t timeout; + + /** * Timestamp where we start considering system time valid */ time_t threshold; @@ -118,6 +123,23 @@ static bool has_invalid_certs(ike_sa_t *ike_sa) } /** + * Check if we reached the timeout + */ +static inline bool timeout_reached(private_systime_fix_plugin_t *this) +{ + if (this->timeout == 0) + { /* disabled */ + return FALSE; + } + if (this->timeout <= this->interval) + { + return TRUE; + } + this->timeout -= this->interval; + return FALSE; +} + +/** * Check system time, reevaluate certificates */ static job_requeue_t check_systime(private_systime_fix_plugin_t *this) @@ -129,15 +151,23 @@ static job_requeue_t check_systime(private_systime_fix_plugin_t *this) if (time(NULL) < this->threshold) { - DBG2(DBG_CFG, "systime not valid, rechecking in %ds", this->interval); - lib->scheduler->schedule_job(lib->scheduler, (job_t*) - callback_job_create((callback_job_cb_t)check_systime, this, - NULL, NULL), this->interval); - return JOB_REQUEUE_NONE; + if (!timeout_reached(this)) + { + DBG2(DBG_CFG, "system time not valid, rechecking in %us", + this->interval); + return JOB_RESCHEDULE(this->interval); + } + DBG1(DBG_CFG, "timeout reached while waiting for valid system time, " + "force rechecking certificates"); + /* force regular lifetime checks for new connections */ + lib->credmgr->remove_validator(lib->credmgr, + &this->validator->validator); + } + else + { + DBG1(DBG_CFG, "system time got valid, rechecking certificates"); } - DBG1(DBG_CFG, "system time got valid, rechecking certificates"); - enumerator = charon->ike_sa_manager->create_enumerator( charon->ike_sa_manager, TRUE); while (enumerator->enumerate(enumerator, &ike_sa)) @@ -225,7 +255,7 @@ static bool plugin_cb(private_systime_fix_plugin_t *this, lib->credmgr->add_validator(lib->credmgr, &this->validator->validator); if (this->interval != 0) { - DBG1(DBG_CFG, "starting systime check, interval: %ds", + DBG1(DBG_CFG, "starting system time check, interval: %us", this->interval); lib->scheduler->schedule_job(lib->scheduler, (job_t*) callback_job_create((callback_job_cb_t)check_systime, @@ -275,6 +305,8 @@ plugin_t *systime_fix_plugin_create() }, .interval = lib->settings->get_int(lib->settings, "%s.plugins.%s.interval", 0, lib->ns, get_name(this)), + .timeout = lib->settings->get_time(lib->settings, + "%s.plugins.%s.timeout", 0, lib->ns, get_name(this)), .reauth = lib->settings->get_bool(lib->settings, "%s.plugins.%s.reauth", FALSE, lib->ns, get_name(this)), ); diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in index 3b146e1ee..dcf2c5858 100644 --- a/src/libcharon/plugins/tnc_ifmap/Makefile.in +++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in @@ -250,9 +250,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in index 3452080a8..02587d1f0 100644 --- a/src/libcharon/plugins/tnc_pdp/Makefile.in +++ b/src/libcharon/plugins/tnc_pdp/Makefile.in @@ -251,9 +251,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in index 2c127985c..a01a5f74e 100644 --- a/src/libcharon/plugins/uci/Makefile.in +++ b/src/libcharon/plugins/uci/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in index b82c37966..fd29de336 100644 --- a/src/libcharon/plugins/unity/Makefile.in +++ b/src/libcharon/plugins/unity/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in index 4c648fbad..0f2a055d2 100644 --- a/src/libcharon/plugins/updown/Makefile.in +++ b/src/libcharon/plugins/updown/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/vici/Makefile.am b/src/libcharon/plugins/vici/Makefile.am index af0b65cd0..e8bcdbaa3 100644 --- a/src/libcharon/plugins/vici/Makefile.am +++ b/src/libcharon/plugins/vici/Makefile.am @@ -2,6 +2,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libstrongswan/plugins/pubkey \ -I$(top_srcdir)/src/libcharon \ + -I$(top_srcdir)/src/libcharon/plugins/counters \ -DSWANCTLDIR=\""${swanctldir}\"" \ -DIPSEC_PIDDIR=\"${piddir}\" diff --git a/src/libcharon/plugins/vici/Makefile.in b/src/libcharon/plugins/vici/Makefile.in index cd3dafb08..d28223dca 100644 --- a/src/libcharon/plugins/vici/Makefile.in +++ b/src/libcharon/plugins/vici/Makefile.in @@ -343,9 +343,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -550,6 +552,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libstrongswan/plugins/pubkey \ -I$(top_srcdir)/src/libcharon \ + -I$(top_srcdir)/src/libcharon/plugins/counters \ -DSWANCTLDIR=\""${swanctldir}\"" \ -DIPSEC_PIDDIR=\"${piddir}\" diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md index f47f80cad..83521250d 100644 --- a/src/libcharon/plugins/vici/README.md +++ b/src/libcharon/plugins/vici/README.md @@ -682,6 +682,35 @@ List currently loaded algorithms and their implementation. } } +### get-counters() ### + +List global or connection-specific counters for several IKE events. + + { + name = <optional connection name, omit for global counters> + all = <yes to get counters for all connections, name is ignored> + } => { + counters = { + <name|empty for global counters> = { + <pairs of counter name and 64-bit counter value> + } + } + success = <yes or no> + errmsg = <error string on failure> + } + +### reset-counters() ### + +Reset global or connection-specific IKE event counters. + + { + name = <optional connection name, omit for global counters> + all = <yes to reset counters for all connections, name is ignored> + } => { + success = <yes or no> + errmsg = <error string on failure> + } + ## Server-issued events ## Based on the packet layer, the vici plugin raises event messages using named diff --git a/src/libcharon/plugins/vici/perl/Makefile.in b/src/libcharon/plugins/vici/perl/Makefile.in index f48eb6abb..59b0774b8 100644 --- a/src/libcharon/plugins/vici/perl/Makefile.in +++ b/src/libcharon/plugins/vici/perl/Makefile.in @@ -161,9 +161,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/vici/python/Makefile.in b/src/libcharon/plugins/vici/python/Makefile.in index 7d5944ab1..057ea88f4 100644 --- a/src/libcharon/plugins/vici/python/Makefile.in +++ b/src/libcharon/plugins/vici/python/Makefile.in @@ -183,9 +183,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in index b1222765b..ff4e07d2d 100644 --- a/src/libcharon/plugins/vici/ruby/Makefile.in +++ b/src/libcharon/plugins/vici/ruby/Makefile.in @@ -161,9 +161,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -474,8 +476,8 @@ distclean-generic: maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -@RUBY_GEMS_INSTALL_FALSE@install-data-local: @RUBY_GEMS_INSTALL_FALSE@uninstall-local: +@RUBY_GEMS_INSTALL_FALSE@install-data-local: clean: clean-am clean-am: clean-generic clean-libtool clean-local mostlyclean-am diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index 0c355e3a0..e0e2955e2 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -495,6 +495,7 @@ static void log_child_data(child_data_t *data, char *name) { child_cfg_create_t *cfg = &data->cfg; +#define has_opt(opt) ({ (cfg->options & (opt)) == (opt); }) DBG2(DBG_CFG, " child %s:", name); DBG2(DBG_CFG, " rekey_time = %llu", cfg->lifetime.time.rekey); DBG2(DBG_CFG, " life_time = %llu", cfg->lifetime.time.life); @@ -506,12 +507,12 @@ static void log_child_data(child_data_t *data, char *name) DBG2(DBG_CFG, " life_packets = %llu", cfg->lifetime.packets.life); DBG2(DBG_CFG, " rand_packets = %llu", cfg->lifetime.packets.jitter); DBG2(DBG_CFG, " updown = %s", cfg->updown); - DBG2(DBG_CFG, " hostaccess = %u", cfg->options & OPT_HOSTACCESS); - DBG2(DBG_CFG, " ipcomp = %u", cfg->options & OPT_IPCOMP); + DBG2(DBG_CFG, " hostaccess = %u", has_opt(OPT_HOSTACCESS)); + DBG2(DBG_CFG, " ipcomp = %u", has_opt(OPT_IPCOMP)); DBG2(DBG_CFG, " mode = %N%s", ipsec_mode_names, cfg->mode, - cfg->options & OPT_PROXY_MODE ? "_PROXY" : ""); + has_opt(OPT_PROXY_MODE) ? "_PROXY" : ""); DBG2(DBG_CFG, " policies = %u", data->policies); - DBG2(DBG_CFG, " policies_fwd_out = %u", cfg->options & OPT_FWD_OUT_POLICIES); + DBG2(DBG_CFG, " policies_fwd_out = %u", has_opt(OPT_FWD_OUT_POLICIES)); if (data->replay_window != REPLAY_UNDEFINED) { DBG2(DBG_CFG, " replay_window = %u", data->replay_window); @@ -525,14 +526,15 @@ static void log_child_data(child_data_t *data, char *name) DBG2(DBG_CFG, " interface = %s", cfg->interface); DBG2(DBG_CFG, " mark_in = %u/%u", cfg->mark_in.value, cfg->mark_in.mask); + DBG2(DBG_CFG, " mark_in_sa = %u", has_opt(OPT_MARK_IN_SA)); DBG2(DBG_CFG, " mark_out = %u/%u", cfg->mark_out.value, cfg->mark_out.mask); DBG2(DBG_CFG, " inactivity = %llu", cfg->inactivity); DBG2(DBG_CFG, " proposals = %#P", data->proposals); DBG2(DBG_CFG, " local_ts = %#R", data->local_ts); DBG2(DBG_CFG, " remote_ts = %#R", data->remote_ts); - DBG2(DBG_CFG, " hw_offload = %u", cfg->options & OPT_HW_OFFLOAD); - DBG2(DBG_CFG, " sha256_96 = %u", cfg->options & OPT_SHA256_96); + DBG2(DBG_CFG, " hw_offload = %u", has_opt(OPT_HW_OFFLOAD)); + DBG2(DBG_CFG, " sha256_96 = %u", has_opt(OPT_SHA256_96)); } /** @@ -882,7 +884,7 @@ CALLBACK(parse_opt_fwd_out, bool, } /** - * Parse OPT_FWD_OUT_POLICIES option + * Parse OPT_IPCOMP option */ CALLBACK(parse_opt_ipcomp, bool, child_cfg_option_t *out, chunk_t v) @@ -909,6 +911,15 @@ CALLBACK(parse_opt_sha256_96, bool, } /** + * Parse OPT_MARK_IN_SA option + */ +CALLBACK(parse_opt_mark_in, bool, + child_cfg_option_t *out, chunk_t v) +{ + return parse_option(out, OPT_MARK_IN_SA, v); +} + +/** * Parse an action_t */ CALLBACK(parse_action, bool, @@ -1562,6 +1573,7 @@ CALLBACK(child_kv, bool, { "inactivity", parse_time, &child->cfg.inactivity }, { "reqid", parse_uint32, &child->cfg.reqid }, { "mark_in", parse_mark, &child->cfg.mark_in }, + { "mark_in_sa", parse_opt_mark_in, &child->cfg.options }, { "mark_out", parse_mark, &child->cfg.mark_out }, { "tfc_padding", parse_tfc, &child->cfg.tfc }, { "priority", parse_uint32, &child->cfg.priority }, diff --git a/src/libcharon/plugins/vici/vici_plugin.c b/src/libcharon/plugins/vici/vici_plugin.c index 136651261..53da75e2a 100644 --- a/src/libcharon/plugins/vici/vici_plugin.c +++ b/src/libcharon/plugins/vici/vici_plugin.c @@ -176,6 +176,7 @@ METHOD(plugin_t, get_features, int, static plugin_feature_t f[] = { PLUGIN_CALLBACK((plugin_feature_callback_t)register_vici, NULL), PLUGIN_PROVIDE(CUSTOM, "vici"), + PLUGIN_SDEPEND(CUSTOM, "counters"), }; *features = f; return countof(f); diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c index 2cc59591f..134ea375d 100644 --- a/src/libcharon/plugins/vici/vici_query.c +++ b/src/libcharon/plugins/vici/vici_query.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2015 Tobias Brunner, Andreas Steffen + * Copyright (C) 2015-2017 Tobias Brunner + * Copyright (C) 2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2014 Martin Willi @@ -55,6 +56,32 @@ #include <asn1/asn1.h> #include <credentials/certificates/certificate.h> #include <credentials/certificates/x509.h> +#include <counters_query.h> + +ENUM(vici_counter_type_names, + COUNTER_INIT_IKE_SA_REKEY, COUNTER_OUT_INFORMATIONAL_RSP, + "ike-rekey-init", + "ike-rekey-resp", + "child-rekey", + "invalid", + "invalid-spi", + "ike-init-in-req", + "ike-init-in-resp", + "ike-init-out-req", + "ike-init-out-resp", + "ike-auth-in-req", + "ike-auth-in-resp", + "ike-auth-out-req", + "ike-auth-out-resp", + "create-child-in-req", + "create-child-in-resp", + "create-child-out-req", + "create-child-out-resp", + "info-in-req", + "info-in-resp", + "info-out-req", + "info-out-resp", +); typedef struct private_vici_query_t private_vici_query_t; @@ -74,6 +101,11 @@ struct private_vici_query_t { vici_dispatcher_t *dispatcher; /** + * Query interface for counters + */ + counters_query_t *counters; + + /** * Daemon startup timestamp */ time_t uptime; @@ -1223,6 +1255,131 @@ CALLBACK(get_algorithms, vici_message_t*, return b->finalize(b); } +/** + * Make sure we have the counters query interface + */ +static inline bool ensure_counters(private_vici_query_t *this) +{ + if (this->counters) + { + return TRUE; + } + return (this->counters = lib->get(lib, "counters")) != NULL; +} + +/** + * Add a single set of counters to the message + * + * Frees the array of counter values + */ +static void add_counters(vici_builder_t *b, char *name, uint64_t *counters) +{ + char buf[BUF_LEN]; + counter_type_t i; + + b->begin_section(b, name ?: ""); + for (i = 0; i < COUNTER_MAX; i++) + { + snprintf(buf, sizeof(buf), "%N", vici_counter_type_names, i); + b->add_kv(b, buf, "%"PRIu64, counters[i]); + } + b->end_section(b); + free(counters); +} + +CALLBACK(get_counters, vici_message_t*, + private_vici_query_t *this, char *name, u_int id, vici_message_t *request) +{ + vici_builder_t *b; + enumerator_t *enumerator; + uint64_t *counters; + char *conn, *errmsg = NULL; + bool all; + + b = vici_builder_create(); + + if (ensure_counters(this)) + { + conn = request->get_str(request, NULL, "name"); + all = request->get_bool(request, FALSE, "all"); + + b->begin_section(b, "counters"); + if (all) + { + enumerator = this->counters->get_names(this->counters); + while (enumerator->enumerate(enumerator, &conn)) + { + counters = this->counters->get_all(this->counters, conn); + if (counters) + { + add_counters(b, conn, counters); + } + } + enumerator->destroy(enumerator); + } + else + { + counters = this->counters->get_all(this->counters, conn); + if (counters) + { + add_counters(b, conn, counters); + } + else + { + errmsg = "no counters found for this connection"; + } + } + b->end_section(b); + } + else + { + errmsg = "no counters available (plugin missing?)"; + } + + b->add_kv(b, "success", errmsg ? "no" : "yes"); + if (errmsg) + { + b->add_kv(b, "errmsg", "%s", errmsg); + } + return b->finalize(b); +} + +CALLBACK(reset_counters, vici_message_t*, + private_vici_query_t *this, char *name, u_int id, vici_message_t *request) +{ + vici_builder_t *b; + char *conn, *errmsg = NULL; + bool all; + + b = vici_builder_create(); + + if (ensure_counters(this)) + { + conn = request->get_str(request, NULL, "name"); + all = request->get_bool(request, FALSE, "all"); + + if (all) + { + this->counters->reset_all(this->counters); + } + else + { + this->counters->reset(this->counters, conn); + } + } + else + { + errmsg = "no counters available (plugin missing?)"; + } + + b->add_kv(b, "success", errmsg ? "no" : "yes"); + if (errmsg) + { + b->add_kv(b, "errmsg", "%s", errmsg); + } + return b->finalize(b); +} + CALLBACK(version, vici_message_t*, private_vici_query_t *this, char *name, u_int id, vici_message_t *request) { @@ -1423,6 +1580,8 @@ static void manage_commands(private_vici_query_t *this, bool reg) manage_command(this, "list-conns", list_conns, reg); manage_command(this, "list-certs", list_certs, reg); manage_command(this, "get-algorithms", get_algorithms, reg); + manage_command(this, "get-counters", get_counters, reg); + manage_command(this, "reset-counters", reset_counters, reg); manage_command(this, "version", version, reg); manage_command(this, "stats", stats, reg); } diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in index 50c790af5..ad9a092cc 100644 --- a/src/libcharon/plugins/whitelist/Makefile.in +++ b/src/libcharon/plugins/whitelist/Makefile.in @@ -254,9 +254,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in index 7d3dc897b..d702a01a6 100644 --- a/src/libcharon/plugins/xauth_eap/Makefile.in +++ b/src/libcharon/plugins/xauth_eap/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in index 8b937bb8d..eeeb4190a 100644 --- a/src/libcharon/plugins/xauth_generic/Makefile.in +++ b/src/libcharon/plugins/xauth_generic/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in index ff2e6e9ab..87a6c872a 100644 --- a/src/libcharon/plugins/xauth_noauth/Makefile.in +++ b/src/libcharon/plugins/xauth_noauth/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in index 0f320dfeb..a224ffba4 100644 --- a/src/libcharon/plugins/xauth_pam/Makefile.in +++ b/src/libcharon/plugins/xauth_pam/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 4133d9182..91da4d3e6 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -254,7 +254,7 @@ struct private_child_sa_t { }; /** - * convert an IKEv2 specific protocol identifier to the IP protocol identifier. + * Convert an IKEv2 specific protocol identifier to the IP protocol identifier */ static inline uint8_t proto_ike2ip(protocol_id_t protocol) { @@ -269,6 +269,18 @@ static inline uint8_t proto_ike2ip(protocol_id_t protocol) } } +/** + * Returns the mark to use on the inbound SA + */ +static inline mark_t mark_in_sa(private_child_sa_t *this) +{ + if (this->config->has_option(this->config, OPT_MARK_IN_SA)) + { + return this->mark_in; + } + return (mark_t){}; +} + METHOD(child_sa_t, get_name, char*, private_child_sa_t *this) { @@ -525,6 +537,7 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound) .dst = this->my_addr, .spi = this->my_spi, .proto = proto_ike2ip(this->protocol), + .mark = mark_in_sa(this), }; kernel_ipsec_query_sa_t query = {}; @@ -857,7 +870,7 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr, .dst = dst, .spi = spi, .proto = proto_ike2ip(this->protocol), - .mark = inbound ? (mark_t){} : this->mark_out, + .mark = inbound ? mark_in_sa(this) : this->mark_out, }; sa = (kernel_ipsec_add_sa_t){ .reqid = this->reqid, @@ -1475,6 +1488,7 @@ METHOD(child_sa_t, update, status_t, .dst = this->my_addr, .spi = this->my_spi, .proto = proto_ike2ip(this->protocol), + .mark = mark_in_sa(this), }; kernel_ipsec_update_sa_t sa = { .cpi = this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0, @@ -1660,6 +1674,7 @@ METHOD(child_sa_t, destroy, void, .dst = this->my_addr, .spi = this->my_spi, .proto = proto_ike2ip(this->protocol), + .mark = mark_in_sa(this), }; kernel_ipsec_del_sa_t sa = { .cpi = this->my_cpi, diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 045858792..823cf2579 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2016 Tobias Brunner + * Copyright (C) 2006-2017 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -914,9 +914,15 @@ METHOD(ike_sa_t, set_state, void, } METHOD(ike_sa_t, reset, void, - private_ike_sa_t *this) + private_ike_sa_t *this, bool new_spi) { - /* the responder ID is reset, as peer may choose another one */ + /* reset the initiator SPI if requested */ + if (new_spi) + { + charon->ike_sa_manager->new_initiator_spi(charon->ike_sa_manager, + &this->public); + } + /* the responder ID is reset, as peer may choose another one */ if (this->ike_sa_id->is_initiator(this->ike_sa_id)) { this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0); @@ -1849,7 +1855,7 @@ METHOD(ike_sa_t, reauth, status_t, { DBG0(DBG_IKE, "reinitiating IKE_SA %s[%d]", get_name(this), this->unique_id); - reset(this); + reset(this, TRUE); return this->task_manager->initiate(this->task_manager); } /* we can't reauthenticate as responder when we use EAP or virtual IPs. @@ -2222,7 +2228,7 @@ static bool redirect_connecting(private_ike_sa_t *this, identification_t *to) { return FALSE; } - reset(this); + reset(this, TRUE); DESTROY_IF(this->redirected_from); this->redirected_from = this->other_host->clone(this->other_host); DESTROY_IF(this->remote_host); @@ -2351,7 +2357,7 @@ METHOD(ike_sa_t, retransmit, status_t, { DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)", this->keyingtry + 1, tries); - reset(this); + reset(this, TRUE); resolve_hosts(this); return this->task_manager->initiate(this->task_manager); } diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index c8ba2fd2a..fbc367292 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2016 Tobias Brunner + * Copyright (C) 2006-2017 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -1014,7 +1014,7 @@ struct ike_sa_t { /** * Rekey the IKE_SA. * - * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA. + * Sets up a new IKE_SA, moves all CHILD_SAs to it and deletes this IKE_SA. * * @return - SUCCESS, if IKE_SA rekeying initiated */ @@ -1169,9 +1169,11 @@ struct ike_sa_t { void (*inherit_post) (ike_sa_t *this, ike_sa_t *other); /** - * Reset the IKE_SA, useable when initiating fails + * Reset the IKE_SA, useable when initiating fails. + * + * @param new_spi TRUE to allocate a new initiator SPI */ - void (*reset) (ike_sa_t *this); + void (*reset) (ike_sa_t *this, bool new_spi); /** * Destroys a ike_sa_t object. diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index c0bfebb83..101d98678 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -1,9 +1,10 @@ /* * Copyright (C) 2005-2011 Martin Willi * Copyright (C) 2011 revosec AG - * Copyright (C) 2008-2016 Tobias Brunner + * + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -1572,6 +1573,88 @@ METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*, return ike_sa; } +METHOD(ike_sa_manager_t, new_initiator_spi, bool, + private_ike_sa_manager_t *this, ike_sa_t *ike_sa) +{ + ike_sa_state_t state; + ike_sa_id_t *ike_sa_id; + entry_t *entry; + u_int segment; + uint64_t new_spi, spi; + + state = ike_sa->get_state(ike_sa); + if (state != IKE_CONNECTING) + { + DBG1(DBG_MGR, "unable to change initiator SPI for IKE_SA in state " + "%N", ike_sa_state_names, state); + return FALSE; + } + + ike_sa_id = ike_sa->get_id(ike_sa); + if (!ike_sa_id->is_initiator(ike_sa_id)) + { + DBG1(DBG_MGR, "unable to change initiator SPI of IKE_SA as responder"); + return FALSE; + } + + if (ike_sa != charon->bus->get_sa(charon->bus)) + { + DBG1(DBG_MGR, "unable to change initiator SPI of IKE_SA not checked " + "out by current thread"); + return FALSE; + } + + new_spi = get_spi(this); + if (!new_spi) + { + DBG1(DBG_MGR, "unable to allocate new initiator SPI for IKE_SA"); + return FALSE; + } + + if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS) + { + if (entry->driveout_waiting_threads && entry->driveout_new_threads) + { /* it looks like flush() has been called and the SA is being deleted + * anyway, no need for a new SPI */ + DBG2(DBG_MGR, "ignored change of initiator SPI during shutdown"); + unlock_single_segment(this, segment); + return FALSE; + } + /* threads waiting for this entry do so using the (soon) wrong IKE_SA + * ID and, therefore, likely on the wrong segment, so drive them out */ + entry->driveout_waiting_threads = TRUE; + entry->driveout_new_threads = TRUE; + while (entry->waiting_threads) + { + entry->condvar->broadcast(entry->condvar); + entry->condvar->wait(entry->condvar, this->segments[segment].mutex); + } + remove_entry(this, entry); + unlock_single_segment(this, segment); + } + else + { + DBG1(DBG_MGR, "unable to change initiator SPI of IKE_SA, not found"); + return FALSE; + } + + spi = ike_sa_id->get_initiator_spi(ike_sa_id); + + DBG2(DBG_MGR, "change initiator SPI of IKE_SA %s[%u] from %.16"PRIx64" to " + "%.16"PRIx64, ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa), + be64toh(spi), be64toh(new_spi)); + + ike_sa_id->set_initiator_spi(ike_sa_id, new_spi); + entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa_id); + + entry->driveout_waiting_threads = FALSE; + entry->driveout_new_threads = FALSE; + + segment = put_entry(this, entry); + unlock_single_segment(this, segment); + return TRUE; +} + CALLBACK(enumerator_filter_wait, bool, private_ike_sa_manager_t *this, enumerator_t *orig, va_list args) { @@ -2277,6 +2360,7 @@ ike_sa_manager_t *ike_sa_manager_create() .checkout_by_config = _checkout_by_config, .checkout_by_id = _checkout_by_id, .checkout_by_name = _checkout_by_name, + .new_initiator_spi = _new_initiator_spi, .check_uniqueness = _check_uniqueness, .has_contact = _has_contact, .create_enumerator = _create_enumerator, diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h index 4298c54e2..efad2e4d6 100644 --- a/src/libcharon/sa/ike_sa_manager.h +++ b/src/libcharon/sa/ike_sa_manager.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2008-2015 Tobias Brunner + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -109,6 +109,17 @@ struct ike_sa_manager_t { peer_cfg_t *peer_cfg); /** + * Reset initiator SPI. + * + * Allocate a new initiator SPI for the given IKE_SA in state IKE_CONNECTING + * and update internal data. + * + * @param ike_sa IKE_SA to update + * @return TRUE if SPI successfully changed + */ + bool (*new_initiator_spi)(ike_sa_manager_t* this, ike_sa_t *ike_sa); + + /** * Check for duplicates of the given IKE_SA. * * Measures are taken according to the uniqueness policy of the IKE_SA. diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c index 344c1bf5d..41be15a08 100644 --- a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c +++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c @@ -110,7 +110,7 @@ METHOD(authenticator_t, build, status_t, } free(dh.ptr); - if (private->sign(private, scheme, hash, &sig)) + if (private->sign(private, scheme, NULL, hash, &sig)) { sig_payload = hash_payload_create(PLV1_SIGNATURE); sig_payload->set_hash(sig_payload, sig); @@ -176,7 +176,7 @@ METHOD(authenticator_t, process, status_t, id, auth, TRUE); while (enumerator->enumerate(enumerator, &public, ¤t_auth)) { - if (public->verify(public, scheme, hash, sig)) + if (public->verify(public, scheme, NULL, hash, sig)) { DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id, signature_scheme_names, scheme); diff --git a/src/libcharon/sa/ikev1/iv_manager.c b/src/libcharon/sa/ikev1/iv_manager.c index c9f737ccd..2a6e5c04f 100644 --- a/src/libcharon/sa/ikev1/iv_manager.c +++ b/src/libcharon/sa/ikev1/iv_manager.c @@ -15,6 +15,7 @@ #include "iv_manager.h" +#include <library.h> #include <collections/linked_list.h> /** diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index 628ea0de8..4c16adba3 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -221,8 +221,7 @@ static void add_initial_contact(private_main_mode_t *this, message_t *message, idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE); if (idr && !idr->contains_wildcards(idr)) { - if (this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO && - this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER) + if (this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER) { host = this->ike_sa->get_other_host(this->ike_sa); if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager, diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c index 19ea72d0b..65baf8771 100644 --- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2008-2015 Tobias Brunner + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -61,10 +61,9 @@ struct private_pubkey_authenticator_t { * Parse authentication data used for Signature Authentication as per RFC 7427 */ static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type, - signature_scheme_t *scheme) + signature_params_t *params) { uint8_t len; - int oid; if (!auth_data->len) { @@ -72,14 +71,11 @@ static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type, } len = auth_data->ptr[0]; *auth_data = chunk_skip(*auth_data, 1); - /* we currently don't support schemes that require parameters */ - oid = asn1_parse_algorithmIdentifier(*auth_data, 1, NULL); - *scheme = signature_scheme_from_oid(oid); - if (*scheme == SIGN_UNKNOWN) + if (!signature_params_parse(*auth_data, 1, params)) { return FALSE; } - *key_type = key_type_from_signature_scheme(*scheme); + *key_type = key_type_from_signature_scheme(params->scheme); *auth_data = chunk_skip(*auth_data, len); return TRUE; } @@ -88,18 +84,16 @@ static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type, * Build authentication data used for Signature Authentication as per RFC 7427 */ static bool build_signature_auth_data(chunk_t *auth_data, - signature_scheme_t scheme) + signature_params_t *params) { chunk_t data; uint8_t len; - int oid; - oid = signature_scheme_to_oid(scheme); - if (oid == OID_UNKNOWN) + if (!signature_params_build(params, &data)) { + chunk_free(auth_data); return FALSE; } - data = asn1_algorithmIdentifier(oid); len = data.len; *auth_data = chunk_cat("cmm", chunk_from_thing(len), data, *auth_data); return TRUE; @@ -114,13 +108,13 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat, { enumerator_t *enumerator; signature_scheme_t scheme; - uintptr_t config; + signature_params_t *config; auth_rule_t rule; key_type_t key_type; bool have_config = FALSE; array_t *selected; - selected = array_create(sizeof(signature_scheme_t), 0); + selected = array_create(0, 0); key_type = private->get_type(private); enumerator = auth->create_enumerator(auth); while (enumerator->enumerate(enumerator, &rule, &config)) @@ -130,12 +124,12 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat, continue; } have_config = TRUE; - if (key_type == key_type_from_signature_scheme(config) && + if (key_type == key_type_from_signature_scheme(config->scheme) && keymat->hash_algorithm_supported(keymat, - hasher_from_signature_scheme(config))) + hasher_from_signature_scheme(config->scheme, + config->params))) { - scheme = config; - array_insert(selected, ARRAY_TAIL, &scheme); + array_insert(selected, ARRAY_TAIL, signature_params_clone(config)); } } enumerator->destroy(enumerator); @@ -146,24 +140,30 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat, * and supported by the other peer */ enumerator = signature_schemes_for_key(key_type, private->get_keysize(private)); - while (enumerator->enumerate(enumerator, &scheme)) + while (enumerator->enumerate(enumerator, &config)) { + if (config->scheme == SIGN_RSA_EMSA_PSS && + !lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + lib->ns)) + { + continue; + } if (keymat->hash_algorithm_supported(keymat, - hasher_from_signature_scheme(scheme))) + hasher_from_signature_scheme(config->scheme, + config->params))) { - array_insert(selected, ARRAY_TAIL, &scheme); + array_insert(selected, ARRAY_TAIL, + signature_params_clone(config)); } } enumerator->destroy(enumerator); - /* for RSA we tried at least SHA-512, also try other schemes down to - * what we'd use with classic authentication */ + /* for RSA we tried at least SHA-512, also try other schemes */ if (key_type == KEY_RSA) { signature_scheme_t schemes[] = { SIGN_RSA_EMSA_PKCS1_SHA2_384, SIGN_RSA_EMSA_PKCS1_SHA2_256, - SIGN_RSA_EMSA_PKCS1_SHA1, }, contained; bool found; int i, j; @@ -182,9 +182,13 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat, } } if (!found && keymat->hash_algorithm_supported(keymat, - hasher_from_signature_scheme(scheme))) + hasher_from_signature_scheme(scheme, + NULL))) { - array_insert(selected, ARRAY_TAIL, &scheme); + INIT(config, + .scheme = scheme, + ) + array_insert(selected, ARRAY_TAIL, config); } } } @@ -192,6 +196,12 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat, return selected; } +CALLBACK(destroy_scheme, void, + signature_params_t *params, int idx, void *user) +{ + signature_params_destroy(params); +} + /** * Create a signature using RFC 7427 signature authentication */ @@ -201,7 +211,7 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this, { enumerator_t *enumerator; keymat_v2_t *keymat; - signature_scheme_t scheme = SIGN_UNKNOWN, *schemep; + signature_params_t *params = NULL; array_t *schemes; chunk_t octets = chunk_empty; status_t status = FAILED; @@ -221,11 +231,11 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this, schemes)) { enumerator = array_create_enumerator(schemes); - while (enumerator->enumerate(enumerator, &schemep)) + while (enumerator->enumerate(enumerator, ¶ms)) { - scheme = *schemep; - if (private->sign(private, scheme, octets, auth_data) && - build_signature_auth_data(auth_data, scheme)) + if (private->sign(private, params->scheme, params->params, octets, + auth_data) && + build_signature_auth_data(auth_data, params)) { status = SUCCESS; break; @@ -233,16 +243,34 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this, else { DBG2(DBG_IKE, "unable to create %N signature for %N key", - signature_scheme_names, scheme, key_type_names, + signature_scheme_names, params->scheme, key_type_names, private->get_type(private)); } } enumerator->destroy(enumerator); } - DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id, - signature_scheme_names, scheme, - status == SUCCESS ? "successful" : "failed"); - array_destroy(schemes); + if (params) + { + if (params->scheme == SIGN_RSA_EMSA_PSS) + { + rsa_pss_params_t *pss = params->params; + DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N_%N %s", id, + signature_scheme_names, params->scheme, + hash_algorithm_short_names_upper, pss->hash, + status == SUCCESS ? "successful" : "failed"); + } + else + { + DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id, + signature_scheme_names, params->scheme, + status == SUCCESS ? "successful" : "failed"); + } + } + else + { + DBG1(DBG_IKE, "authentication of '%Y' (myself) failed", id); + } + array_destroy_function(schemes, destroy_scheme, NULL); chunk_free(&octets); return status; } @@ -253,23 +281,27 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this, */ static bool get_auth_octets_scheme(private_pubkey_authenticator_t *this, bool verify, identification_t *id, - chunk_t *octets, signature_scheme_t *scheme) + chunk_t *octets, signature_params_t **scheme) { keymat_v2_t *keymat; array_t *schemes; bool success = FALSE; - schemes = array_create(sizeof(signature_scheme_t), 0); - array_insert(schemes, ARRAY_TAIL, scheme); + schemes = array_create(0, 0); + array_insert(schemes, ARRAY_TAIL, *scheme); keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); if (keymat->get_auth_octets(keymat, verify, this->ike_sa_init, this->nonce, id, this->reserved, octets, schemes) && - array_get(schemes, 0, &scheme)) + array_remove(schemes, 0, scheme)) { success = TRUE; } - array_destroy(schemes); + else + { + *scheme = NULL; + } + array_destroy_function(schemes, destroy_scheme, NULL); return success; } @@ -282,6 +314,7 @@ static status_t sign_classic(private_pubkey_authenticator_t *this, chunk_t *auth_data) { signature_scheme_t scheme; + signature_params_t *params; chunk_t octets = chunk_empty; status_t status = FAILED; @@ -319,11 +352,18 @@ static status_t sign_classic(private_pubkey_authenticator_t *this, return FAILED; } - if (get_auth_octets_scheme(this, FALSE, id, &octets, &scheme) && - private->sign(private, scheme, octets, auth_data)) + INIT(params, + .scheme = scheme, + ); + if (get_auth_octets_scheme(this, FALSE, id, &octets, ¶ms) && + private->sign(private, params->scheme, NULL, octets, auth_data)) { status = SUCCESS; } + if (params) + { + signature_params_destroy(params); + } DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id, auth_method_names, *auth_method, status == SUCCESS ? "successful" : "failed"); @@ -385,7 +425,7 @@ METHOD(authenticator_t, process, status_t, auth_cfg_t *auth, *current_auth; enumerator_t *enumerator; key_type_t key_type = KEY_ECDSA; - signature_scheme_t scheme; + signature_params_t *params; status_t status = NOT_FOUND; const char *reason = "unsupported"; bool online; @@ -395,25 +435,26 @@ METHOD(authenticator_t, process, status_t, { return FAILED; } + INIT(params); auth_method = auth_payload->get_auth_method(auth_payload); auth_data = auth_payload->get_data(auth_payload); switch (auth_method) { case AUTH_RSA: key_type = KEY_RSA; - scheme = SIGN_RSA_EMSA_PKCS1_SHA1; + params->scheme = SIGN_RSA_EMSA_PKCS1_SHA1; break; case AUTH_ECDSA_256: - scheme = SIGN_ECDSA_256; + params->scheme = SIGN_ECDSA_256; break; case AUTH_ECDSA_384: - scheme = SIGN_ECDSA_384; + params->scheme = SIGN_ECDSA_384; break; case AUTH_ECDSA_521: - scheme = SIGN_ECDSA_521; + params->scheme = SIGN_ECDSA_521; break; case AUTH_DS: - if (parse_signature_auth_data(&auth_data, &key_type, &scheme)) + if (parse_signature_auth_data(&auth_data, &key_type, params)) { break; } @@ -422,10 +463,11 @@ METHOD(authenticator_t, process, status_t, default: DBG1(DBG_IKE, "%N authentication %s", auth_method_names, auth_method, reason); + signature_params_destroy(params); return INVALID_ARG; } id = this->ike_sa->get_other_id(this->ike_sa); - if (!get_auth_octets_scheme(this, TRUE, id, &octets, &scheme)) + if (!get_auth_octets_scheme(this, TRUE, id, &octets, ¶ms)) { return FAILED; } @@ -436,15 +478,31 @@ METHOD(authenticator_t, process, status_t, key_type, id, auth, online); while (enumerator->enumerate(enumerator, &public, ¤t_auth)) { - if (public->verify(public, scheme, octets, auth_data)) + if (public->verify(public, params->scheme, params->params, octets, + auth_data)) { - DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id, - auth_method == AUTH_DS ? signature_scheme_names : auth_method_names, - auth_method == AUTH_DS ? scheme : auth_method); + if (auth_method != AUTH_DS) + { + DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id, + auth_method_names, auth_method); + } + else if (params->scheme == SIGN_RSA_EMSA_PSS) + { + rsa_pss_params_t *pss = params->params; + DBG1(DBG_IKE, "authentication of '%Y' with %N_%N successful", + id, signature_scheme_names, params->scheme, + hash_algorithm_short_names_upper, pss->hash); + } + else + { + DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id, + signature_scheme_names, params->scheme); + } status = SUCCESS; auth->merge(auth, current_auth, FALSE); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); - auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME, (uintptr_t)scheme); + auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME, + signature_params_clone(params)); if (!online) { auth->add(auth, AUTH_RULE_CERT_VALIDATION_SUSPENDED, TRUE); @@ -459,6 +517,7 @@ METHOD(authenticator_t, process, status_t, } enumerator->destroy(enumerator); chunk_free(&octets); + signature_params_destroy(params); if (status == NOT_FOUND) { DBG1(DBG_IKE, "no trusted %N public key found for '%Y'", diff --git a/src/libcharon/sa/ikev2/keymat_v2.h b/src/libcharon/sa/ikev2/keymat_v2.h index 36bf149fe..084ed40f0 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.h +++ b/src/libcharon/sa/ikev2/keymat_v2.h @@ -101,8 +101,9 @@ struct keymat_v2_t { * @param id identity * @param reserved reserved bytes of id_payload * @param octests chunk receiving allocated auth octets - * @param schemes array containing signature schemes in case they - * need to be modified by the keymat implementation + * @param schemes array containing signature schemes + * (signature_params_t*) in case they need to be + * modified by the keymat implementation * @return TRUE if octets created successfully */ bool (*get_auth_octets)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init, diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index c2ddbc588..361eb0fe1 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c @@ -131,7 +131,7 @@ struct private_task_manager_t { array_t *queued_tasks; /** - * Array of active tasks, initiated by ourselve + * Array of active tasks, initiated by ourselves */ array_t *active_tasks; @@ -1780,9 +1780,11 @@ static void trigger_mbb_reauth(private_task_manager_t *this) enumerator_t *enumerator; child_sa_t *child_sa; child_cfg_t *cfg; + peer_cfg_t *peer; ike_sa_t *new; host_t *host; queued_task_t *queued; + bool children = FALSE; new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, this->ike_sa->get_version(this->ike_sa), TRUE); @@ -1791,7 +1793,8 @@ static void trigger_mbb_reauth(private_task_manager_t *this) return; } - new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa)); + peer = this->ike_sa->get_peer_cfg(this->ike_sa); + new->set_peer_cfg(new, peer); host = this->ike_sa->get_other_host(this->ike_sa); new->set_other_host(new, host->clone(host)); host = this->ike_sa->get_my_host(this->ike_sa); @@ -1809,6 +1812,7 @@ static void trigger_mbb_reauth(private_task_manager_t *this) cfg = child_sa->get_config(child_sa); new->queue_task(new, &child_create_create(new, cfg->get_ref(cfg), FALSE, NULL, NULL)->task); + children = TRUE; } enumerator->destroy(enumerator); @@ -1821,10 +1825,24 @@ static void trigger_mbb_reauth(private_task_manager_t *this) new->queue_task(new, queued->task); array_remove_at(this->queued_tasks, enumerator); free(queued); + children = TRUE; } } enumerator->destroy(enumerator); + if (!children +#ifdef ME + /* allow reauth of mediation connections without CHILD_SAs */ + && !peer->is_mediation(peer) +#endif /* ME */ + ) + { + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new); + DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA " + "to recreate"); + return; + } + /* suspend online revocation checking until the SA is established */ new->set_condition(new, COND_ONLINE_VALIDATION_SUSPENDED, TRUE); diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index cac3bc0a2..4d4d72e0b 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -1377,7 +1377,6 @@ METHOD(task_t, build_r, status_t, uint16_t group = htons(this->dh_group); message->add_notify(message, FALSE, INVALID_KE_PAYLOAD, chunk_from_thing(group)); - handle_child_sa_failure(this, message); return SUCCESS; } case FAILED: diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c index 2217295b6..164f8fc03 100644 --- a/src/libcharon/sa/ikev2/tasks/child_delete.c +++ b/src/libcharon/sa/ikev2/tasks/child_delete.c @@ -349,7 +349,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this) child_sa->get_unique_id(child_sa)), delay); continue; } - else if (expire) + else if (now < expire) { /* let it expire naturally */ continue; } diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c index 53daaf2ad..aeaa701c9 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_auth.c +++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c @@ -471,7 +471,6 @@ METHOD(task_t, build_i, status_t, if (idr && !idr->contains_wildcards(idr) && message->get_message_id(message) == 1 && - this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO && this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER) { host_t *host; diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c index 58b710616..d75d21715 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_init.c +++ b/src/libcharon/sa/ikev2/tasks/ike_init.c @@ -158,7 +158,7 @@ static void send_supported_hash_algorithms(private_ike_init_t *this, peer_cfg_t *peer; auth_cfg_t *auth; auth_rule_t rule; - uintptr_t config; + signature_params_t *config; int written; size_t len = BUF_LEN; char buf[len]; @@ -177,7 +177,8 @@ static void send_supported_hash_algorithms(private_ike_init_t *this, { if (rule == AUTH_RULE_IKE_SIGNATURE_SCHEME) { - hash = hasher_from_signature_scheme(config); + hash = hasher_from_signature_scheme(config->scheme, + config->params); if (hasher_algorithm_for_ikev2(hash)) { algos->add(algos, hash); @@ -502,7 +503,11 @@ static void process_payloads(private_ike_init_t *this, message_t *message) this->dh = this->keymat->keymat.create_dh( &this->keymat->keymat, this->dh_group); } - if (this->dh) + else if (this->dh) + { + this->dh_failed = this->dh->get_dh_group(this->dh) != this->dh_group; + } + if (this->dh && !this->dh_failed) { this->dh_failed = !this->dh->set_other_public_value(this->dh, ke_payload->get_key_exchange_data(ke_payload)); @@ -811,7 +816,7 @@ METHOD(task_t, process_i, status_t, if (this->old_sa == NULL) { /* reset the IKE_SA if we are not rekeying */ - this->ike_sa->reset(this->ike_sa); + this->ike_sa->reset(this->ike_sa, FALSE); } enumerator->destroy(enumerator); @@ -829,7 +834,7 @@ METHOD(task_t, process_i, status_t, { chunk_free(&this->cookie); this->cookie = chunk_clone(notify->get_notification_data(notify)); - this->ike_sa->reset(this->ike_sa); + this->ike_sa->reset(this->ike_sa, FALSE); enumerator->destroy(enumerator); DBG2(DBG_IKE, "received %N notify", notify_type_names, type); this->retry++; diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c index e85b276e8..f72fbc437 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_vendor.c +++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c @@ -97,6 +97,8 @@ static vid_data_t vids[] = { "\x88\x2f\xe5\x6d\x6f\xd2\x0d\xbc\x22\x51\x61\x3b\x2e\xbe\x5b\xeb"}, { "Cisco Delete Reason", 0, NULL, 0, "CISCO-DELETE-REASON" }, + { "Cisco FlexVPN Supported", 0, NULL, 0, + "FLEXVPN-SUPPORTED" }, { "Cisco Copyright (c) 2009", 0, NULL, 0, "CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc." }, { "FRAGMENTATION", 0, NULL, 16, diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c index ad12f0579..3a254cea5 100644 --- a/src/libcharon/sa/shunt_manager.c +++ b/src/libcharon/sa/shunt_manager.c @@ -96,6 +96,7 @@ static bool install_shunt_policy(child_cfg_t *child) status_t status = SUCCESS; uint32_t manual_prio; char *interface; + bool fwd_out; ipsec_sa_cfg_t sa = { .mode = MODE_TRANSPORT }; switch (child->get_mode(child)) @@ -122,6 +123,7 @@ static bool install_shunt_policy(child_cfg_t *child) manual_prio = child->get_manual_prio(child); interface = child->get_interface(child); + fwd_out = child->has_option(child, OPT_FWD_OUT_POLICIES); /* enumerate pairs of traffic selectors */ e_my_ts = my_ts_list->create_enumerator(my_ts_list); @@ -157,9 +159,11 @@ static bool install_shunt_policy(child_cfg_t *child) .sa = &sa, }; status |= charon->kernel->add_policy(charon->kernel, &id, &policy); - /* install "outbound" forward policy */ - id.dir = POLICY_FWD; - status |= charon->kernel->add_policy(charon->kernel, &id, &policy); + if (fwd_out) + { /* install "outbound" forward policy */ + id.dir = POLICY_FWD; + status |= charon->kernel->add_policy(charon->kernel, &id, &policy); + } /* install in policy */ id = (kernel_ipsec_policy_id_t){ .dir = POLICY_IN, @@ -255,6 +259,7 @@ static void uninstall_shunt_policy(child_cfg_t *child) status_t status = SUCCESS; uint32_t manual_prio; char *interface; + bool fwd_out; ipsec_sa_cfg_t sa = { .mode = MODE_TRANSPORT }; switch (child->get_mode(child)) @@ -281,6 +286,7 @@ static void uninstall_shunt_policy(child_cfg_t *child) manual_prio = child->get_manual_prio(child); interface = child->get_interface(child); + fwd_out = child->has_option(child, OPT_FWD_OUT_POLICIES); /* enumerate pairs of traffic selectors */ e_my_ts = my_ts_list->create_enumerator(my_ts_list); @@ -316,9 +322,12 @@ static void uninstall_shunt_policy(child_cfg_t *child) .sa = &sa, }; status |= charon->kernel->del_policy(charon->kernel, &id, &policy); - /* uninstall "outbound" forward policy */ - id.dir = POLICY_FWD; - status |= charon->kernel->del_policy(charon->kernel, &id, &policy); + if (fwd_out) + { + /* uninstall "outbound" forward policy */ + id.dir = POLICY_FWD; + status |= charon->kernel->del_policy(charon->kernel, &id, &policy); + } /* uninstall in policy */ id = (kernel_ipsec_policy_id_t){ .dir = POLICY_IN, diff --git a/src/libcharon/tests/Makefile.in b/src/libcharon/tests/Makefile.in index 8a2775bc0..66d2431c9 100644 --- a/src/libcharon/tests/Makefile.in +++ b/src/libcharon/tests/Makefile.in @@ -269,9 +269,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in index d147b27d8..604899b5a 100644 --- a/src/libfast/Makefile.in +++ b/src/libfast/Makefile.in @@ -250,9 +250,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libfast/fast_dispatcher.c b/src/libfast/fast_dispatcher.c index 66a2ee514..4b422f077 100644 --- a/src/libfast/fast_dispatcher.c +++ b/src/libfast/fast_dispatcher.c @@ -136,7 +136,7 @@ typedef struct { } session_entry_t; /** - * create a session and instanciate controllers + * create a session and instantiate controllers */ static fast_session_t* load_session(private_fast_dispatcher_t *this) { diff --git a/src/libfast/fast_dispatcher.h b/src/libfast/fast_dispatcher.h index 6546385c6..21708a744 100644 --- a/src/libfast/fast_dispatcher.h +++ b/src/libfast/fast_dispatcher.h @@ -25,11 +25,11 @@ * The application has a global context and a session context. The global * context is accessed from all sessions simultaneously and therefore * needs to be threadsave. Often a database wrapper is the global context. - * The session context is instanciated per session. Sessions are managed + * The session context is instantiated per session. Sessions are managed * automatically through session cookies. The session context is kept alive * until the session times out. It must implement the context_t interface and * a #fast_context_constructor_t is needed to create instances. To each session, - * a set of controllers gets instanciated. The controller instances are per + * a set of controllers gets instantiated. The controller instances are per * session, so you can hold private data for each user. * Controllers need to implement the controller_t interface and need a * #fast_controller_constructor_t function to create instances. @@ -72,7 +72,7 @@ typedef struct fast_dispatcher_t fast_dispatcher_t; * * The dispatcher creates a session for each client (using SID cookies). In * each session, a session context is created using the context constructor. - * Each controller is instanciated in the session using the controller + * Each controller is instantiated in the session using the controller * constructor added with add_controller. */ struct fast_dispatcher_t { @@ -102,7 +102,7 @@ struct fast_dispatcher_t { /** * Start with dispatching. * - * Instanciate a constant thread pool and start dispatching requests. + * Instantiate a constant thread pool and start dispatching requests. * * @param threads number of dispatching threads */ diff --git a/src/libfast/fast_session.h b/src/libfast/fast_session.h index 2ff450b93..3fca3673e 100644 --- a/src/libfast/fast_session.h +++ b/src/libfast/fast_session.h @@ -28,7 +28,7 @@ typedef struct fast_session_t fast_session_t; /** - * Session handling class, instanciated for each user session. + * Session handling class, instantiated for each user session. */ struct fast_session_t { diff --git a/src/libimcv/Android.mk b/src/libimcv/Android.mk index 4df3dcb64..9f3172074 100644 --- a/src/libimcv/Android.mk +++ b/src/libimcv/Android.mk @@ -79,6 +79,8 @@ libimcv_la_SOURCES := \ swid/swid_inventory.h swid/swid_inventory.c \ swid/swid_tag.h swid/swid_tag.c \ swid/swid_tag_id.h swid/swid_tag_id.c \ + swid_gen/swid_gen.h swid_gen/swid_gen.c \ + swid_gen/swid_gen_info.h swid_gen/swid_gen_info.c \ swima/swima_data_model.h swima/swima_data_model.c \ swima/swima_record.h swima/swima_record.c \ swima/swima_event.h swima/swima_event.c \ diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in index 246ffe29d..ef2c9c35b 100644 --- a/src/libimcv/Makefile.in +++ b/src/libimcv/Makefile.in @@ -440,9 +440,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/ietf/ietf_attr.c b/src/libimcv/ietf/ietf_attr.c index 9e3e83d4d..44e0ef24f 100644 --- a/src/libimcv/ietf/ietf_attr.c +++ b/src/libimcv/ietf/ietf_attr.c @@ -47,10 +47,10 @@ ENUM_BEGIN(ietf_attr_names, IETF_ATTR_TESTING, "Forwarding Enabled", "Factory Default Password Enabled", ); -ENUM_NEXT(ietf_attr_names, IETF_ATTR_SW_REQUEST, +ENUM_NEXT(ietf_attr_names, IETF_ATTR_SWIMA_REQUEST, IETF_ATTR_SRC_METADATA_RESP, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED, - "SW Request", + "SWIMA Request", "SW Identifier Inventory", "SW Identifier Events", "SW Inventory", @@ -97,7 +97,7 @@ pa_tnc_attr_t* ietf_attr_create_from_data(uint32_t type, size_t length, case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED: return generic_attr_bool_create_from_data(length, value, pen_type_create(PEN_IETF, type)); - case IETF_ATTR_SW_REQUEST: + case IETF_ATTR_SWIMA_REQUEST: return ietf_swima_attr_req_create_from_data(length, value); case IETF_ATTR_SW_ID_INVENTORY: return ietf_swima_attr_sw_inv_create_from_data(length, value, TRUE); diff --git a/src/libimcv/ietf/ietf_attr.h b/src/libimcv/ietf/ietf_attr.h index d2ea98201..cbf4a49a2 100644 --- a/src/libimcv/ietf/ietf_attr.h +++ b/src/libimcv/ietf/ietf_attr.h @@ -48,7 +48,7 @@ enum ietf_attr_t { IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED = 12, /* draft-ietf-sacm-nea-swid-patnc */ - IETF_ATTR_SW_REQUEST = 17, + IETF_ATTR_SWIMA_REQUEST = 17, IETF_ATTR_SW_ID_INVENTORY = 18, IETF_ATTR_SW_ID_EVENTS = 19, IETF_ATTR_SW_INVENTORY = 20, diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c index 966c095e2..75f279298 100644 --- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c +++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c @@ -27,16 +27,16 @@ ENUM_BEGIN(pa_tnc_error_code_names, PA_ERROR_RESERVED, "Version Not Supported", "Attribute Type Not Supported" ); -ENUM_NEXT(pa_tnc_error_code_names, PA_ERROR_SW, - PA_ERROR_SW_SUBSCRIPTION_ID_REUSE, +ENUM_NEXT(pa_tnc_error_code_names, PA_ERROR_SWIMA, + PA_ERROR_SWIMA_SUBSCRIPTION_ID_REUSE, PA_ERROR_ATTR_TYPE_NOT_SUPPORTED, - "SW Error", - "SW Subscription Denied", - "SW Response Too Large", - "SW Subscription Fulfillment Error", - "SW Subscription ID Reuse" + "SWIMA Error", + "SWIMA Subscription Denied", + "SWIMA Response Too Large", + "SWIMA Subscription Fulfillment Error", + "SWIMA Subscription ID Reuse" ); -ENUM_END(pa_tnc_error_code_names, PA_ERROR_SW_SUBSCRIPTION_ID_REUSE); +ENUM_END(pa_tnc_error_code_names, PA_ERROR_SWIMA_SUBSCRIPTION_ID_REUSE); typedef struct private_ietf_attr_pa_tnc_error_t private_ietf_attr_pa_tnc_error_t; diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h index 7dbc33828..dd0be72ff 100644 --- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h +++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h @@ -33,18 +33,18 @@ typedef enum pa_tnc_error_code_t pa_tnc_error_code_t; enum pa_tnc_error_code_t { /* RFC 5792 PA-TNC */ - PA_ERROR_RESERVED = 0, - PA_ERROR_INVALID_PARAMETER = 1, - PA_ERROR_VERSION_NOT_SUPPORTED = 2, - PA_ERROR_ATTR_TYPE_NOT_SUPPORTED = 3, - PA_ERROR_PA_TNC_MSG_ROOF = 3, + PA_ERROR_RESERVED = 0, + PA_ERROR_INVALID_PARAMETER = 1, + PA_ERROR_VERSION_NOT_SUPPORTED = 2, + PA_ERROR_ATTR_TYPE_NOT_SUPPORTED = 3, + PA_ERROR_PA_TNC_MSG_ROOF = 3, /* draft-ietf-sacm-nea-swid-patnc (SWIMA) */ - PA_ERROR_SW = 32, - PA_ERROR_SW_SUBSCRIPTION_DENIED = 33, - PA_ERROR_SW_RESPONSE_TOO_LARGE = 34, - PA_ERROR_SW_SUBSCRIPTION_FULFILLMENT = 35, - PA_ERROR_SW_SUBSCRIPTION_ID_REUSE = 36 + PA_ERROR_SWIMA = 32, + PA_ERROR_SWIMA_SUBSCRIPTION_DENIED = 33, + PA_ERROR_SWIMA_RESPONSE_TOO_LARGE = 34, + PA_ERROR_SWIMA_SUBSCRIPTION_FULFILLMENT = 35, + PA_ERROR_SWIMA_SUBSCRIPTION_ID_REUSE = 36 }; /** diff --git a/src/libimcv/ietf/swima/ietf_swima_attr_req.c b/src/libimcv/ietf/swima/ietf_swima_attr_req.c index 07d0b0c5f..d67497373 100644 --- a/src/libimcv/ietf/swima/ietf_swima_attr_req.c +++ b/src/libimcv/ietf/swima/ietf_swima_attr_req.c @@ -274,7 +274,7 @@ pa_tnc_attr_t *ietf_swima_attr_req_create(uint8_t flags, uint32_t request_id) .set_targets = _set_targets, .get_targets = _get_targets, }, - .type = { PEN_IETF, IETF_ATTR_SW_REQUEST }, + .type = { PEN_IETF, IETF_ATTR_SWIMA_REQUEST }, .flags = flags & SW_REQ_RESERVED_MASK, .request_id = request_id, .targets = swima_inventory_create(), @@ -309,7 +309,7 @@ pa_tnc_attr_t *ietf_swima_attr_req_create_from_data(size_t length, chunk_t data) .set_targets = _set_targets, .get_targets = _get_targets, }, - .type = { PEN_IETF, IETF_ATTR_SW_REQUEST }, + .type = { PEN_IETF, IETF_ATTR_SWIMA_REQUEST }, .length = length, .value = chunk_clone(data), .targets = swima_inventory_create(), diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql index a872499d2..40a0f5eeb 100644 --- a/src/libimcv/imv/data.sql +++ b/src/libimcv/imv/data.sql @@ -484,30 +484,66 @@ INSERT INTO products ( /* 81 */ 'Android 6.0.1' ); -INSERT INTO products ( /* 82 */ +INSERT INTO products ( /* 82 */ name ) VALUES ( 'Debian 8.5 i686' ); -INSERT INTO products ( /* 83 */ +INSERT INTO products ( /* 83 */ name ) VALUES ( 'Debian 8.5 x86_64' ); -INSERT INTO products ( /* 84 */ +INSERT INTO products ( /* 84 */ name ) VALUES ( 'Debian 8.6 i686' ); -INSERT INTO products ( /* 85 */ +INSERT INTO products ( /* 85 */ name ) VALUES ( 'Debian 8.6 x86_64' ); +INSERT INTO products ( /* 86 */ + name +) VALUES ( + 'Debian 8.7 i686' +); + +INSERT INTO products ( /* 87 */ + name +) VALUES ( + 'Debian 8.7 x86_64' +); + +INSERT INTO products ( /* 88 */ + name +) VALUES ( + 'Debian 8.8 i686' +); + +INSERT INTO products ( /* 89 */ + name +) VALUES ( + 'Debian 8.8 x86_64' +); + +INSERT INTO products ( /* 90 */ + name +) VALUES ( + 'Debian 8.9 i686' +); + +INSERT INTO products ( /* 91 */ + name +) VALUES ( + 'Debian 8.9 x86_64' +); + /* Directories */ INSERT INTO directories ( /* 1 */ @@ -1039,6 +1075,36 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 4, 82 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 84 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 86 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 88 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 90 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 5, 2 ); @@ -1129,6 +1195,24 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 5, 87 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 89 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 91 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 6, 9 ); diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c index e96faa77e..bb0b3b75b 100644 --- a/src/libimcv/imv/imv_agent.c +++ b/src/libimcv/imv/imv_agent.c @@ -685,9 +685,9 @@ METHOD(imv_agent_t, create_language_enumerator, enumerator_t*, ); if (!this->get_attribute || - !this->get_attribute(this->id, state->get_connection_id(state), + this->get_attribute(this->id, state->get_connection_id(state), TNC_ATTRIBUTEID_PREFERRED_LANGUAGE, BUF_LEN, - e->lang_buf, &e->lang_len) == TNC_RESULT_SUCCESS || + e->lang_buf, &e->lang_len) != TNC_RESULT_SUCCESS || e->lang_len >= BUF_LEN) { e->lang_len = 0; diff --git a/src/libimcv/imv/tables.sql b/src/libimcv/imv/tables.sql index 8bde8898f..b50c6ed12 100644 --- a/src/libimcv/imv/tables.sql +++ b/src/libimcv/imv/tables.sql @@ -253,24 +253,30 @@ CREATE INDEX "swid_entityroles_entity_id" ON "swid_entityroles" ( DROP TABLE IF EXISTS "swid_tags"; CREATE TABLE "swid_tags" ( "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + "version_id" INTEGER REFERENCES "versions" ("id"), "package_name" VARCHAR(255) NOT NULL, - "version" VARCHAR(255) NOT NULL, + "version_str" VARCHAR(255) NOT NULL, "unique_id" VARCHAR(255) NOT NULL, "swid_xml" TEXT NOT NULL, "software_id" VARCHAR(255) NOT NULL ); +DROP INDEX IF EXISTS "swid_tags_software_id"; DROP INDEX if EXISTS "swid_tags_unique_id"; +DROP INDEX IF EXISTS "swid_tags_version"; DROP INDEX IF EXISTS "swid_tags_package_name"; -DROP INDEX IF EXISTS "swid_tags_software_id"; + +CREATE INDEX "swid_tags_software_id" ON "swid_tags" ( + "software_id" +); CREATE INDEX "swid_tags_unique_id" ON "swid_tags" ( "unique_id" ); +CREATE INDEX "swid_tags_version_id" ON "swid_tags" ( + "version_id" +); CREATE INDEX "swid_tags_package_name" ON "swid_tags" ( "package_name" ); -CREATE INDEX "swid_tags_software_id" ON "swid_tags" ( - "software_id" -); DROP TABLE IF EXISTS "swid_tags_files"; CREATE TABLE "swid_tags_files" ( diff --git a/src/libimcv/plugins/imc_attestation/Makefile.in b/src/libimcv/plugins/imc_attestation/Makefile.in index 1600d4d2f..bc079ff12 100644 --- a/src/libimcv/plugins/imc_attestation/Makefile.in +++ b/src/libimcv/plugins/imc_attestation/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_hcd/Makefile.in b/src/libimcv/plugins/imc_hcd/Makefile.in index b12499d82..1b71b26d0 100644 --- a/src/libimcv/plugins/imc_hcd/Makefile.in +++ b/src/libimcv/plugins/imc_hcd/Makefile.in @@ -242,9 +242,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in index 14c6e02a0..e62c04bea 100644 --- a/src/libimcv/plugins/imc_os/Makefile.in +++ b/src/libimcv/plugins/imc_os/Makefile.in @@ -242,9 +242,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in index 664ffdff6..a054a475b 100644 --- a/src/libimcv/plugins/imc_scanner/Makefile.in +++ b/src/libimcv/plugins/imc_scanner/Makefile.in @@ -243,9 +243,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_swid/Makefile.in b/src/libimcv/plugins/imc_swid/Makefile.in index b6a77dda4..f58935f2e 100644 --- a/src/libimcv/plugins/imc_swid/Makefile.in +++ b/src/libimcv/plugins/imc_swid/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-0.swidtag b/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-1.swidtag index 644c0989c..f10740d60 100644 --- a/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-0.swidtag +++ b/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-1.swidtag @@ -1,8 +1,8 @@ <?xml version="1.0" encoding="utf-8"?> <SoftwareIdentity name="strongSwan" - tagId="strongSwan-5-6-0" - version="5.6.0" versionScheme="alphanumeric" + tagId="strongSwan-5-6-1" + version="5.6.1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"> <Entity name="strongSwan Project" diff --git a/src/libimcv/plugins/imc_swima/Makefile.in b/src/libimcv/plugins/imc_swima/Makefile.in index ae1d024af..ed2191921 100644 --- a/src/libimcv/plugins/imc_swima/Makefile.in +++ b/src/libimcv/plugins/imc_swima/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_swima/imc_swima.c b/src/libimcv/plugins/imc_swima/imc_swima.c index e120cf7fc..67080e050 100644 --- a/src/libimcv/plugins/imc_swima/imc_swima.c +++ b/src/libimcv/plugins/imc_swima/imc_swima.c @@ -35,7 +35,7 @@ static const char imc_name[] = "SWIMA"; static pen_type_t msg_types[] = { - { PEN_IETF, PA_SUBTYPE_IETF_SW } + { PEN_IETF, PA_SUBTYPE_IETF_SWIMA } }; static imc_agent_t *imc_swima; @@ -180,7 +180,7 @@ static void fulfill_request(imc_state_t *state, imc_msg_t *msg, { snprintf(error_msg, msg_len, "failed to collect SW%s events, " "fallback to SW%s inventory", id_str, id_str); - attr = swima_error_create(PA_ERROR_SW, request_id, 0, error_msg); + attr = swima_error_create(PA_ERROR_SWIMA, request_id, 0, error_msg); msg->add_attribute(msg, attr); } else { @@ -207,7 +207,7 @@ static void fulfill_request(imc_state_t *state, imc_msg_t *msg, { snprintf(error_msg, msg_len, "failed to collect SW%s inventory", id_str); - attr = swima_error_create(PA_ERROR_SW, request_id, 0, error_msg); + attr = swima_error_create(PA_ERROR_SWIMA, request_id, 0, error_msg); } else { @@ -258,7 +258,7 @@ static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg) type = attr->get_type(attr); - if (type.vendor_id != PEN_IETF || type.type != IETF_ATTR_SW_REQUEST) + if (type.vendor_id != PEN_IETF || type.type != IETF_ATTR_SWIMA_REQUEST) { continue; } @@ -270,7 +270,7 @@ static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg) if (flags & (IETF_SWIMA_ATTR_REQ_FLAG_S | IETF_SWIMA_ATTR_REQ_FLAG_C)) { - attr = swima_error_create(PA_ERROR_SW_SUBSCRIPTION_DENIED, + attr = swima_error_create(PA_ERROR_SWIMA_SUBSCRIPTION_DENIED, request_id, 0, "no subscription available yet"); out_msg->add_attribute(out_msg, attr); break; diff --git a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-0.swidtag b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-1.swidtag index 644c0989c..f10740d60 100644 --- a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-0.swidtag +++ b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-1.swidtag @@ -1,8 +1,8 @@ <?xml version="1.0" encoding="utf-8"?> <SoftwareIdentity name="strongSwan" - tagId="strongSwan-5-6-0" - version="5.6.0" versionScheme="alphanumeric" + tagId="strongSwan-5-6-1" + version="5.6.1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"> <Entity name="strongSwan Project" diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in index a002f0baf..fc6d2f6fb 100644 --- a/src/libimcv/plugins/imc_test/Makefile.in +++ b/src/libimcv/plugins/imc_test/Makefile.in @@ -242,9 +242,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_attestation/Makefile.in b/src/libimcv/plugins/imv_attestation/Makefile.in index 3872b9a57..f9eb9d6ed 100644 --- a/src/libimcv/plugins/imv_attestation/Makefile.in +++ b/src/libimcv/plugins/imv_attestation/Makefile.in @@ -256,9 +256,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c index b1ee16bf8..60a9edc0f 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c @@ -318,15 +318,24 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, enumerator_t *e; char *filename; chunk_t measurement; + int vid; + + if (!pts_db->get_product_version(pts_db, + pts->get_platform_id(pts), &vid)) + { + eval = TNC_IMV_EVALUATION_RESULT_ERROR; + break; + } e = measurements->create_enumerator(measurements); while (e->enumerate(e, &filename, &measurement)) { - if (pts_db->add_file_measurement(pts_db, - pts->get_platform_id(pts), algo, measurement, - filename, is_dir, arg_int) != SUCCESS) + if (!pts_db->add_file_measurement(pts_db, vid, algo, + measurement, filename, is_dir, arg_int)) { eval = TNC_IMV_EVALUATION_RESULT_ERROR; + e->destroy(e); + break; } } e->destroy(e); diff --git a/src/libimcv/plugins/imv_hcd/Makefile.in b/src/libimcv/plugins/imv_hcd/Makefile.in index fda666b06..99bf6d916 100644 --- a/src/libimcv/plugins/imv_hcd/Makefile.in +++ b/src/libimcv/plugins/imv_hcd/Makefile.in @@ -242,9 +242,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_os/Makefile.am b/src/libimcv/plugins/imv_os/Makefile.am index f5bc9010c..50a87d877 100644 --- a/src/libimcv/plugins/imv_os/Makefile.am +++ b/src/libimcv/plugins/imv_os/Makefile.am @@ -18,12 +18,3 @@ imv_os_la_SOURCES = \ imv_os_database.c imv_os_database.h imv_os_la_LDFLAGS = -module -avoid-version -no-undefined - -if !USE_WINDOWS -ipsec_PROGRAMS = pacman -pacman_SOURCES = pacman.c -pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -pacman.o : $(top_builddir)/config.status - -EXTRA_DIST = pacman.sh -endif diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in index a8d80b3f8..d5a6f07f1 100644 --- a/src/libimcv/plugins/imv_os/Makefile.in +++ b/src/libimcv/plugins/imv_os/Makefile.in @@ -14,7 +14,6 @@ @SET_MAKE@ - VPATH = @srcdir@ am__is_gnu_make = { \ if test -z '$(MAKELEVEL)'; then \ @@ -89,7 +88,6 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -@USE_WINDOWS_FALSE@ipsec_PROGRAMS = pacman$(EXEEXT) subdir = src/libimcv/plugins/imv_os ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -136,7 +134,7 @@ am__uninstall_files_from_dir = { \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } -am__installdirs = "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)" +am__installdirs = "$(DESTDIR)$(imcvdir)" LTLIBRARIES = $(imcv_LTLIBRARIES) imv_os_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \ $(top_builddir)/src/libstrongswan/libstrongswan.la @@ -150,11 +148,6 @@ am__v_lt_1 = imv_os_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(imv_os_la_LDFLAGS) $(LDFLAGS) -o $@ -PROGRAMS = $(ipsec_PROGRAMS) -am__pacman_SOURCES_DIST = pacman.c -@USE_WINDOWS_FALSE@am_pacman_OBJECTS = pacman.$(OBJEXT) -pacman_OBJECTS = $(am_pacman_OBJECTS) -@USE_WINDOWS_FALSE@pacman_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -189,8 +182,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(imv_os_la_SOURCES) $(pacman_SOURCES) -DIST_SOURCES = $(imv_os_la_SOURCES) $(am__pacman_SOURCES_DIST) +SOURCES = $(imv_os_la_SOURCES) +DIST_SOURCES = $(imv_os_la_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -250,9 +243,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -472,9 +467,6 @@ imv_os_la_SOURCES = \ imv_os_database.c imv_os_database.h imv_os_la_LDFLAGS = -module -avoid-version -no-undefined -@USE_WINDOWS_FALSE@pacman_SOURCES = pacman.c -@USE_WINDOWS_FALSE@pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -@USE_WINDOWS_FALSE@EXTRA_DIST = pacman.sh all: all-am .SUFFIXES: @@ -546,59 +538,6 @@ clean-imcvLTLIBRARIES: imv-os.la: $(imv_os_la_OBJECTS) $(imv_os_la_DEPENDENCIES) $(EXTRA_imv_os_la_DEPENDENCIES) $(AM_V_CCLD)$(imv_os_la_LINK) -rpath $(imcvdir) $(imv_os_la_OBJECTS) $(imv_os_la_LIBADD) $(LIBS) -install-ipsecPROGRAMS: $(ipsec_PROGRAMS) - @$(NORMAL_INSTALL) - @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \ - if test -n "$$list"; then \ - echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \ - fi; \ - for p in $$list; do echo "$$p $$p"; done | \ - sed 's/$(EXEEXT)$$//' | \ - while read p p1; do if test -f $$p \ - || test -f $$p1 \ - ; then echo "$$p"; echo "$$p"; else :; fi; \ - done | \ - sed -e 'p;s,.*/,,;n;h' \ - -e 's|.*|.|' \ - -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ - sed 'N;N;N;s,\n, ,g' | \ - $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ - { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ - if ($$2 == $$4) files[d] = files[d] " " $$1; \ - else { print "f", $$3 "/" $$4, $$1; } } \ - END { for (d in files) print "f", d, files[d] }' | \ - while read type dir files; do \ - if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ - test -z "$$files" || { \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \ - } \ - ; done - -uninstall-ipsecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \ - files=`for p in $$list; do echo "$$p"; done | \ - sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ - -e 's/$$/$(EXEEXT)/' \ - `; \ - test -n "$$list" || exit 0; \ - echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files - -clean-ipsecPROGRAMS: - @list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \ - echo " rm -f" $$list; \ - rm -f $$list || exit $$?; \ - test -n "$(EXEEXT)" || exit 0; \ - list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f" $$list; \ - rm -f $$list - -pacman$(EXEEXT): $(pacman_OBJECTS) $(pacman_DEPENDENCIES) $(EXTRA_pacman_DEPENDENCIES) - @rm -f pacman$(EXEEXT) - $(AM_V_CCLD)$(LINK) $(pacman_OBJECTS) $(pacman_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -610,7 +549,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_agent.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_database.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_state.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pacman.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ @@ -726,9 +664,9 @@ distdir: $(DISTFILES) done check-am: all-am check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) +all-am: Makefile $(LTLIBRARIES) installdirs: - for dir in "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)"; do \ + for dir in "$(DESTDIR)$(imcvdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -763,8 +701,8 @@ maintainer-clean-generic: @echo "it deletes files that may require special tools to rebuild." clean: clean-am -clean-am: clean-generic clean-imcvLTLIBRARIES clean-ipsecPROGRAMS \ - clean-libtool mostlyclean-am +clean-am: clean-generic clean-imcvLTLIBRARIES clean-libtool \ + mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) @@ -784,7 +722,7 @@ info: info-am info-am: -install-data-am: install-imcvLTLIBRARIES install-ipsecPROGRAMS +install-data-am: install-imcvLTLIBRARIES install-dvi: install-dvi-am @@ -830,29 +768,27 @@ ps: ps-am ps-am: -uninstall-am: uninstall-imcvLTLIBRARIES uninstall-ipsecPROGRAMS +uninstall-am: uninstall-imcvLTLIBRARIES .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ - clean-imcvLTLIBRARIES clean-ipsecPROGRAMS clean-libtool \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ + clean-imcvLTLIBRARIES clean-libtool cscopelist-am ctags \ + ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am \ install-imcvLTLIBRARIES install-info install-info-am \ - install-ipsecPROGRAMS install-man install-pdf install-pdf-am \ - install-ps install-ps-am install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags tags-am uninstall uninstall-am uninstall-imcvLTLIBRARIES \ - uninstall-ipsecPROGRAMS + install-man install-pdf install-pdf-am install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-imcvLTLIBRARIES .PRECIOUS: Makefile -@USE_WINDOWS_FALSE@pacman.o : $(top_builddir)/config.status # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libimcv/plugins/imv_os/imv_os_agent.c b/src/libimcv/plugins/imv_os/imv_os_agent.c index 4bf6c7e21..3fa3d0965 100644 --- a/src/libimcv/plugins/imv_os/imv_os_agent.c +++ b/src/libimcv/plugins/imv_os/imv_os_agent.c @@ -705,8 +705,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, eval = fail ? TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR : TNC_IMV_EVALUATION_RESULT_COMPLIANT; snprintf(result_str, BUF_LEN, "processed %d packages: " - "%d not updated, %d blacklisted, %d ok, " - "%d unknown", + "%d vulnerable, %d blacklisted, %d ok, %d unknown", count, count_update, count_blacklist, count_ok, count - count_update - count_blacklist - count_ok); break; diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c index 31b889b74..049c844bc 100644 --- a/src/libimcv/plugins/imv_os/imv_os_database.c +++ b/src/libimcv/plugins/imv_os/imv_os_database.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2014 Andreas Steffen + * Copyright (C) 2012-2017 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -51,7 +51,7 @@ METHOD(imv_os_database_t, check_packages, status_t, char *product, *package, *release, *cur_release; chunk_t name, version; int pid, gid, security, blacklist; - int count = 0, count_ok = 0, count_no_match = 0, count_blacklist = 0; + int count = 0, count_ok = 0, count_security = 0, count_blacklist = 0; enumerator_t *e; status_t status = SUCCESS; bool found, match; @@ -103,11 +103,8 @@ METHOD(imv_os_database_t, check_packages, status_t, if (!e->enumerate(e, &gid)) { /* package not present in database for any product - skip */ - if (os_type == OS_TYPE_ANDROID) - { - DBG2(DBG_IMV, "package '%s' (%.*s) not found", - package, version.len, version.ptr); - } + DBG2(DBG_IMV, "package '%s' (%.*s) not found", + package, version.len, version.ptr); free(package); e->destroy(e); continue; @@ -148,36 +145,41 @@ METHOD(imv_os_database_t, check_packages, status_t, { if (blacklist) { - DBG2(DBG_IMV, "package '%s' (%s) is blacklisted", + DBG1(DBG_IMV, "package '%s' (%s) is blacklisted", package, release); count_blacklist++; os_state->add_bad_package(os_state, package, OS_PACKAGE_STATE_BLACKLIST); } + else if (security) + { + DBG1(DBG_IMV, "package '%s' (%s) is vulnerable", + package, release); + os_state->add_bad_package(os_state, package, + OS_PACKAGE_STATE_SECURITY); + count_security++; + } else { - DBG2(DBG_IMV, "package '%s' (%s)%s is ok", package, release, - security ? " [s]" : ""); + DBG2(DBG_IMV, "package '%s' (%s) is ok", + package, release); count_ok++; } } else { DBG1(DBG_IMV, "package '%s' (%s) no match", package, release); - count_no_match++; - os_state->add_bad_package(os_state, package, - OS_PACKAGE_STATE_SECURITY); } } else { - /* package not present in database for this product - skip */ + DBG2(DBG_IMV, "package '%s' (%s) unknown", package, release); } free(package); free(release); } - os_state->set_count(os_state, count, count_no_match, - count_blacklist, count_ok); + os_state->set_count(os_state, count, count_security, count_blacklist, + count_ok); return status; } diff --git a/src/libimcv/plugins/imv_os/imv_os_state.c b/src/libimcv/plugins/imv_os/imv_os_state.c index ac826a77c..af5daf0fc 100644 --- a/src/libimcv/plugins/imv_os/imv_os_state.c +++ b/src/libimcv/plugins/imv_os/imv_os_state.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2014 Andreas Steffen + * Copyright (C) 2012-2017 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -121,9 +121,9 @@ struct private_imv_os_state_t { int count; /** - * Number of not updated packages + * Number of vulnerable packages */ - int count_update; + int count_security; /** * Number of blacklisted packages @@ -372,7 +372,7 @@ METHOD(imv_state_t, get_reason_string, bool, private_imv_os_state_t *this, enumerator_t *language_enumerator, chunk_t *reason_string, char **reason_language) { - if (!this->count_update && !this->count_blacklist & !this->os_settings) + if (!this->count_security && !this->count_blacklist & !this->os_settings) { return FALSE; } @@ -383,7 +383,7 @@ METHOD(imv_state_t, get_reason_string, bool, DESTROY_IF(this->reason_string); this->reason_string = imv_reason_string_create(*reason_language, "\n"); - if (this->count_update || this->count_blacklist) + if (this->count_security || this->count_blacklist) { this->reason_string->add_reason(this->reason_string, reason_packages); } @@ -403,7 +403,7 @@ METHOD(imv_state_t, get_remediation_instructions, bool, imv_os_info_t *os_info; bool as_xml = FALSE; - if (!this->count_update && !this->count_blacklist & !this->os_settings) + if (!this->count_security && !this->count_blacklist & !this->os_settings) { return FALSE; } @@ -430,7 +430,7 @@ METHOD(imv_state_t, get_remediation_instructions, bool, } /* List of packages in need of an update, if any */ - if (this->count_update) + if (this->count_security) { this->remediation_string->add_instruction(this->remediation_string, instr_update_packages_title, @@ -492,26 +492,26 @@ METHOD(imv_os_state_t, get_handshake_state, imv_os_handshake_state_t, METHOD(imv_os_state_t, set_count, void, - private_imv_os_state_t *this, int count, int count_update, + private_imv_os_state_t *this, int count, int count_security, int count_blacklist, int count_ok) { this->count += count; - this->count_update += count_update; + this->count_security += count_security; this->count_blacklist += count_blacklist; this->count_ok += count_ok; } METHOD(imv_os_state_t, get_count, void, - private_imv_os_state_t *this, int *count, int *count_update, + private_imv_os_state_t *this, int *count, int *count_security, int *count_blacklist, int *count_ok) { if (count) { *count = this->count; } - if (count_update) + if (count_security) { - *count_update = this->count_update; + *count_security = this->count_security; } if (count_blacklist) { diff --git a/src/libimcv/plugins/imv_os/imv_os_state.h b/src/libimcv/plugins/imv_os/imv_os_state.h index aa9b64076..d73a47412 100644 --- a/src/libimcv/plugins/imv_os/imv_os_state.h +++ b/src/libimcv/plugins/imv_os/imv_os_state.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2014 Andreas Steffen + * Copyright (C) 2012-2017 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -81,22 +81,22 @@ struct imv_os_state_t { * Set [or with multiple attributes increment] package counters * * @param count Number of processed packages - * @param count_update Number of not updated packages + * @param count_security Number of vulnerable packages * @param count_blacklist Number of blacklisted packages * @param count_ok Number of whitelisted packages */ - void (*set_count)(imv_os_state_t *this, int count, int count_update, + void (*set_count)(imv_os_state_t *this, int count, int count_security, int count_blacklist, int count_ok); /** * Set [or with multiple attributes increment] package counters * * @param count Number of processed packages - * @param count_update Number of not updated packages + * @param count_security Number of vulnerable packages * @param count_blacklist Number of blacklisted packages * @param count_ok Number of whitelisted packages */ - void (*get_count)(imv_os_state_t *this, int *count, int *count_update, + void (*get_count)(imv_os_state_t *this, int *count, int *count_security, int *count_blacklist, int *count_ok); /** diff --git a/src/libimcv/plugins/imv_os/pacman.c b/src/libimcv/plugins/imv_os/pacman.c deleted file mode 100644 index fbcab5eba..000000000 --- a/src/libimcv/plugins/imv_os/pacman.c +++ /dev/null @@ -1,499 +0,0 @@ -/* - * Copyright (C) 2012 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#define _GNU_SOURCE -#include <getopt.h> -#include <unistd.h> -#include <stdio.h> -#include <string.h> -#include <errno.h> -#include <syslog.h> -#include <time.h> -#include <sys/stat.h> - -#include "imv_os_state.h" - -#include <library.h> -#include <utils/debug.h> - -typedef enum pacman_state_t pacman_state_t; - -enum pacman_state_t { - PACMAN_STATE_BEGIN_PACKAGE, - PACMAN_STATE_VERSION, - PACMAN_STATE_END_PACKAGE -}; - -typedef struct stats_t stats_t; - -struct stats_t { - time_t release; - int product; - int packages; - int new_packages; - int new_versions; - int updated_versions; - int deleted_versions; -}; - -/** - * global debug output variables - */ -static int debug_level = 1; -static bool stderr_quiet = TRUE; - -/** - * pacman dbg function - */ -static void pacman_dbg(debug_t group, level_t level, char *fmt, ...) -{ - int priority = LOG_INFO; - char buffer[8192]; - char *current = buffer, *next; - va_list args; - - if (level <= debug_level) - { - if (!stderr_quiet) - { - va_start(args, fmt); - vfprintf(stderr, fmt, args); - fprintf(stderr, "\n"); - va_end(args); - } - - /* write in memory buffer first */ - va_start(args, fmt); - vsnprintf(buffer, sizeof(buffer), fmt, args); - va_end(args); - - /* do a syslog with every line */ - while (current) - { - next = strchr(current, '\n'); - if (next) - { - *(next++) = '\0'; - } - syslog(priority, "%s\n", current); - current = next; - } - } -} - -/** - * atexit handler to close everything on shutdown - */ -static void cleanup(void) -{ - closelog(); - library_deinit(); -} - -static void usage(void) -{ - printf("Parses package information files from Debian/Ubuntu repositories and\n"); - printf("stores the extracted information in the database used by the OS IMV.\n\n"); - printf("ipsec pacman --product <name> --file <filename> [--security]\n\n"); - printf(" --help print usage information\n"); - printf(" --product <name> name of the Debian/Ubuntu release, as stored in the DB\n"); - printf(" --file <filename> package information file to parse\n"); - printf(" --security set this when parsing a file with security updates\n"); - printf("\n"); -} - -/** - * Update the package database - */ -static bool update_database(database_t *db, char *package, char *version, - bool security, stats_t *stats) -{ - char *cur_version, *version_update = NULL, *version_delete = NULL; - int cur_security, security_update = 0, security_delete = 0; - int pac_id = 0, vid = 0, vid_update = 0, vid_delete = 0; - u_int cur_time; - bool add_version = TRUE; - enumerator_t *e; - - /* increment package count */ - stats->packages++; - - /* check if package is already in database */ - e = db->query(db, "SELECT id FROM packages WHERE name = ?", - DB_TEXT, package, DB_INT); - if (!e) - { - return FALSE; - } - if (!e->enumerate(e, &pac_id)) - { - pac_id = 0; - } - e->destroy(e); - - if (!pac_id && security) - { - if (db->execute(db, &pac_id, "INSERT INTO packages (name) VALUES (?)", - DB_TEXT, package) != 1) - { - fprintf(stderr, "could not store package '%s' to database\n", - package); - return FALSE; - } - stats->new_packages++; - } - - /* check for package versions already in database */ - e = db->query(db, - "SELECT id, release, security, time FROM versions " - "WHERE package = ? AND product = ?", DB_INT, pac_id, - DB_INT, stats->product, DB_INT, DB_TEXT, DB_INT, DB_UINT); - if (!e) - { - return FALSE; - } - - while (e->enumerate(e, &vid, &cur_version, &cur_security, &cur_time)) - { - if (streq(version, cur_version)) - { - /* already in data base */ - add_version = FALSE; - break; - } - else if (stats->release >= cur_time) - { - if (security) - { - if (cur_security) - { - vid_update = vid; - version_update = strdup(cur_version); - security_update = cur_security; - } - else - { - vid_delete = vid; - version_delete = strdup(cur_version); - security_delete = cur_security; - } - } - else - { - if (!cur_security) - { - vid_update = vid; - version_update = strdup(cur_version); - security_update = cur_security; - } - } - } - else - { - if (security == cur_security) - { - add_version = FALSE; - } - } - } - e->destroy(e); - - if ((!vid && !security) || (vid && !add_version)) - { - free(version_update); - free(version_delete); - return TRUE; - } - - if ((!vid && security) || (vid && !vid_update)) - { - printf("%s (%s) %s\n", package, version, security ? "[s]" : ""); - - if (db->execute(db, &vid, - "INSERT INTO versions " - "(package, product, release, security, time) " - "VALUES (?, ?, ?, ?, ?)", DB_INT, pac_id, DB_INT, stats->product, - DB_TEXT, version, DB_INT, security, DB_INT, stats->release) != 1) - { - fprintf(stderr, "could not store version '%s' to database\n", - version); - free(version_update); - free(version_delete); - return FALSE; - } - stats->new_versions++; - } - else - { - printf("%s (%s) %s updated by\n", - package, version_update, security_update ? "[s]" : ""); - printf("%s (%s) %s\n", package, version, security ? "[s]" : ""); - - if (db->execute(db, NULL, - "UPDATE versions SET release = ?, time = ? WHERE id = ?", - DB_TEXT, version, DB_INT, stats->release, DB_INT, vid_update) <= 0) - { - fprintf(stderr, "could not update version '%s' to database\n", - version); - free(version_update); - free(version_delete); - return FALSE; - } - stats->updated_versions++; - } - - if (vid_delete) - { - printf("%s (%s) %s deleted\n", - package, version_delete, security_delete ? "[s]" : ""); - if (db->execute(db, NULL, - "DELETE FROM versions WHERE id = ?", - DB_INT, vid_delete) <= 0) - { - fprintf(stderr, "could not delete version '%s' from database\n", - version_delete); - free(version_update); - free(version_delete); - return FALSE; - } - stats->deleted_versions++; - } - free(version_update); - free(version_delete); - - return TRUE; -} - -/** - * Process a package file and store updates in the database - */ -static void process_packages(char *filename, char *product, bool security) -{ - char *uri, line[BUF_LEN], *pos, *package = NULL, *version = NULL; - pacman_state_t pacman_state; - enumerator_t *e; - database_t *db; - int pid; - FILE *file; - stats_t stats; - bool success; - - /* initialize statistics */ - memset(&stats, 0x00, sizeof(stats_t)); - - /* Set release date to current time */ - stats.release = time(NULL); - - /* opening package file */ - printf("loading\"%s\"\n", filename); - file = fopen(filename, "r"); - if (!file) - { - fprintf(stderr, "could not open \"%s\"\n", filename); - exit(EXIT_FAILURE); - } - - /* connect package database */ - uri = lib->settings->get_str(lib->settings, "pacman.database", NULL); - if (!uri) - { - fprintf(stderr, "database URI pacman.database not set\n"); - fclose(file); - exit(EXIT_FAILURE); - } - db = lib->db->create(lib->db, uri); - if (!db) - { - fprintf(stderr, "could not connect to database '%s'\n", uri); - fclose(file); - exit(EXIT_FAILURE); - } - - /* check if product is already in database */ - e = db->query(db, "SELECT id FROM products WHERE name = ?", - DB_TEXT, product, DB_INT); - if (e) - { - if (e->enumerate(e, &pid)) - { - stats.product = pid; - } - e->destroy(e); - } - if (!stats.product) - { - if (db->execute(db, &pid, "INSERT INTO products (name) VALUES (?)", - DB_TEXT, product) != 1) - { - fprintf(stderr, "could not store product '%s' to database\n", - product); - fclose(file); - db->destroy(db); - exit(EXIT_FAILURE); - } - stats.product = pid; - } - - pacman_state = PACMAN_STATE_BEGIN_PACKAGE; - - while (fgets(line, sizeof(line), file)) - { - /* set read pointer to beginning of line */ - pos = line; - - switch (pacman_state) - { - case PACMAN_STATE_BEGIN_PACKAGE: - pos = strstr(pos, "Package: "); - if (!pos) - { - continue; - } - pos += 9; - package = pos; - pos = strchr(pos, '\n'); - if (pos) - { - package = strndup(package, pos - package); - pacman_state = PACMAN_STATE_VERSION; - } - break; - case PACMAN_STATE_VERSION: - pos = strstr(pos, "Version: "); - if (!pos) - { - continue; - } - pos += 9; - version = pos; - pos = strchr(pos, '\n'); - if (pos) - { - version = strndup(version, pos - version); - pacman_state = PACMAN_STATE_END_PACKAGE; - } - break; - case PACMAN_STATE_END_PACKAGE: - if (*pos != '\n') - { - continue; - } - success = update_database(db, package, version, security, &stats); - free(package); - free(version); - if (!success) - { - fclose(file); - db->destroy(db); - exit(EXIT_FAILURE); - } - pacman_state = PACMAN_STATE_BEGIN_PACKAGE; - } - } - switch (pacman_state) - { - case PACMAN_STATE_END_PACKAGE: - free(version); - /* fall-through */ - case PACMAN_STATE_VERSION: - free(package); - break; - default: - break; - } - fclose(file); - db->destroy(db); - - printf("processed %d packages, %d new packages, %d new versions, " - "%d updated versions, %d deleted versions\n", - stats.packages, stats.new_packages, stats.new_versions, - stats.updated_versions, stats.deleted_versions); -} - -static void do_args(int argc, char *argv[]) -{ - char *filename = NULL, *product = NULL; - bool security = FALSE; - - /* reinit getopt state */ - optind = 0; - - while (TRUE) - { - int c; - - struct option long_opts[] = { - { "help", no_argument, NULL, 'h' }, - { "file", required_argument, NULL, 'f' }, - { "product", required_argument, NULL, 'p' }, - { "security", no_argument, NULL, 's' }, - { 0,0,0,0 } - }; - - c = getopt_long(argc, argv, "", long_opts, NULL); - switch (c) - { - case EOF: - break; - case 'h': - usage(); - exit(EXIT_SUCCESS); - case 'f': - filename = optarg; - continue; - case 'p': - product = optarg; - continue; - case 's': - security = TRUE; - continue; - } - break; - } - - if (filename && product) - { - process_packages(filename, product, security); - } - else - { - usage(); - exit(EXIT_FAILURE); - } -} - -int main(int argc, char *argv[]) -{ - /* enable attest debugging hook */ - dbg = pacman_dbg; - openlog("pacman", 0, LOG_DEBUG); - - atexit(cleanup); - - /* initialize library */ - if (!library_init(NULL, "pacman")) - { - exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); - } - if (!lib->plugins->load(lib->plugins, - lib->settings->get_str(lib->settings, "pacman.load", "sqlite"))) - { - exit(SS_RC_INITIALIZATION_FAILED); - } - do_args(argc, argv); - - exit(EXIT_SUCCESS); -} - diff --git a/src/libimcv/plugins/imv_os/pacman.sh b/src/libimcv/plugins/imv_os/pacman.sh deleted file mode 100755 index fcf35b644..000000000 --- a/src/libimcv/plugins/imv_os/pacman.sh +++ /dev/null @@ -1,203 +0,0 @@ -#!/bin/sh - -DIR="/etc/pts" -DATE=`date +%Y%m%d-%H%M` -UBUNTU="http://security.ubuntu.com/ubuntu/dists" -UBUNTU_VERSIONS="trusty saucy raring quantal precise lucid" -UBUNTU_DIRS="main multiverse restricted universe" -UBUNTU_ARCH="binary-amd64 binary-i386" -DEBIAN="http://security.debian.org/dists" -DEBIAN_VERSIONS="jessie wheezy squeeze" -DEBIAN_DIRS="main contrib non-free" -DEBIAN_ARCH="binary-amd64 binary-i386" -PACMAN=/usr/libexec/ipsec/pacman -PACMAN_LOG="$DIR/$DATE-pacman.log" - -mkdir -p $DIR/dists -cd $DIR/dists - -for v in $UBUNTU_VERSIONS -do - for a in $UBUNTU_ARCH - do - mkdir -p $v-security/$a $v-updates/$a - for d in $UBUNTU_DIRS - do - wget $UBUNTU/$v-security/$d/$a/Packages.bz2 -O $v-security/$a/Packages-$d.bz2 - bunzip2 -f $v-security/$a/Packages-$d.bz2 - wget $UBUNTU/$v-updates/$d/$a/Packages.bz2 -O $v-updates/$a/Packages-$d.bz2 - bunzip2 -f $v-updates/$a/Packages-$d.bz2 - done - done -done - -for v in $DEBIAN_VERSIONS -do - for a in $DEBIAN_ARCH - do - mkdir -p $v-updates/$a - for d in $DEBIAN_DIRS - do - wget $DEBIAN/$v/updates/$d/$a/Packages.bz2 -O $v-updates/$a/Packages-$d.bz2 - bunzip2 -f $v-updates/$a/Packages-$d.bz2 - done - done -done - -for f in trusty-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 14.04 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in trusty-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 14.04 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in trusty-security/binary-i386/* -do - $PACMAN --product "Ubuntu 14.04 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in trusty-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 14.04 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in saucy-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 13.10 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in saucy-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 13.10 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in saucy-security/binary-i386/* -do - $PACMAN --product "Ubuntu 13.10 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in saucy-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 13.10 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in raring-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 13.04 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in raring-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 13.04 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in raring-security/binary-i386/* -do - $PACMAN --product "Ubuntu 13.04 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in raring-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 13.04 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in quantal-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 12.10 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in quantal-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 12.10 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in quantal-security/binary-i386/* -do - $PACMAN --product "Ubuntu 12.10 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in quantal-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 12.10 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in precise-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 12.04 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in precise-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 12.04 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in precise-security/binary-i386/* -do - $PACMAN --product "Ubuntu 12.04 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in precise-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 12.04 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in lucid-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 10.04 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in lucid-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 10.04 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in lucid-security/binary-i386/* -do - $PACMAN --product "Ubuntu 10.04 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in lucid-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 10.04 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in jessie-updates/binary-amd64/* -do - $PACMAN --product "Debian 8.0 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in jessie-updates/binary-i386/* -do - $PACMAN --product "Debian 8.0 i686" --file $f --security >> $PACMAN_LOG -done - -for f in wheezy-updates/binary-amd64/* -do - $PACMAN --product "Debian 7.0 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in wheezy-updates/binary-i386/* -do - $PACMAN --product "Debian 7.0 i686" --file $f --security >> $PACMAN_LOG -done - -for f in squeeze-updates/binary-amd64/* -do - $PACMAN --product "Debian 6.0 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in squeeze-updates/binary-i386/* -do - $PACMAN --product "Debian 6.0 i686" --file $f --security >> $PACMAN_LOG -done - -cp $DIR/config.db $DIR/config.db-$DATE diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in index b851f84e7..2649f499d 100644 --- a/src/libimcv/plugins/imv_scanner/Makefile.in +++ b/src/libimcv/plugins/imv_scanner/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_swid/Makefile.in b/src/libimcv/plugins/imv_swid/Makefile.in index c745b4597..faccb683e 100644 --- a/src/libimcv/plugins/imv_swid/Makefile.in +++ b/src/libimcv/plugins/imv_swid/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_swima/Makefile.in b/src/libimcv/plugins/imv_swima/Makefile.in index 56eafa5ad..e2132b576 100644 --- a/src/libimcv/plugins/imv_swima/Makefile.in +++ b/src/libimcv/plugins/imv_swima/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_swima/imv_swima_agent.c b/src/libimcv/plugins/imv_swima/imv_swima_agent.c index efa2b1105..1d9944200 100644 --- a/src/libimcv/plugins/imv_swima/imv_swima_agent.c +++ b/src/libimcv/plugins/imv_swima/imv_swima_agent.c @@ -44,7 +44,7 @@ typedef struct private_imv_swima_agent_t private_imv_swima_agent_t; /* Subscribed PA-TNC message subtypes */ static pen_type_t msg_types[] = { - { PEN_IETF, PA_SUBTYPE_IETF_SW } + { PEN_IETF, PA_SUBTYPE_IETF_SWIMA } }; /** @@ -175,7 +175,7 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this, reader->destroy(reader); continue; } - if (error_code.type == PA_ERROR_SW_RESPONSE_TOO_LARGE) + if (error_code.type == PA_ERROR_SWIMA_RESPONSE_TOO_LARGE) { if (!reader->read_uint32(reader, &max_attr_size)) { diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in index 8a6b9ed15..b583a32c2 100644 --- a/src/libimcv/plugins/imv_test/Makefile.in +++ b/src/libimcv/plugins/imv_test/Makefile.in @@ -243,9 +243,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/pts/pts.c b/src/libimcv/pts/pts.c index d771d07ed..09ffd7160 100644 --- a/src/libimcv/pts/pts.c +++ b/src/libimcv/pts/pts.c @@ -762,7 +762,7 @@ METHOD(pts_t, verify_quote_signature, bool, return FALSE; } - if (!aik_pubkey->verify(aik_pubkey, scheme, digest, signature)) + if (!aik_pubkey->verify(aik_pubkey, scheme, NULL, digest, signature)) { DBG1(DBG_PTS, "signature verification failed for TPM Quote Info"); DESTROY_IF(aik_pubkey); diff --git a/src/libimcv/pts/pts_database.c b/src/libimcv/pts/pts_database.c index 4a47b06f0..8b99d689b 100644 --- a/src/libimcv/pts/pts_database.c +++ b/src/libimcv/pts/pts_database.c @@ -121,15 +121,69 @@ METHOD(pts_database_t, create_file_hash_enumerator, enumerator_t*, return e; } -METHOD(pts_database_t, add_file_measurement, status_t, - private_pts_database_t *this, int pid, pts_meas_algorithms_t algo, + +METHOD(pts_database_t, get_product_version, bool, + private_pts_database_t *this, int pid, int *vid) +{ + enumerator_t *e; + int pkg_id; + + /* does empty package name already exist? */ + e = this->db->query(this->db, + "SELECT id FROM packages WHERE name = ''", DB_INT); + if (!e) + { + return FALSE; + } + if (!e->enumerate(e, &pkg_id)) + { + /* create generic product version entry */ + if (this->db->execute(this->db, &pkg_id, + "INSERT INTO packages (name) VALUES ('')") != 1) + { + DBG1(DBG_PTS, "could not insert package into database"); + e->destroy(e); + return FALSE; + } + } + e->destroy(e); + + /* does generic product version already exist? */ + e = this->db->query(this->db, + "SELECT id FROM versions WHERE product = ? AND package = ?", + DB_INT, pid, DB_INT, pkg_id); + if (!e) + { + return FALSE; + } + if (!e->enumerate(e, vid)) + { + /* create generic product version entry */ + if (this->db->execute(this->db, vid, + "INSERT INTO versions (product, package) VALUES (?, ?)", + DB_INT, pid, DB_INT, pkg_id) != 1) + { + DBG1(DBG_PTS, "could not insert version into database"); + e->destroy(e); + return FALSE; + } + } + e->destroy(e); + + return TRUE; +} + +METHOD(pts_database_t, add_file_measurement, bool, + private_pts_database_t *this, int vid, pts_meas_algorithms_t algo, chunk_t measurement, char *filename, bool is_dir, int id) { enumerator_t *e; char *name; - chunk_t hash_value; + uint8_t hash_buf[HASH_SIZE_SHA512]; + uint8_t hex_meas_buf[2*HASH_SIZE_SHA512+1], *hex_hash_buf; + chunk_t hash, hex_hash, hex_meas; int hash_id, fid; - status_t status = SUCCESS; + bool success = TRUE; if (is_dir) { @@ -139,7 +193,7 @@ METHOD(pts_database_t, add_file_measurement, status_t, DB_TEXT, filename, DB_INT, id, DB_INT); if (!e) { - return FAILED; + return FALSE; } if (!e->enumerate(e, &fid)) { @@ -149,7 +203,7 @@ METHOD(pts_database_t, add_file_measurement, status_t, DB_TEXT, filename, DB_INT, id) != 1) { DBG1(DBG_PTS, "could not insert filename into database"); - status = FAILED; + success = FALSE; } } e->destroy(e); @@ -163,58 +217,63 @@ METHOD(pts_database_t, add_file_measurement, status_t, "SELECT name FROM files WHERE id = ?", DB_INT, fid, DB_TEXT); if (!e) { - return FAILED; + return FALSE; } if (!e->enumerate(e, &name) || !streq(name, filename)) { DBG1(DBG_PTS, "filename of reference measurement does not match"); - status = FAILED; + success = FALSE; } e->destroy(e); } - if (status != SUCCESS) + if (!success) { - return status; + return FALSE; } /* does hash measurement value already exist? */ e = this->db->query(this->db, - "SELECT fh.id, fh.hash FROM file_hashes AS fh " - "JOIN versions AS v ON v.id = fh.version " - "WHERE v.product = ? AND fh.algo = ? AND fh.file = ?", - DB_INT, pid, DB_INT, algo, DB_INT, fid, DB_INT, DB_BLOB); + "SELECT id, hash FROM file_hashes " + "WHERE algo = ? AND file = ? AND version = ?", + DB_INT, algo, DB_INT, fid, DB_INT, vid, DB_INT, DB_TEXT); if (!e) { - return FAILED; + return FALSE; } - if (e->enumerate(e, &hash_id, &hash_value)) + if (e->enumerate(e, &hash_id, &hex_hash_buf)) { - if (!chunk_equals_const(measurement, hash_value)) + hex_hash = chunk_from_str(hex_hash_buf); + hash = chunk_from_hex(hex_hash, hash_buf); + + if (!chunk_equals(measurement, hash)) { /* update hash measurement value */ if (this->db->execute(this->db, &hash_id, "UPDATE file_hashes SET hash = ? WHERE id = ?", DB_BLOB, measurement, DB_INT, hash_id) != 1) { - status = FAILED; + success = FALSE; } } } else { + hex_meas = chunk_to_hex(measurement, hex_meas_buf, FALSE); + hex_meas_buf[hex_meas.len] = '\0'; + /* insert hash measurement value */ if (this->db->execute(this->db, &hash_id, - "INSERT INTO file_hashes (file, product, algo, hash) " - "VALUES (?, ?, ?, ?)", DB_INT, fid, DB_INT, pid, - DB_INT, algo, DB_BLOB, measurement) != 1) + "INSERT INTO file_hashes (file, version, algo, hash) " + "VALUES (?, ?, ?, ?)", DB_INT, fid, DB_INT, vid, + DB_INT, algo, DB_TEXT, hex_meas_buf) != 1) { - status = FAILED; + success = FALSE; } } e->destroy(e); - return status; + return success; } METHOD(pts_database_t, create_file_meas_enumerator, enumerator_t*, @@ -296,7 +355,7 @@ METHOD(pts_database_t, check_comp_measurement, status_t, while (e->enumerate(e, &hash)) { - if (chunk_equals_const(hash, measurement)) + if (chunk_equals(hash, measurement)) { status = SUCCESS; break; @@ -424,6 +483,7 @@ pts_database_t *pts_database_create(imv_database_t *imv_db) .public = { .get_pathname = _get_pathname, .create_file_hash_enumerator = _create_file_hash_enumerator, + .get_product_version = _get_product_version, .add_file_measurement = _add_file_measurement, .create_file_meas_enumerator = _create_file_meas_enumerator, .check_comp_measurement = _check_comp_measurement, diff --git a/src/libimcv/pts/pts_database.h b/src/libimcv/pts/pts_database.h index a6c9fb3b6..3a5ff5992 100644 --- a/src/libimcv/pts/pts_database.h +++ b/src/libimcv/pts/pts_database.h @@ -60,18 +60,27 @@ struct pts_database_t { /** * Add PTS file measurement reference value * - * @param pid Primary key of software product in database + * @param pid Primary key of platform product + * @param vid Primary key of generic product version + * @return TRUE if successful + */ + bool (*get_product_version)(pts_database_t *this, int pid, int *vid); + + /** + * Add PTS file measurement reference value + * + * @param vid Primary key of generic product version * @param algo File measurement hash algorithm used * @param measurement File measurement hash * @param filename Optional name of the file to be checked * @param is_dir TRUE if part of directory measurement * @param id Primary key into direcories/files table - * @return Status + * @return TRUE if successful */ - status_t (*add_file_measurement)(pts_database_t *this, int pid, - pts_meas_algorithms_t algo, - chunk_t measurement, char *filename, - bool is_dir, int id); + bool (*add_file_measurement)(pts_database_t *this, int vid, + pts_meas_algorithms_t algo, + chunk_t measurement, char *filename, + bool is_dir, int id); /** * Get PTS measurement[s] for a given filename stored in database diff --git a/src/libimcv/pts/pts_file_meas.c b/src/libimcv/pts/pts_file_meas.c index 92f513a2d..2f8935a87 100644 --- a/src/libimcv/pts/pts_file_meas.c +++ b/src/libimcv/pts/pts_file_meas.c @@ -140,7 +140,7 @@ METHOD(pts_file_meas_t, check, bool, { while (e->enumerate(e, &hash)) { - if (chunk_equals_const(entry->measurement, hash)) + if (chunk_equals(entry->measurement, hash)) { status = SUCCESS; break; @@ -193,12 +193,13 @@ METHOD(pts_file_meas_t, verify, bool, { int fid, fid_last = 0; char *filename; - chunk_t measurement; + uint8_t measurement_buf[HASH_SIZE_SHA512], *hex_meas_buf; + chunk_t measurement, hex_meas; entry_t *entry; enumerator_t *enumerator = NULL; bool found = FALSE, match = FALSE, success = TRUE; - while (e_hash->enumerate(e_hash, &fid, &filename, &measurement)) + while (e_hash->enumerate(e_hash, &fid, &filename, &hex_meas_buf)) { if (fid != fid_last) { @@ -241,7 +242,10 @@ METHOD(pts_file_meas_t, verify, bool, if (found && !match) { - if (chunk_equals_const(measurement, entry->measurement)) + hex_meas = chunk_from_str(hex_meas_buf); + measurement = chunk_from_hex(hex_meas, measurement_buf); + + if (chunk_equals(measurement, entry->measurement)) { match = TRUE; DBG2(DBG_PTS, " %#B for '%s' is ok", diff --git a/src/libimcv/suites/test_imcv_seg.c b/src/libimcv/suites/test_imcv_seg.c index 5245be9fa..fdb03b8ae 100644 --- a/src/libimcv/suites/test_imcv_seg.c +++ b/src/libimcv/suites/test_imcv_seg.c @@ -88,7 +88,7 @@ START_TEST(test_imcv_seg_env) { /* create first segment */ attr = seg_env->first_segment(seg_env, 0); - + seg_env_attr = (tcg_seg_attr_seg_env_t*)attr; segment = seg_env_attr->get_segment(seg_env_attr, &flags); if (max_seg_size > 12) @@ -108,8 +108,8 @@ START_TEST(test_imcv_seg_env) segment = seg_env_attr->get_segment(seg_env_attr, &flags); seg = chunk_create(command + n * max_seg_size - 12, seg_size); ck_assert(chunk_equals(seg, segment)); - ck_assert(flags == last_seg ? SEG_ENV_FLAG_NONE : - SEG_ENV_FLAG_MORE); + ck_assert(flags == (last_seg ? SEG_ENV_FLAG_NONE : + SEG_ENV_FLAG_MORE)); } /* check built segment envelope attribute */ @@ -137,8 +137,8 @@ START_TEST(test_imcv_seg_env) } else { - ck_assert(flags == last_seg ? SEG_ENV_FLAG_NONE : - SEG_ENV_FLAG_MORE); + ck_assert(flags == (last_seg ? SEG_ENV_FLAG_NONE : + SEG_ENV_FLAG_MORE)); seg_env1->add_segment(seg_env1, segment, &error); } attr1->destroy(attr1); @@ -341,7 +341,7 @@ START_TEST(test_imcv_seg_contract) ita_attr = (ita_attr_command_t*)base_attr_i; ck_assert(streq(ita_attr->get_command(ita_attr), command)); base_attr_i->destroy(base_attr_i); - } + } contract_i->destroy(contract_i); contract_r->destroy(contract_r); base_attr_r->destroy(base_attr_r); @@ -389,7 +389,7 @@ START_TEST(test_imcv_seg_contract_special) contract_i->get_info_string(contract_i, info, sizeof(info), TRUE); ck_assert(max_attr_size == 1000 && max_seg_size == 47); ck_assert(!contract_i->is_null(contract_i)); - + /* create a null responder contract*/ contract_r = seg_contract_create(msg_type, SEG_CONTRACT_MAX_SIZE_VALUE, SEG_CONTRACT_MAX_SIZE_VALUE, @@ -594,7 +594,7 @@ START_TEST(test_imcv_seg_contract_invalid) TRUE, issuer_id, FALSE); base_attr = contract->add_segment(contract, attr_f, &error, &more); ck_assert(base_attr == NULL); - + if (contract_invalid_tests[_i].err_f) { ck_assert(error); @@ -641,18 +641,18 @@ START_TEST(test_imcv_seg_contract_mgr) contracts = seg_contract_manager_create(); /* add contract template as issuer */ - c1 = seg_contract_create(msg_type1, max_attr_size, max_seg_size, + c1 = seg_contract_create(msg_type1, max_attr_size, max_seg_size, TRUE, 1, FALSE); c1->get_info_string(c1, buf, BUF_LEN, TRUE); contracts->add_contract(contracts, c1); - + /* received contract request for msg_type1 as responder */ cx = contracts->get_contract(contracts, msg_type1, FALSE, 2); ck_assert(cx == NULL); /* add directed contract as responder */ - c2 = seg_contract_create(msg_type1, max_attr_size, max_seg_size, + c2 = seg_contract_create(msg_type1, max_attr_size, max_seg_size, FALSE, 2, FALSE); c2->set_responder(c2, 1); c2->get_info_string(c2, buf, BUF_LEN, TRUE); @@ -685,7 +685,7 @@ START_TEST(test_imcv_seg_contract_mgr) ck_assert(cx == NULL); /* add directed contract as responder */ - c4 = seg_contract_create(msg_type2, max_attr_size, max_seg_size, + c4 = seg_contract_create(msg_type2, max_attr_size, max_seg_size, FALSE, 2, FALSE); c4->set_responder(c4, 1); contracts->add_contract(contracts, c4); diff --git a/src/libimcv/suites/test_imcv_swima.c b/src/libimcv/suites/test_imcv_swima.c index c54669d1d..a579f7378 100644 --- a/src/libimcv/suites/test_imcv_swima.c +++ b/src/libimcv/suites/test_imcv_swima.c @@ -124,7 +124,7 @@ static req_data_t req_data[] = { START_TEST(test_imcv_swima_sw_req) { pen_type_t type; - pen_type_t pen_type = { PEN_IETF, IETF_ATTR_SW_REQUEST }; + pen_type_t pen_type = { PEN_IETF, IETF_ATTR_SWIMA_REQUEST }; pa_tnc_attr_t *attr, *attr1, *attr2; ietf_swima_attr_req_t *c_attr; swima_record_t *target; diff --git a/src/libimcv/swid_gen/swid_gen.h b/src/libimcv/swid_gen/swid_gen.h index c143f292d..3a69b984a 100644 --- a/src/libimcv/swid_gen/swid_gen.h +++ b/src/libimcv/swid_gen/swid_gen.h @@ -44,7 +44,7 @@ struct swid_gen_t { char *version, bool full, bool pretty); /** - * Generate a SWID tag + * Generate SWID tags or software identifiers for all installed packages * * @param sw_id_only Return software identifier only * @param full Generate full SWID tags with file information diff --git a/src/libimcv/swima/swima_error.c b/src/libimcv/swima/swima_error.c index 2aed2966b..bce4645f0 100644 --- a/src/libimcv/swima/swima_error.c +++ b/src/libimcv/swima/swima_error.c @@ -59,7 +59,7 @@ pa_tnc_attr_t* swima_error_create(pa_tnc_error_code_t code, uint32_t request_id, writer = bio_writer_create(4); writer->write_uint32(writer, request_id); - if (code == PA_ERROR_SW_RESPONSE_TOO_LARGE) + if (code == PA_ERROR_SWIMA_RESPONSE_TOO_LARGE) { writer->write_uint32(writer, max_attr_size); } diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in index e4f0c4411..834be0eeb 100644 --- a/src/libipsec/Makefile.in +++ b/src/libipsec/Makefile.in @@ -287,9 +287,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libipsec/ip_packet.c b/src/libipsec/ip_packet.c index 78b4c407a..904f118fd 100644 --- a/src/libipsec/ip_packet.c +++ b/src/libipsec/ip_packet.c @@ -52,7 +52,15 @@ struct ip6_hdr { uint8_t ip6_hlim; struct in6_addr ip6_src, ip6_dst; } __attribute__((packed)); -#define HAVE_NETINET_IP6_H /* not really, but we only need the struct above */ +struct ip6_ext { + uint8_t ip6e_nxt; + uint8_t ip6e_len; +} __attribute__((packed)); +#define HAVE_NETINET_IP6_H /* not really, but we only need the structs above */ +#endif + +#ifndef IP_OFFMASK +#define IP_OFFMASK 0x1fff #endif /** @@ -219,6 +227,56 @@ static bool parse_transport_header(chunk_t packet, uint8_t proto, return TRUE; } +#ifdef HAVE_NETINET_IP6_H +/** + * Skip to the actual payload and parse the transport header. + */ +static bool parse_transport_header_v6(struct ip6_hdr *ip, chunk_t packet, + chunk_t *payload, uint8_t *proto, + uint16_t *sport, uint16_t *dport) +{ + struct ip6_ext *ext; + bool fragment = FALSE; + + *proto = ip->ip6_nxt; + *payload = chunk_skip(packet, 40); + while (payload->len >= sizeof(struct ip6_ext)) + { + switch (*proto) + { + case 44: /* Fragment Header */ + fragment = TRUE; + /* skip the header */ + case 0: /* Hop-by-Hop Options Header */ + case 43: /* Routing Header */ + case 60: /* Destination Options Header */ + case 135: /* Mobility Header */ + case 139: /* HIP */ + case 140: /* Shim6 */ + /* simply skip over these headers for now */ + ext = (struct ip6_ext*)payload->ptr; + *proto = ext->ip6e_nxt; + *payload = chunk_skip(*payload, 8 * (ext->ip6e_len + 1)); + continue; + default: + /* assume anything else is an upper layer protocol but only + * attempt to parse the transport header for non-fragmented + * packets as there is no guarantee that initial fragments + * contain the transport header, depending on the number and + * type of extension headers */ + if (!fragment && + !parse_transport_header(*payload, *proto, sport, dport)) + { + return FALSE; + } + break; + } + break; + } + return TRUE; +} +#endif /* HAVE_NETINET_IP6_H */ + /** * Described in header. */ @@ -253,7 +311,8 @@ ip_packet_t *ip_packet_create(chunk_t packet) /* remove any RFC 4303 TFC extra padding */ packet.len = min(packet.len, untoh16(&ip->ip_len)); payload = chunk_skip(packet, ip->ip_hl * 4); - if (!parse_transport_header(payload, ip->ip_p, &sport, &dport)) + if ((ip->ip_off & htons(IP_OFFMASK)) == 0 && + !parse_transport_header(payload, ip->ip_p, &sport, &dport)) { goto failed; } @@ -277,10 +336,8 @@ ip_packet_t *ip_packet_create(chunk_t packet) ip = (struct ip6_hdr*)packet.ptr; /* remove any RFC 4303 TFC extra padding */ packet.len = min(packet.len, 40 + untoh16(&ip->ip6_plen)); - /* we only handle packets without extension headers, just skip the - * basic IPv6 header */ - payload = chunk_skip(packet, 40); - if (!parse_transport_header(payload, ip->ip6_nxt, &sport, &dport)) + if (!parse_transport_header_v6(ip, packet, &payload, &next_header, + &sport, &dport)) { goto failed; } @@ -288,7 +345,6 @@ ip_packet_t *ip_packet_create(chunk_t packet) chunk_from_thing(ip->ip6_src), sport); dst = host_create_from_chunk(AF_INET6, chunk_from_thing(ip->ip6_dst), dport); - next_header = ip->ip6_nxt; break; } #endif /* HAVE_NETINET_IP6_H */ diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c index 957d930f2..44d35244a 100644 --- a/src/libipsec/ipsec_sa_mgr.c +++ b/src/libipsec/ipsec_sa_mgr.c @@ -107,6 +107,11 @@ typedef struct { ipsec_sa_entry_t *entry; /** + * SPI of the expired entry + */ + uint32_t spi; + + /** * 0 if this is a hard expire, otherwise the offset in s (soft->hard) */ uint32_t hard_offset; @@ -314,8 +319,9 @@ static job_requeue_t sa_expired(ipsec_sa_expired_t *expired) private_ipsec_sa_mgr_t *this = expired->manager; this->mutex->lock(this->mutex); - if (this->sas->find_first(this->sas, NULL, (void**)&expired->entry)) - { + if (this->sas->find_first(this->sas, NULL, (void**)&expired->entry) && + expired->spi == expired->entry->sa->get_spi(expired->entry->sa)) + { /* only if we find the right SA at this pointer location */ uint32_t hard_offset; hard_offset = expired->hard_offset; @@ -355,6 +361,7 @@ static void schedule_expiration(private_ipsec_sa_mgr_t *this, INIT(expired, .manager = this, .entry = entry, + .spi = entry->sa->get_spi(entry->sa), ); /* schedule a rekey first, a hard timeout will be scheduled then, if any */ diff --git a/src/libipsec/tests/Makefile.in b/src/libipsec/tests/Makefile.in index 5b6c53075..ab5af4634 100644 --- a/src/libipsec/tests/Makefile.in +++ b/src/libipsec/tests/Makefile.in @@ -240,9 +240,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in index 0185a3961..c0119f12b 100644 --- a/src/libpttls/Makefile.in +++ b/src/libpttls/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in index 794b4b447..4e5936ffc 100644 --- a/src/libradius/Makefile.in +++ b/src/libradius/Makefile.in @@ -240,9 +240,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in index df1da70f4..edd978d78 100644 --- a/src/libsimaka/Makefile.in +++ b/src/libsimaka/Makefile.in @@ -243,9 +243,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk index afca13428..0247add96 100644 --- a/src/libstrongswan/Android.mk +++ b/src/libstrongswan/Android.mk @@ -20,6 +20,7 @@ crypto/xofs/xof.c crypto/xofs/xof_bitspender.c \ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ credentials/keys/public_key.c credentials/keys/shared_key.c \ +credentials/keys/signature_params.c \ credentials/certificates/certificate.c credentials/certificates/crl.c \ credentials/certificates/ocsp_response.c credentials/certificates/x509.c \ credentials/certificates/certificate_printer.c \ diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index b4d8452f1..a9759aeee 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -18,6 +18,7 @@ crypto/xofs/xof.c crypto/xofs/xof_bitspender.c \ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ credentials/keys/public_key.c credentials/keys/shared_key.c \ +credentials/keys/signature_params.c \ credentials/certificates/certificate.c credentials/certificates/crl.c \ credentials/certificates/ocsp_response.c credentials/certificates/x509.c \ credentials/certificates/certificate_printer.c \ @@ -79,6 +80,7 @@ crypto/xofs/xof.h crypto/xofs/xof_bitspender.h crypto/xofs/mgf1.h \ credentials/credential_factory.h credentials/builder.h \ credentials/cred_encoding.h credentials/keys/private_key.h \ credentials/keys/public_key.h credentials/keys/shared_key.h \ +credentials/keys/signature_params.h \ credentials/certificates/certificate.h credentials/certificates/x509.h \ credentials/certificates/ac.h credentials/certificates/crl.h \ credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \ @@ -96,6 +98,7 @@ fetcher/fetcher_manager.h eap/eap.h pen/pen.h ipsec/ipsec_types.h \ networking/host.h networking/host_resolver.h networking/packet.h \ networking/tun_device.h networking/streams/stream.h \ networking/streams/stream_unix.h networking/streams/stream_service_unix.h \ +networking/streams/stream_service_systemd.h \ networking/streams/stream_tcp.h networking/streams/stream_service_tcp.h \ networking/streams/stream_service.h networking/streams/stream_manager.h \ resolver/resolver.h resolver/resolver_response.h resolver/rr_set.h \ @@ -192,19 +195,28 @@ if USE_LIBCAP libstrongswan_la_LIBADD += -lcap endif +if USE_SYSTEMD + AM_CPPFLAGS += $(systemd_CFLAGS) -DUSE_SYSTEMD + libstrongswan_la_SOURCES += networking/streams/stream_service_systemd.c + libstrongswan_la_LIBADD += $(systemd_LIBS) +endif + EXTRA_DIST = \ asn1/oid.txt asn1/oid.pl \ crypto/proposal/proposal_keywords_static.txt \ +crypto/proposal/proposal_keywords_static.h.in \ plugins/plugin_constructors.py \ Android.mk BUILT_SOURCES = \ $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \ +$(srcdir)/crypto/proposal/proposal_keywords_static.h \ $(srcdir)/crypto/proposal/proposal_keywords_static.c \ settings/settings_parser.h MAINTAINERCLEANFILES = \ $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \ +$(srcdir)/crypto/proposal/proposal_keywords_static.h \ $(srcdir)/crypto/proposal/proposal_keywords_static.c $(srcdir)/asn1/oid.c : $(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt @@ -215,6 +227,12 @@ $(srcdir)/asn1/oid.h : $(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt $(AM_V_GEN) \ (cd $(srcdir)/asn1/ && $(PERL) oid.pl) +$(srcdir)/crypto/proposal/proposal_keywords_static.h: $(srcdir)/crypto/proposal/proposal_keywords_static.h.in + $(AM_V_GEN) \ + sed \ + -e "s:\@GPERF_LEN_TYPE\@:$(GPERF_LEN_TYPE):" \ + $< > $@ + $(srcdir)/crypto/proposal/proposal_keywords_static.c: $(srcdir)/crypto/proposal/proposal_keywords_static.txt \ $(srcdir)/crypto/proposal/proposal_keywords_static.h $(AM_V_GEN) \ diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index 16e585654..356670dad 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -123,129 +123,132 @@ host_triplet = @host@ @USE_BUILTIN_PRINTF_TRUE@am__append_15 = -lm @USE_BUILTIN_PRINTF_FALSE@@USE_VSTR_FALSE@am__append_16 = utils/printf_hook/printf_hook_glibc.c @USE_LIBCAP_TRUE@am__append_17 = -lcap -@STATIC_PLUGIN_CONSTRUCTORS_TRUE@am__append_18 = $(srcdir)/plugin_constructors.c +@USE_SYSTEMD_TRUE@am__append_18 = $(systemd_CFLAGS) -DUSE_SYSTEMD +@USE_SYSTEMD_TRUE@am__append_19 = networking/streams/stream_service_systemd.c +@USE_SYSTEMD_TRUE@am__append_20 = $(systemd_LIBS) +@STATIC_PLUGIN_CONSTRUCTORS_TRUE@am__append_21 = $(srcdir)/plugin_constructors.c # build libnttfft used by some plugins ###################################### -@USE_LIBNTTFFT_TRUE@am__append_19 = math/libnttfft +@USE_LIBNTTFFT_TRUE@am__append_22 = math/libnttfft # build plugins with their own Makefile ####################################### -@USE_AF_ALG_TRUE@am__append_20 = plugins/af_alg -@MONOLITHIC_TRUE@@USE_AF_ALG_TRUE@am__append_21 = plugins/af_alg/libstrongswan-af-alg.la -@USE_AES_TRUE@am__append_22 = plugins/aes -@MONOLITHIC_TRUE@@USE_AES_TRUE@am__append_23 = plugins/aes/libstrongswan-aes.la -@USE_DES_TRUE@am__append_24 = plugins/des -@MONOLITHIC_TRUE@@USE_DES_TRUE@am__append_25 = plugins/des/libstrongswan-des.la -@USE_BLOWFISH_TRUE@am__append_26 = plugins/blowfish -@MONOLITHIC_TRUE@@USE_BLOWFISH_TRUE@am__append_27 = plugins/blowfish/libstrongswan-blowfish.la -@USE_RC2_TRUE@am__append_28 = plugins/rc2 -@MONOLITHIC_TRUE@@USE_RC2_TRUE@am__append_29 = plugins/rc2/libstrongswan-rc2.la -@USE_MD4_TRUE@am__append_30 = plugins/md4 -@MONOLITHIC_TRUE@@USE_MD4_TRUE@am__append_31 = plugins/md4/libstrongswan-md4.la -@USE_MD5_TRUE@am__append_32 = plugins/md5 -@MONOLITHIC_TRUE@@USE_MD5_TRUE@am__append_33 = plugins/md5/libstrongswan-md5.la -@USE_SHA1_TRUE@am__append_34 = plugins/sha1 -@MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_35 = plugins/sha1/libstrongswan-sha1.la -@USE_SHA2_TRUE@am__append_36 = plugins/sha2 -@MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_37 = plugins/sha2/libstrongswan-sha2.la -@USE_SHA3_TRUE@am__append_38 = plugins/sha3 -@MONOLITHIC_TRUE@@USE_SHA3_TRUE@am__append_39 = plugins/sha3/libstrongswan-sha3.la -@USE_GMP_TRUE@am__append_40 = plugins/gmp -@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_41 = plugins/gmp/libstrongswan-gmp.la -@USE_CURVE25519_TRUE@am__append_42 = plugins/curve25519 -@MONOLITHIC_TRUE@@USE_CURVE25519_TRUE@am__append_43 = plugins/curve25519/libstrongswan-curve25519.la -@USE_RDRAND_TRUE@am__append_44 = plugins/rdrand -@MONOLITHIC_TRUE@@USE_RDRAND_TRUE@am__append_45 = plugins/rdrand/libstrongswan-rdrand.la -@USE_AESNI_TRUE@am__append_46 = plugins/aesni -@MONOLITHIC_TRUE@@USE_AESNI_TRUE@am__append_47 = plugins/aesni/libstrongswan-aesni.la -@USE_RANDOM_TRUE@am__append_48 = plugins/random -@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_49 = plugins/random/libstrongswan-random.la -@USE_NONCE_TRUE@am__append_50 = plugins/nonce -@MONOLITHIC_TRUE@@USE_NONCE_TRUE@am__append_51 = plugins/nonce/libstrongswan-nonce.la -@USE_HMAC_TRUE@am__append_52 = plugins/hmac -@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_53 = plugins/hmac/libstrongswan-hmac.la -@USE_CMAC_TRUE@am__append_54 = plugins/cmac -@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_55 = plugins/cmac/libstrongswan-cmac.la -@USE_XCBC_TRUE@am__append_56 = plugins/xcbc -@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_57 = plugins/xcbc/libstrongswan-xcbc.la -@USE_X509_TRUE@am__append_58 = plugins/x509 -@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_59 = plugins/x509/libstrongswan-x509.la -@USE_REVOCATION_TRUE@am__append_60 = plugins/revocation -@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_61 = plugins/revocation/libstrongswan-revocation.la -@USE_CONSTRAINTS_TRUE@am__append_62 = plugins/constraints -@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_63 = plugins/constraints/libstrongswan-constraints.la -@USE_ACERT_TRUE@am__append_64 = plugins/acert -@MONOLITHIC_TRUE@@USE_ACERT_TRUE@am__append_65 = plugins/acert/libstrongswan-acert.la -@USE_PUBKEY_TRUE@am__append_66 = plugins/pubkey -@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_67 = plugins/pubkey/libstrongswan-pubkey.la -@USE_PKCS1_TRUE@am__append_68 = plugins/pkcs1 -@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_69 = plugins/pkcs1/libstrongswan-pkcs1.la -@USE_PKCS7_TRUE@am__append_70 = plugins/pkcs7 -@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_71 = plugins/pkcs7/libstrongswan-pkcs7.la -@USE_PKCS8_TRUE@am__append_72 = plugins/pkcs8 -@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_73 = plugins/pkcs8/libstrongswan-pkcs8.la -@USE_PKCS12_TRUE@am__append_74 = plugins/pkcs12 -@MONOLITHIC_TRUE@@USE_PKCS12_TRUE@am__append_75 = plugins/pkcs12/libstrongswan-pkcs12.la -@USE_PGP_TRUE@am__append_76 = plugins/pgp -@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_77 = plugins/pgp/libstrongswan-pgp.la -@USE_DNSKEY_TRUE@am__append_78 = plugins/dnskey -@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_79 = plugins/dnskey/libstrongswan-dnskey.la -@USE_SSHKEY_TRUE@am__append_80 = plugins/sshkey -@MONOLITHIC_TRUE@@USE_SSHKEY_TRUE@am__append_81 = plugins/sshkey/libstrongswan-sshkey.la -@USE_PEM_TRUE@am__append_82 = plugins/pem -@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_83 = plugins/pem/libstrongswan-pem.la -@USE_CURL_TRUE@am__append_84 = plugins/curl -@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_85 = plugins/curl/libstrongswan-curl.la -@USE_FILES_TRUE@am__append_86 = plugins/files -@MONOLITHIC_TRUE@@USE_FILES_TRUE@am__append_87 = plugins/files/libstrongswan-files.la -@USE_WINHTTP_TRUE@am__append_88 = plugins/winhttp -@MONOLITHIC_TRUE@@USE_WINHTTP_TRUE@am__append_89 = plugins/winhttp/libstrongswan-winhttp.la -@USE_UNBOUND_TRUE@am__append_90 = plugins/unbound -@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_91 = plugins/unbound/libstrongswan-unbound.la -@USE_SOUP_TRUE@am__append_92 = plugins/soup -@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_93 = plugins/soup/libstrongswan-soup.la -@USE_LDAP_TRUE@am__append_94 = plugins/ldap -@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_95 = plugins/ldap/libstrongswan-ldap.la -@USE_MYSQL_TRUE@am__append_96 = plugins/mysql -@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_97 = plugins/mysql/libstrongswan-mysql.la -@USE_SQLITE_TRUE@am__append_98 = plugins/sqlite -@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_99 = plugins/sqlite/libstrongswan-sqlite.la -@USE_PADLOCK_TRUE@am__append_100 = plugins/padlock -@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_101 = plugins/padlock/libstrongswan-padlock.la -@USE_OPENSSL_TRUE@am__append_102 = plugins/openssl -@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_103 = plugins/openssl/libstrongswan-openssl.la -@USE_GCRYPT_TRUE@am__append_104 = plugins/gcrypt -@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_105 = plugins/gcrypt/libstrongswan-gcrypt.la -@USE_FIPS_PRF_TRUE@am__append_106 = plugins/fips_prf -@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_107 = plugins/fips_prf/libstrongswan-fips-prf.la -@USE_AGENT_TRUE@am__append_108 = plugins/agent -@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_109 = plugins/agent/libstrongswan-agent.la -@USE_KEYCHAIN_TRUE@am__append_110 = plugins/keychain -@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_111 = plugins/keychain/libstrongswan-keychain.la -@USE_PKCS11_TRUE@am__append_112 = plugins/pkcs11 -@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_113 = plugins/pkcs11/libstrongswan-pkcs11.la -@USE_CHAPOLY_TRUE@am__append_114 = plugins/chapoly -@MONOLITHIC_TRUE@@USE_CHAPOLY_TRUE@am__append_115 = plugins/chapoly/libstrongswan-chapoly.la -@USE_CTR_TRUE@am__append_116 = plugins/ctr -@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_117 = plugins/ctr/libstrongswan-ctr.la -@USE_CCM_TRUE@am__append_118 = plugins/ccm -@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_119 = plugins/ccm/libstrongswan-ccm.la -@USE_GCM_TRUE@am__append_120 = plugins/gcm -@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_121 = plugins/gcm/libstrongswan-gcm.la -@USE_MGF1_TRUE@am__append_122 = plugins/mgf1 -@MONOLITHIC_TRUE@@USE_MGF1_TRUE@am__append_123 = plugins/mgf1/libstrongswan-mgf1.la -@USE_NTRU_TRUE@am__append_124 = plugins/ntru -@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_125 = plugins/ntru/libstrongswan-ntru.la -@USE_BLISS_TRUE@am__append_126 = plugins/bliss -@MONOLITHIC_TRUE@@USE_BLISS_TRUE@am__append_127 = plugins/bliss/libstrongswan-bliss.la -@USE_NEWHOPE_TRUE@am__append_128 = plugins/newhope -@MONOLITHIC_TRUE@@USE_NEWHOPE_TRUE@am__append_129 = plugins/newhope/libstrongswan-newhope.la -@USE_TEST_VECTORS_TRUE@am__append_130 = plugins/test_vectors -@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_131 = plugins/test_vectors/libstrongswan-test-vectors.la -@USE_LIBNTTFFT_TRUE@am__append_132 = math/libnttfft/tests -@USE_BLISS_TRUE@am__append_133 = plugins/bliss/tests -@USE_NEWHOPE_TRUE@am__append_134 = plugins/newhope/tests +@USE_AF_ALG_TRUE@am__append_23 = plugins/af_alg +@MONOLITHIC_TRUE@@USE_AF_ALG_TRUE@am__append_24 = plugins/af_alg/libstrongswan-af-alg.la +@USE_AES_TRUE@am__append_25 = plugins/aes +@MONOLITHIC_TRUE@@USE_AES_TRUE@am__append_26 = plugins/aes/libstrongswan-aes.la +@USE_DES_TRUE@am__append_27 = plugins/des +@MONOLITHIC_TRUE@@USE_DES_TRUE@am__append_28 = plugins/des/libstrongswan-des.la +@USE_BLOWFISH_TRUE@am__append_29 = plugins/blowfish +@MONOLITHIC_TRUE@@USE_BLOWFISH_TRUE@am__append_30 = plugins/blowfish/libstrongswan-blowfish.la +@USE_RC2_TRUE@am__append_31 = plugins/rc2 +@MONOLITHIC_TRUE@@USE_RC2_TRUE@am__append_32 = plugins/rc2/libstrongswan-rc2.la +@USE_MD4_TRUE@am__append_33 = plugins/md4 +@MONOLITHIC_TRUE@@USE_MD4_TRUE@am__append_34 = plugins/md4/libstrongswan-md4.la +@USE_MD5_TRUE@am__append_35 = plugins/md5 +@MONOLITHIC_TRUE@@USE_MD5_TRUE@am__append_36 = plugins/md5/libstrongswan-md5.la +@USE_SHA1_TRUE@am__append_37 = plugins/sha1 +@MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_38 = plugins/sha1/libstrongswan-sha1.la +@USE_SHA2_TRUE@am__append_39 = plugins/sha2 +@MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_40 = plugins/sha2/libstrongswan-sha2.la +@USE_SHA3_TRUE@am__append_41 = plugins/sha3 +@MONOLITHIC_TRUE@@USE_SHA3_TRUE@am__append_42 = plugins/sha3/libstrongswan-sha3.la +@USE_GMP_TRUE@am__append_43 = plugins/gmp +@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_44 = plugins/gmp/libstrongswan-gmp.la +@USE_CURVE25519_TRUE@am__append_45 = plugins/curve25519 +@MONOLITHIC_TRUE@@USE_CURVE25519_TRUE@am__append_46 = plugins/curve25519/libstrongswan-curve25519.la +@USE_RDRAND_TRUE@am__append_47 = plugins/rdrand +@MONOLITHIC_TRUE@@USE_RDRAND_TRUE@am__append_48 = plugins/rdrand/libstrongswan-rdrand.la +@USE_AESNI_TRUE@am__append_49 = plugins/aesni +@MONOLITHIC_TRUE@@USE_AESNI_TRUE@am__append_50 = plugins/aesni/libstrongswan-aesni.la +@USE_RANDOM_TRUE@am__append_51 = plugins/random +@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_52 = plugins/random/libstrongswan-random.la +@USE_NONCE_TRUE@am__append_53 = plugins/nonce +@MONOLITHIC_TRUE@@USE_NONCE_TRUE@am__append_54 = plugins/nonce/libstrongswan-nonce.la +@USE_HMAC_TRUE@am__append_55 = plugins/hmac +@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_56 = plugins/hmac/libstrongswan-hmac.la +@USE_CMAC_TRUE@am__append_57 = plugins/cmac +@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_58 = plugins/cmac/libstrongswan-cmac.la +@USE_XCBC_TRUE@am__append_59 = plugins/xcbc +@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_60 = plugins/xcbc/libstrongswan-xcbc.la +@USE_X509_TRUE@am__append_61 = plugins/x509 +@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_62 = plugins/x509/libstrongswan-x509.la +@USE_REVOCATION_TRUE@am__append_63 = plugins/revocation +@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_64 = plugins/revocation/libstrongswan-revocation.la +@USE_CONSTRAINTS_TRUE@am__append_65 = plugins/constraints +@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_66 = plugins/constraints/libstrongswan-constraints.la +@USE_ACERT_TRUE@am__append_67 = plugins/acert +@MONOLITHIC_TRUE@@USE_ACERT_TRUE@am__append_68 = plugins/acert/libstrongswan-acert.la +@USE_PUBKEY_TRUE@am__append_69 = plugins/pubkey +@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_70 = plugins/pubkey/libstrongswan-pubkey.la +@USE_PKCS1_TRUE@am__append_71 = plugins/pkcs1 +@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_72 = plugins/pkcs1/libstrongswan-pkcs1.la +@USE_PKCS7_TRUE@am__append_73 = plugins/pkcs7 +@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_74 = plugins/pkcs7/libstrongswan-pkcs7.la +@USE_PKCS8_TRUE@am__append_75 = plugins/pkcs8 +@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_76 = plugins/pkcs8/libstrongswan-pkcs8.la +@USE_PKCS12_TRUE@am__append_77 = plugins/pkcs12 +@MONOLITHIC_TRUE@@USE_PKCS12_TRUE@am__append_78 = plugins/pkcs12/libstrongswan-pkcs12.la +@USE_PGP_TRUE@am__append_79 = plugins/pgp +@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_80 = plugins/pgp/libstrongswan-pgp.la +@USE_DNSKEY_TRUE@am__append_81 = plugins/dnskey +@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_82 = plugins/dnskey/libstrongswan-dnskey.la +@USE_SSHKEY_TRUE@am__append_83 = plugins/sshkey +@MONOLITHIC_TRUE@@USE_SSHKEY_TRUE@am__append_84 = plugins/sshkey/libstrongswan-sshkey.la +@USE_PEM_TRUE@am__append_85 = plugins/pem +@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_86 = plugins/pem/libstrongswan-pem.la +@USE_CURL_TRUE@am__append_87 = plugins/curl +@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_88 = plugins/curl/libstrongswan-curl.la +@USE_FILES_TRUE@am__append_89 = plugins/files +@MONOLITHIC_TRUE@@USE_FILES_TRUE@am__append_90 = plugins/files/libstrongswan-files.la +@USE_WINHTTP_TRUE@am__append_91 = plugins/winhttp +@MONOLITHIC_TRUE@@USE_WINHTTP_TRUE@am__append_92 = plugins/winhttp/libstrongswan-winhttp.la +@USE_UNBOUND_TRUE@am__append_93 = plugins/unbound +@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_94 = plugins/unbound/libstrongswan-unbound.la +@USE_SOUP_TRUE@am__append_95 = plugins/soup +@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_96 = plugins/soup/libstrongswan-soup.la +@USE_LDAP_TRUE@am__append_97 = plugins/ldap +@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_98 = plugins/ldap/libstrongswan-ldap.la +@USE_MYSQL_TRUE@am__append_99 = plugins/mysql +@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_100 = plugins/mysql/libstrongswan-mysql.la +@USE_SQLITE_TRUE@am__append_101 = plugins/sqlite +@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_102 = plugins/sqlite/libstrongswan-sqlite.la +@USE_PADLOCK_TRUE@am__append_103 = plugins/padlock +@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_104 = plugins/padlock/libstrongswan-padlock.la +@USE_OPENSSL_TRUE@am__append_105 = plugins/openssl +@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_106 = plugins/openssl/libstrongswan-openssl.la +@USE_GCRYPT_TRUE@am__append_107 = plugins/gcrypt +@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_108 = plugins/gcrypt/libstrongswan-gcrypt.la +@USE_FIPS_PRF_TRUE@am__append_109 = plugins/fips_prf +@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_110 = plugins/fips_prf/libstrongswan-fips-prf.la +@USE_AGENT_TRUE@am__append_111 = plugins/agent +@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_112 = plugins/agent/libstrongswan-agent.la +@USE_KEYCHAIN_TRUE@am__append_113 = plugins/keychain +@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_114 = plugins/keychain/libstrongswan-keychain.la +@USE_PKCS11_TRUE@am__append_115 = plugins/pkcs11 +@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_116 = plugins/pkcs11/libstrongswan-pkcs11.la +@USE_CHAPOLY_TRUE@am__append_117 = plugins/chapoly +@MONOLITHIC_TRUE@@USE_CHAPOLY_TRUE@am__append_118 = plugins/chapoly/libstrongswan-chapoly.la +@USE_CTR_TRUE@am__append_119 = plugins/ctr +@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_120 = plugins/ctr/libstrongswan-ctr.la +@USE_CCM_TRUE@am__append_121 = plugins/ccm +@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_122 = plugins/ccm/libstrongswan-ccm.la +@USE_GCM_TRUE@am__append_123 = plugins/gcm +@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_124 = plugins/gcm/libstrongswan-gcm.la +@USE_MGF1_TRUE@am__append_125 = plugins/mgf1 +@MONOLITHIC_TRUE@@USE_MGF1_TRUE@am__append_126 = plugins/mgf1/libstrongswan-mgf1.la +@USE_NTRU_TRUE@am__append_127 = plugins/ntru +@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_128 = plugins/ntru/libstrongswan-ntru.la +@USE_BLISS_TRUE@am__append_129 = plugins/bliss +@MONOLITHIC_TRUE@@USE_BLISS_TRUE@am__append_130 = plugins/bliss/libstrongswan-bliss.la +@USE_NEWHOPE_TRUE@am__append_131 = plugins/newhope +@MONOLITHIC_TRUE@@USE_NEWHOPE_TRUE@am__append_132 = plugins/newhope/libstrongswan-newhope.la +@USE_TEST_VECTORS_TRUE@am__append_133 = plugins/test_vectors +@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_134 = plugins/test_vectors/libstrongswan-test-vectors.la +@USE_LIBNTTFFT_TRUE@am__append_135 = math/libnttfft/tests +@USE_BLISS_TRUE@am__append_136 = plugins/bliss/tests +@USE_NEWHOPE_TRUE@am__append_137 = plugins/newhope/tests subdir = src/libstrongswan ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -299,32 +302,33 @@ am__installdirs = "$(DESTDIR)$(ipseclibdir)" \ LTLIBRARIES = $(ipseclib_LTLIBRARIES) am__DEPENDENCIES_1 = @USE_WINDOWS_FALSE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1) +@USE_SYSTEMD_TRUE@am__DEPENDENCIES_3 = $(am__DEPENDENCIES_1) libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_21) \ - $(am__append_23) $(am__append_25) $(am__append_27) \ - $(am__append_29) $(am__append_31) $(am__append_33) \ - $(am__append_35) $(am__append_37) $(am__append_39) \ - $(am__append_41) $(am__append_43) $(am__append_45) \ - $(am__append_47) $(am__append_49) $(am__append_51) \ - $(am__append_53) $(am__append_55) $(am__append_57) \ - $(am__append_59) $(am__append_61) $(am__append_63) \ - $(am__append_65) $(am__append_67) $(am__append_69) \ - $(am__append_71) $(am__append_73) $(am__append_75) \ - $(am__append_77) $(am__append_79) $(am__append_81) \ - $(am__append_83) $(am__append_85) $(am__append_87) \ - $(am__append_89) $(am__append_91) $(am__append_93) \ - $(am__append_95) $(am__append_97) $(am__append_99) \ - $(am__append_101) $(am__append_103) $(am__append_105) \ - $(am__append_107) $(am__append_109) $(am__append_111) \ - $(am__append_113) $(am__append_115) $(am__append_117) \ - $(am__append_119) $(am__append_121) $(am__append_123) \ - $(am__append_125) $(am__append_127) $(am__append_129) \ - $(am__append_131) + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_3) $(am__append_24) $(am__append_26) \ + $(am__append_28) $(am__append_30) $(am__append_32) \ + $(am__append_34) $(am__append_36) $(am__append_38) \ + $(am__append_40) $(am__append_42) $(am__append_44) \ + $(am__append_46) $(am__append_48) $(am__append_50) \ + $(am__append_52) $(am__append_54) $(am__append_56) \ + $(am__append_58) $(am__append_60) $(am__append_62) \ + $(am__append_64) $(am__append_66) $(am__append_68) \ + $(am__append_70) $(am__append_72) $(am__append_74) \ + $(am__append_76) $(am__append_78) $(am__append_80) \ + $(am__append_82) $(am__append_84) $(am__append_86) \ + $(am__append_88) $(am__append_90) $(am__append_92) \ + $(am__append_94) $(am__append_96) $(am__append_98) \ + $(am__append_100) $(am__append_102) $(am__append_104) \ + $(am__append_106) $(am__append_108) $(am__append_110) \ + $(am__append_112) $(am__append_114) $(am__append_116) \ + $(am__append_118) $(am__append_120) $(am__append_122) \ + $(am__append_124) $(am__append_126) $(am__append_128) \ + $(am__append_130) $(am__append_132) $(am__append_134) am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \ bio/bio_writer.c collections/blocking_queue.c \ @@ -344,6 +348,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ credentials/keys/public_key.c credentials/keys/shared_key.c \ + credentials/keys/signature_params.c \ credentials/certificates/certificate.c \ credentials/certificates/crl.c \ credentials/certificates/ocsp_response.c \ @@ -390,7 +395,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ utils/compat/windows.c utils/leak_detective.c \ utils/integrity_checker.c utils/printf_hook/printf_hook_vstr.c \ utils/printf_hook/printf_hook_builtin.c \ - utils/printf_hook/printf_hook_glibc.c + utils/printf_hook/printf_hook_glibc.c \ + networking/streams/stream_service_systemd.c am__dirstamp = $(am__leading_dot)dirstamp @USE_WINDOWS_FALSE@am__objects_1 = threading/thread.lo \ @USE_WINDOWS_FALSE@ threading/thread_value.lo \ @@ -411,6 +417,7 @@ am__dirstamp = $(am__leading_dot)dirstamp @USE_VSTR_TRUE@am__objects_5 = utils/printf_hook/printf_hook_vstr.lo @USE_BUILTIN_PRINTF_TRUE@am__objects_6 = utils/printf_hook/printf_hook_builtin.lo @USE_BUILTIN_PRINTF_FALSE@@USE_VSTR_FALSE@am__objects_7 = utils/printf_hook/printf_hook_glibc.lo +@USE_SYSTEMD_TRUE@am__objects_8 = networking/streams/stream_service_systemd.lo am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \ asn1/asn1_parser.lo asn1/oid.lo bio/bio_reader.lo \ bio/bio_writer.lo collections/blocking_queue.lo \ @@ -431,6 +438,7 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \ credentials/credential_factory.lo credentials/builder.lo \ credentials/cred_encoding.lo credentials/keys/private_key.lo \ credentials/keys/public_key.lo credentials/keys/shared_key.lo \ + credentials/keys/signature_params.lo \ credentials/certificates/certificate.lo \ credentials/certificates/crl.lo \ credentials/certificates/ocsp_response.lo \ @@ -469,7 +477,7 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \ utils/utils/status.lo utils/utils/time.lo utils/utils/align.lo \ $(am__objects_1) $(am__objects_2) $(am__objects_3) \ $(am__objects_4) $(am__objects_5) $(am__objects_6) \ - $(am__objects_7) + $(am__objects_7) $(am__objects_8) libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -561,6 +569,7 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \ credentials/credential_factory.h credentials/builder.h \ credentials/cred_encoding.h credentials/keys/private_key.h \ credentials/keys/public_key.h credentials/keys/shared_key.h \ + credentials/keys/signature_params.h \ credentials/certificates/certificate.h \ credentials/certificates/x509.h credentials/certificates/ac.h \ credentials/certificates/crl.h \ @@ -584,6 +593,7 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \ networking/tun_device.h networking/streams/stream.h \ networking/streams/stream_unix.h \ networking/streams/stream_service_unix.h \ + networking/streams/stream_service_systemd.h \ networking/streams/stream_tcp.h \ networking/streams/stream_service_tcp.h \ networking/streams/stream_service.h \ @@ -720,9 +730,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -942,6 +954,7 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ credentials/keys/public_key.c credentials/keys/shared_key.c \ + credentials/keys/signature_params.c \ credentials/certificates/certificate.c \ credentials/certificates/crl.c \ credentials/certificates/ocsp_response.c \ @@ -979,7 +992,7 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \ utils/utils/path.c utils/utils/status.c utils/utils/time.c \ utils/utils/align.c $(am__append_1) $(am__append_3) \ $(am__append_8) $(am__append_11) $(am__append_12) \ - $(am__append_14) $(am__append_16) + $(am__append_14) $(am__append_16) $(am__append_19) # private header files noinst_HEADERS = \ @@ -1003,6 +1016,7 @@ settings/settings_types.h @USE_DEV_HEADERS_TRUE@credentials/credential_factory.h credentials/builder.h \ @USE_DEV_HEADERS_TRUE@credentials/cred_encoding.h credentials/keys/private_key.h \ @USE_DEV_HEADERS_TRUE@credentials/keys/public_key.h credentials/keys/shared_key.h \ +@USE_DEV_HEADERS_TRUE@credentials/keys/signature_params.h \ @USE_DEV_HEADERS_TRUE@credentials/certificates/certificate.h credentials/certificates/x509.h \ @USE_DEV_HEADERS_TRUE@credentials/certificates/ac.h credentials/certificates/crl.h \ @USE_DEV_HEADERS_TRUE@credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \ @@ -1020,6 +1034,7 @@ settings/settings_types.h @USE_DEV_HEADERS_TRUE@networking/host.h networking/host_resolver.h networking/packet.h \ @USE_DEV_HEADERS_TRUE@networking/tun_device.h networking/streams/stream.h \ @USE_DEV_HEADERS_TRUE@networking/streams/stream_unix.h networking/streams/stream_service_unix.h \ +@USE_DEV_HEADERS_TRUE@networking/streams/stream_service_systemd.h \ @USE_DEV_HEADERS_TRUE@networking/streams/stream_tcp.h networking/streams/stream_service_tcp.h \ @USE_DEV_HEADERS_TRUE@networking/streams/stream_service.h networking/streams/stream_manager.h \ @USE_DEV_HEADERS_TRUE@resolver/resolver.h resolver/resolver_response.h resolver/rr_set.h \ @@ -1044,31 +1059,32 @@ settings/settings_types.h libstrongswan_la_LIBADD = $(DLLIB) $(ATOMICLIB) $(BTLIB) $(SOCKLIB) \ $(RTLIB) $(BFDLIB) $(UNWINDLIB) $(am__append_2) \ $(am__append_4) $(am__append_5) $(am__append_13) \ - $(am__append_15) $(am__append_17) $(am__append_21) \ - $(am__append_23) $(am__append_25) $(am__append_27) \ - $(am__append_29) $(am__append_31) $(am__append_33) \ - $(am__append_35) $(am__append_37) $(am__append_39) \ - $(am__append_41) $(am__append_43) $(am__append_45) \ - $(am__append_47) $(am__append_49) $(am__append_51) \ - $(am__append_53) $(am__append_55) $(am__append_57) \ - $(am__append_59) $(am__append_61) $(am__append_63) \ - $(am__append_65) $(am__append_67) $(am__append_69) \ - $(am__append_71) $(am__append_73) $(am__append_75) \ - $(am__append_77) $(am__append_79) $(am__append_81) \ - $(am__append_83) $(am__append_85) $(am__append_87) \ - $(am__append_89) $(am__append_91) $(am__append_93) \ - $(am__append_95) $(am__append_97) $(am__append_99) \ - $(am__append_101) $(am__append_103) $(am__append_105) \ - $(am__append_107) $(am__append_109) $(am__append_111) \ - $(am__append_113) $(am__append_115) $(am__append_117) \ - $(am__append_119) $(am__append_121) $(am__append_123) \ - $(am__append_125) $(am__append_127) $(am__append_129) \ - $(am__append_131) + $(am__append_15) $(am__append_17) $(am__append_20) \ + $(am__append_24) $(am__append_26) $(am__append_28) \ + $(am__append_30) $(am__append_32) $(am__append_34) \ + $(am__append_36) $(am__append_38) $(am__append_40) \ + $(am__append_42) $(am__append_44) $(am__append_46) \ + $(am__append_48) $(am__append_50) $(am__append_52) \ + $(am__append_54) $(am__append_56) $(am__append_58) \ + $(am__append_60) $(am__append_62) $(am__append_64) \ + $(am__append_66) $(am__append_68) $(am__append_70) \ + $(am__append_72) $(am__append_74) $(am__append_76) \ + $(am__append_78) $(am__append_80) $(am__append_82) \ + $(am__append_84) $(am__append_86) $(am__append_88) \ + $(am__append_90) $(am__append_92) $(am__append_94) \ + $(am__append_96) $(am__append_98) $(am__append_100) \ + $(am__append_102) $(am__append_104) $(am__append_106) \ + $(am__append_108) $(am__append_110) $(am__append_112) \ + $(am__append_114) $(am__append_116) $(am__append_118) \ + $(am__append_120) $(am__append_122) $(am__append_124) \ + $(am__append_126) $(am__append_128) $(am__append_130) \ + $(am__append_132) $(am__append_134) AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \ -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \ -DPLUGINDIR=\"${plugindir}\" \ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_6) \ - $(am__append_7) $(am__append_9) $(am__append_10) + $(am__append_7) $(am__append_9) $(am__append_10) \ + $(am__append_18) AM_CFLAGS = \ @COVERAGE_CFLAGS@ @@ -1079,83 +1095,86 @@ AM_YFLAGS = -v -d EXTRA_DIST = \ asn1/oid.txt asn1/oid.pl \ crypto/proposal/proposal_keywords_static.txt \ +crypto/proposal/proposal_keywords_static.h.in \ plugins/plugin_constructors.py \ Android.mk BUILT_SOURCES = $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \ + $(srcdir)/crypto/proposal/proposal_keywords_static.h \ $(srcdir)/crypto/proposal/proposal_keywords_static.c \ - settings/settings_parser.h $(am__append_18) + settings/settings_parser.h $(am__append_21) MAINTAINERCLEANFILES = \ $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \ +$(srcdir)/crypto/proposal/proposal_keywords_static.h \ $(srcdir)/crypto/proposal/proposal_keywords_static.c @STATIC_PLUGIN_CONSTRUCTORS_TRUE@CLEANFILES = $(srcdir)/plugin_constructors.c # build unit tests ################## -@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_19) $(am__append_20) \ -@MONOLITHIC_FALSE@ $(am__append_22) $(am__append_24) \ -@MONOLITHIC_FALSE@ $(am__append_26) $(am__append_28) \ -@MONOLITHIC_FALSE@ $(am__append_30) $(am__append_32) \ -@MONOLITHIC_FALSE@ $(am__append_34) $(am__append_36) \ -@MONOLITHIC_FALSE@ $(am__append_38) $(am__append_40) \ -@MONOLITHIC_FALSE@ $(am__append_42) $(am__append_44) \ -@MONOLITHIC_FALSE@ $(am__append_46) $(am__append_48) \ -@MONOLITHIC_FALSE@ $(am__append_50) $(am__append_52) \ -@MONOLITHIC_FALSE@ $(am__append_54) $(am__append_56) \ -@MONOLITHIC_FALSE@ $(am__append_58) $(am__append_60) \ -@MONOLITHIC_FALSE@ $(am__append_62) $(am__append_64) \ -@MONOLITHIC_FALSE@ $(am__append_66) $(am__append_68) \ -@MONOLITHIC_FALSE@ $(am__append_70) $(am__append_72) \ -@MONOLITHIC_FALSE@ $(am__append_74) $(am__append_76) \ -@MONOLITHIC_FALSE@ $(am__append_78) $(am__append_80) \ -@MONOLITHIC_FALSE@ $(am__append_82) $(am__append_84) \ -@MONOLITHIC_FALSE@ $(am__append_86) $(am__append_88) \ -@MONOLITHIC_FALSE@ $(am__append_90) $(am__append_92) \ -@MONOLITHIC_FALSE@ $(am__append_94) $(am__append_96) \ -@MONOLITHIC_FALSE@ $(am__append_98) $(am__append_100) \ -@MONOLITHIC_FALSE@ $(am__append_102) $(am__append_104) \ -@MONOLITHIC_FALSE@ $(am__append_106) $(am__append_108) \ -@MONOLITHIC_FALSE@ $(am__append_110) $(am__append_112) \ -@MONOLITHIC_FALSE@ $(am__append_114) $(am__append_116) \ -@MONOLITHIC_FALSE@ $(am__append_118) $(am__append_120) \ -@MONOLITHIC_FALSE@ $(am__append_122) $(am__append_124) \ -@MONOLITHIC_FALSE@ $(am__append_126) $(am__append_128) \ -@MONOLITHIC_FALSE@ $(am__append_130) tests $(am__append_132) \ -@MONOLITHIC_FALSE@ $(am__append_133) $(am__append_134) +@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_22) $(am__append_23) \ +@MONOLITHIC_FALSE@ $(am__append_25) $(am__append_27) \ +@MONOLITHIC_FALSE@ $(am__append_29) $(am__append_31) \ +@MONOLITHIC_FALSE@ $(am__append_33) $(am__append_35) \ +@MONOLITHIC_FALSE@ $(am__append_37) $(am__append_39) \ +@MONOLITHIC_FALSE@ $(am__append_41) $(am__append_43) \ +@MONOLITHIC_FALSE@ $(am__append_45) $(am__append_47) \ +@MONOLITHIC_FALSE@ $(am__append_49) $(am__append_51) \ +@MONOLITHIC_FALSE@ $(am__append_53) $(am__append_55) \ +@MONOLITHIC_FALSE@ $(am__append_57) $(am__append_59) \ +@MONOLITHIC_FALSE@ $(am__append_61) $(am__append_63) \ +@MONOLITHIC_FALSE@ $(am__append_65) $(am__append_67) \ +@MONOLITHIC_FALSE@ $(am__append_69) $(am__append_71) \ +@MONOLITHIC_FALSE@ $(am__append_73) $(am__append_75) \ +@MONOLITHIC_FALSE@ $(am__append_77) $(am__append_79) \ +@MONOLITHIC_FALSE@ $(am__append_81) $(am__append_83) \ +@MONOLITHIC_FALSE@ $(am__append_85) $(am__append_87) \ +@MONOLITHIC_FALSE@ $(am__append_89) $(am__append_91) \ +@MONOLITHIC_FALSE@ $(am__append_93) $(am__append_95) \ +@MONOLITHIC_FALSE@ $(am__append_97) $(am__append_99) \ +@MONOLITHIC_FALSE@ $(am__append_101) $(am__append_103) \ +@MONOLITHIC_FALSE@ $(am__append_105) $(am__append_107) \ +@MONOLITHIC_FALSE@ $(am__append_109) $(am__append_111) \ +@MONOLITHIC_FALSE@ $(am__append_113) $(am__append_115) \ +@MONOLITHIC_FALSE@ $(am__append_117) $(am__append_119) \ +@MONOLITHIC_FALSE@ $(am__append_121) $(am__append_123) \ +@MONOLITHIC_FALSE@ $(am__append_125) $(am__append_127) \ +@MONOLITHIC_FALSE@ $(am__append_129) $(am__append_131) \ +@MONOLITHIC_FALSE@ $(am__append_133) tests $(am__append_135) \ +@MONOLITHIC_FALSE@ $(am__append_136) $(am__append_137) # build unit tests ################## -@MONOLITHIC_TRUE@SUBDIRS = $(am__append_19) $(am__append_20) \ -@MONOLITHIC_TRUE@ $(am__append_22) $(am__append_24) \ -@MONOLITHIC_TRUE@ $(am__append_26) $(am__append_28) \ -@MONOLITHIC_TRUE@ $(am__append_30) $(am__append_32) \ -@MONOLITHIC_TRUE@ $(am__append_34) $(am__append_36) \ -@MONOLITHIC_TRUE@ $(am__append_38) $(am__append_40) \ -@MONOLITHIC_TRUE@ $(am__append_42) $(am__append_44) \ -@MONOLITHIC_TRUE@ $(am__append_46) $(am__append_48) \ -@MONOLITHIC_TRUE@ $(am__append_50) $(am__append_52) \ -@MONOLITHIC_TRUE@ $(am__append_54) $(am__append_56) \ -@MONOLITHIC_TRUE@ $(am__append_58) $(am__append_60) \ -@MONOLITHIC_TRUE@ $(am__append_62) $(am__append_64) \ -@MONOLITHIC_TRUE@ $(am__append_66) $(am__append_68) \ -@MONOLITHIC_TRUE@ $(am__append_70) $(am__append_72) \ -@MONOLITHIC_TRUE@ $(am__append_74) $(am__append_76) \ -@MONOLITHIC_TRUE@ $(am__append_78) $(am__append_80) \ -@MONOLITHIC_TRUE@ $(am__append_82) $(am__append_84) \ -@MONOLITHIC_TRUE@ $(am__append_86) $(am__append_88) \ -@MONOLITHIC_TRUE@ $(am__append_90) $(am__append_92) \ -@MONOLITHIC_TRUE@ $(am__append_94) $(am__append_96) \ -@MONOLITHIC_TRUE@ $(am__append_98) $(am__append_100) \ -@MONOLITHIC_TRUE@ $(am__append_102) $(am__append_104) \ -@MONOLITHIC_TRUE@ $(am__append_106) $(am__append_108) \ -@MONOLITHIC_TRUE@ $(am__append_110) $(am__append_112) \ -@MONOLITHIC_TRUE@ $(am__append_114) $(am__append_116) \ -@MONOLITHIC_TRUE@ $(am__append_118) $(am__append_120) \ -@MONOLITHIC_TRUE@ $(am__append_122) $(am__append_124) \ -@MONOLITHIC_TRUE@ $(am__append_126) $(am__append_128) \ -@MONOLITHIC_TRUE@ $(am__append_130) . tests $(am__append_132) \ -@MONOLITHIC_TRUE@ $(am__append_133) $(am__append_134) +@MONOLITHIC_TRUE@SUBDIRS = $(am__append_22) $(am__append_23) \ +@MONOLITHIC_TRUE@ $(am__append_25) $(am__append_27) \ +@MONOLITHIC_TRUE@ $(am__append_29) $(am__append_31) \ +@MONOLITHIC_TRUE@ $(am__append_33) $(am__append_35) \ +@MONOLITHIC_TRUE@ $(am__append_37) $(am__append_39) \ +@MONOLITHIC_TRUE@ $(am__append_41) $(am__append_43) \ +@MONOLITHIC_TRUE@ $(am__append_45) $(am__append_47) \ +@MONOLITHIC_TRUE@ $(am__append_49) $(am__append_51) \ +@MONOLITHIC_TRUE@ $(am__append_53) $(am__append_55) \ +@MONOLITHIC_TRUE@ $(am__append_57) $(am__append_59) \ +@MONOLITHIC_TRUE@ $(am__append_61) $(am__append_63) \ +@MONOLITHIC_TRUE@ $(am__append_65) $(am__append_67) \ +@MONOLITHIC_TRUE@ $(am__append_69) $(am__append_71) \ +@MONOLITHIC_TRUE@ $(am__append_73) $(am__append_75) \ +@MONOLITHIC_TRUE@ $(am__append_77) $(am__append_79) \ +@MONOLITHIC_TRUE@ $(am__append_81) $(am__append_83) \ +@MONOLITHIC_TRUE@ $(am__append_85) $(am__append_87) \ +@MONOLITHIC_TRUE@ $(am__append_89) $(am__append_91) \ +@MONOLITHIC_TRUE@ $(am__append_93) $(am__append_95) \ +@MONOLITHIC_TRUE@ $(am__append_97) $(am__append_99) \ +@MONOLITHIC_TRUE@ $(am__append_101) $(am__append_103) \ +@MONOLITHIC_TRUE@ $(am__append_105) $(am__append_107) \ +@MONOLITHIC_TRUE@ $(am__append_109) $(am__append_111) \ +@MONOLITHIC_TRUE@ $(am__append_113) $(am__append_115) \ +@MONOLITHIC_TRUE@ $(am__append_117) $(am__append_119) \ +@MONOLITHIC_TRUE@ $(am__append_121) $(am__append_123) \ +@MONOLITHIC_TRUE@ $(am__append_125) $(am__append_127) \ +@MONOLITHIC_TRUE@ $(am__append_129) $(am__append_131) \ +@MONOLITHIC_TRUE@ $(am__append_133) . tests $(am__append_135) \ +@MONOLITHIC_TRUE@ $(am__append_136) $(am__append_137) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -1384,6 +1403,9 @@ credentials/keys/public_key.lo: credentials/keys/$(am__dirstamp) \ credentials/keys/$(DEPDIR)/$(am__dirstamp) credentials/keys/shared_key.lo: credentials/keys/$(am__dirstamp) \ credentials/keys/$(DEPDIR)/$(am__dirstamp) +credentials/keys/signature_params.lo: \ + credentials/keys/$(am__dirstamp) \ + credentials/keys/$(DEPDIR)/$(am__dirstamp) credentials/certificates/$(am__dirstamp): @$(MKDIR_P) credentials/certificates @: > credentials/certificates/$(am__dirstamp) @@ -1700,6 +1722,9 @@ utils/printf_hook/printf_hook_builtin.lo: \ utils/printf_hook/printf_hook_glibc.lo: \ utils/printf_hook/$(am__dirstamp) \ utils/printf_hook/$(DEPDIR)/$(am__dirstamp) +networking/streams/stream_service_systemd.lo: \ + networking/streams/$(am__dirstamp) \ + networking/streams/$(DEPDIR)/$(am__dirstamp) libstrongswan.la: $(libstrongswan_la_OBJECTS) $(libstrongswan_la_DEPENDENCIES) $(EXTRA_libstrongswan_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libstrongswan_la_OBJECTS) $(libstrongswan_la_LIBADD) $(LIBS) @@ -1808,6 +1833,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@credentials/keys/$(DEPDIR)/private_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/keys/$(DEPDIR)/public_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/keys/$(DEPDIR)/shared_key.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@credentials/keys/$(DEPDIR)/signature_params.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/sets/$(DEPDIR)/auth_cfg_wrapper.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/sets/$(DEPDIR)/callback_cred.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/sets/$(DEPDIR)/cert_cache.Plo@am__quote@ @@ -1849,6 +1875,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@networking/streams/$(DEPDIR)/stream.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@networking/streams/$(DEPDIR)/stream_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@networking/streams/$(DEPDIR)/stream_service.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@networking/streams/$(DEPDIR)/stream_service_systemd.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@networking/streams/$(DEPDIR)/stream_service_tcp.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@networking/streams/$(DEPDIR)/stream_service_unix.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@networking/streams/$(DEPDIR)/stream_tcp.Plo@am__quote@ @@ -2384,6 +2411,12 @@ $(srcdir)/asn1/oid.h : $(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt $(AM_V_GEN) \ (cd $(srcdir)/asn1/ && $(PERL) oid.pl) +$(srcdir)/crypto/proposal/proposal_keywords_static.h: $(srcdir)/crypto/proposal/proposal_keywords_static.h.in + $(AM_V_GEN) \ + sed \ + -e "s:\@GPERF_LEN_TYPE\@:$(GPERF_LEN_TYPE):" \ + $< > $@ + $(srcdir)/crypto/proposal/proposal_keywords_static.c: $(srcdir)/crypto/proposal/proposal_keywords_static.txt \ $(srcdir)/crypto/proposal/proposal_keywords_static.h $(AM_V_GEN) \ diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c index 8b9dc1c48..3f3a5c587 100644 --- a/src/libstrongswan/asn1/asn1.c +++ b/src/libstrongswan/asn1/asn1.c @@ -33,7 +33,15 @@ const chunk_t ASN1_INTEGER_1 = chunk_from_chars(0x02, 0x01, 0x01); const chunk_t ASN1_INTEGER_2 = chunk_from_chars(0x02, 0x01, 0x02); /* - * Defined in header. + * Described in header + */ +chunk_t asn1_algorithmIdentifier_params(int oid, chunk_t params) +{ + return asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(oid), params); +} + +/* + * Described in header */ chunk_t asn1_algorithmIdentifier(int oid) { @@ -55,7 +63,7 @@ chunk_t asn1_algorithmIdentifier(int oid) parameters = asn1_simple_object(ASN1_NULL, chunk_empty); break; } - return asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(oid), parameters); + return asn1_algorithmIdentifier_params(oid, parameters); } /* @@ -609,6 +617,26 @@ uint64_t asn1_parse_integer_uint64(chunk_t blob) return val; } +/* + * Described in header + */ +chunk_t asn1_integer_from_uint64(uint64_t val) +{ + u_char buf[sizeof(val)]; + chunk_t enc = chunk_empty; + + if (val < 0x100) + { + buf[0] = (u_char)val; + return chunk_clone(chunk_create(buf, 1)); + } + for (enc.ptr = buf + sizeof(val); val; enc.len++, val >>= 8) + { /* fill the buffer from the end */ + *(--enc.ptr) = val & 0xff; + } + return chunk_clone(enc); +} + /** * ASN.1 definition of an algorithmIdentifier */ diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h index f0b3e17e8..3c7389e5c 100644 --- a/src/libstrongswan/asn1/asn1.h +++ b/src/libstrongswan/asn1/asn1.h @@ -1,8 +1,8 @@ /* + * Copyright (C) 2011-2017 Tobias Brunner * Copyright (C) 2006 Martin Will * Copyright (C) 2000-2008 Andreas Steffen - * - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -92,14 +92,23 @@ extern const chunk_t ASN1_INTEGER_2; /** Some ASN.1 analysis functions */ /** - * Build an algorithmIdentifier from a known OID. + * Build an algorithmIdentifier from a known OID with empty parameters. * * @param oid known OID index - * @return body of the corresponding OID, allocated + * @return body of the corresponding ASN.1 structure, allocated */ chunk_t asn1_algorithmIdentifier(int oid); /** + * Build an algorithmIdentifier from a known OID and the given prameters. + * + * @param oid known OID index + * @param params parameters to encode in the algorithmIdentifier (adopted) + * @return body of the corresponding ASN.1 structure, allocated + */ +chunk_t asn1_algorithmIdentifier_params(int oid, chunk_t params); + +/** * Converts an ASN.1 OID into a known OID index * * @param object body of an OID @@ -181,6 +190,14 @@ bool asn1_parse_simple_object(chunk_t *object, asn1_t type, u_int level0, uint64_t asn1_parse_integer_uint64(chunk_t blob); /** + * Converts an uint64_t to an ASN.1 INTEGER object. + * + * @param val integer to convert + * @return body of an ASN.1 coded integer object + */ +chunk_t asn1_integer_from_uint64(uint64_t val); + +/** * Print the value of an ASN.1 simple object * * @param object ASN.1 object to be printed diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c index bb423dcac..6d9f98ee4 100644 --- a/src/libstrongswan/asn1/oid.c +++ b/src/libstrongswan/asn1/oid.c @@ -28,478 +28,482 @@ const oid_t oid_names[] = { { 0x01, 0, 1, 8, "pilotAttributeType" }, /* 15 */ { 0x01, 17, 0, 9, "UID" }, /* 16 */ { 0x19, 0, 0, 9, "DC" }, /* 17 */ - {0x55, 67, 1, 0, "X.500" }, /* 18 */ - { 0x04, 39, 1, 1, "X.509" }, /* 19 */ + {0x55, 70, 1, 0, "X.500" }, /* 18 */ + { 0x04, 42, 1, 1, "X.509" }, /* 19 */ { 0x03, 21, 0, 2, "CN" }, /* 20 */ { 0x04, 22, 0, 2, "S" }, /* 21 */ { 0x05, 23, 0, 2, "SN" }, /* 22 */ { 0x06, 24, 0, 2, "C" }, /* 23 */ { 0x07, 25, 0, 2, "L" }, /* 24 */ { 0x08, 26, 0, 2, "ST" }, /* 25 */ - { 0x0A, 27, 0, 2, "O" }, /* 26 */ - { 0x0B, 28, 0, 2, "OU" }, /* 27 */ - { 0x0C, 29, 0, 2, "T" }, /* 28 */ - { 0x0D, 30, 0, 2, "D" }, /* 29 */ - { 0x24, 31, 0, 2, "userCertificate" }, /* 30 */ - { 0x29, 32, 0, 2, "N" }, /* 31 */ - { 0x2A, 33, 0, 2, "G" }, /* 32 */ - { 0x2B, 34, 0, 2, "I" }, /* 33 */ - { 0x2D, 35, 0, 2, "ID" }, /* 34 */ - { 0x2E, 36, 0, 2, "dnQualifier" }, /* 35 */ - { 0x36, 37, 0, 2, "dmdName" }, /* 36 */ - { 0x41, 38, 0, 2, "pseudonym" }, /* 37 */ - { 0x48, 0, 0, 2, "role" }, /* 38 */ - { 0x1D, 0, 1, 1, "id-ce" }, /* 39 */ - { 0x09, 41, 0, 2, "subjectDirectoryAttrs" }, /* 40 */ - { 0x0E, 42, 0, 2, "subjectKeyIdentifier" }, /* 41 */ - { 0x0F, 43, 0, 2, "keyUsage" }, /* 42 */ - { 0x10, 44, 0, 2, "privateKeyUsagePeriod" }, /* 43 */ - { 0x11, 45, 0, 2, "subjectAltName" }, /* 44 */ - { 0x12, 46, 0, 2, "issuerAltName" }, /* 45 */ - { 0x13, 47, 0, 2, "basicConstraints" }, /* 46 */ - { 0x14, 48, 0, 2, "crlNumber" }, /* 47 */ - { 0x15, 49, 0, 2, "reasonCode" }, /* 48 */ - { 0x17, 50, 0, 2, "holdInstructionCode" }, /* 49 */ - { 0x18, 51, 0, 2, "invalidityDate" }, /* 50 */ - { 0x1B, 52, 0, 2, "deltaCrlIndicator" }, /* 51 */ - { 0x1C, 53, 0, 2, "issuingDistributionPoint" }, /* 52 */ - { 0x1D, 54, 0, 2, "certificateIssuer" }, /* 53 */ - { 0x1E, 55, 0, 2, "nameConstraints" }, /* 54 */ - { 0x1F, 56, 0, 2, "crlDistributionPoints" }, /* 55 */ - { 0x20, 58, 1, 2, "certificatePolicies" }, /* 56 */ - { 0x00, 0, 0, 3, "anyPolicy" }, /* 57 */ - { 0x21, 59, 0, 2, "policyMappings" }, /* 58 */ - { 0x23, 60, 0, 2, "authorityKeyIdentifier" }, /* 59 */ - { 0x24, 61, 0, 2, "policyConstraints" }, /* 60 */ - { 0x25, 63, 1, 2, "extendedKeyUsage" }, /* 61 */ - { 0x00, 0, 0, 3, "anyExtendedKeyUsage" }, /* 62 */ - { 0x2E, 64, 0, 2, "freshestCRL" }, /* 63 */ - { 0x36, 65, 0, 2, "inhibitAnyPolicy" }, /* 64 */ - { 0x37, 66, 0, 2, "targetInformation" }, /* 65 */ - { 0x38, 0, 0, 2, "noRevAvail" }, /* 66 */ - {0x2A, 191, 1, 0, "" }, /* 67 */ - { 0x83, 80, 1, 1, "" }, /* 68 */ - { 0x08, 0, 1, 2, "jp" }, /* 69 */ - { 0x8C, 0, 1, 3, "" }, /* 70 */ - { 0x9A, 0, 1, 4, "" }, /* 71 */ - { 0x4B, 0, 1, 5, "" }, /* 72 */ - { 0x3D, 0, 1, 6, "" }, /* 73 */ - { 0x01, 0, 1, 7, "security" }, /* 74 */ - { 0x01, 0, 1, 8, "algorithm" }, /* 75 */ - { 0x01, 0, 1, 9, "symm-encryption-alg" }, /* 76 */ - { 0x02, 78, 0, 10, "camellia128-cbc" }, /* 77 */ - { 0x03, 79, 0, 10, "camellia192-cbc" }, /* 78 */ - { 0x04, 0, 0, 10, "camellia256-cbc" }, /* 79 */ - { 0x86, 0, 1, 1, "" }, /* 80 */ - { 0x48, 0, 1, 2, "us" }, /* 81 */ - { 0x86, 150, 1, 3, "" }, /* 82 */ - { 0xF6, 88, 1, 4, "" }, /* 83 */ - { 0x7D, 0, 1, 5, "NortelNetworks" }, /* 84 */ - { 0x07, 0, 1, 6, "Entrust" }, /* 85 */ - { 0x41, 0, 1, 7, "nsn-ce" }, /* 86 */ - { 0x00, 0, 0, 8, "entrustVersInfo" }, /* 87 */ - { 0xF7, 0, 1, 4, "" }, /* 88 */ - { 0x0D, 0, 1, 5, "RSADSI" }, /* 89 */ - { 0x01, 145, 1, 6, "PKCS" }, /* 90 */ - { 0x01, 103, 1, 7, "PKCS-1" }, /* 91 */ - { 0x01, 93, 0, 8, "rsaEncryption" }, /* 92 */ - { 0x02, 94, 0, 8, "md2WithRSAEncryption" }, /* 93 */ - { 0x04, 95, 0, 8, "md5WithRSAEncryption" }, /* 94 */ - { 0x05, 96, 0, 8, "sha-1WithRSAEncryption" }, /* 95 */ - { 0x07, 97, 0, 8, "id-RSAES-OAEP" }, /* 96 */ - { 0x08, 98, 0, 8, "id-mgf1" }, /* 97 */ - { 0x09, 99, 0, 8, "id-pSpecified" }, /* 98 */ - { 0x0B, 100, 0, 8, "sha256WithRSAEncryption" }, /* 99 */ - { 0x0C, 101, 0, 8, "sha384WithRSAEncryption" }, /* 100 */ - { 0x0D, 102, 0, 8, "sha512WithRSAEncryption" }, /* 101 */ - { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 102 */ - { 0x05, 108, 1, 7, "PKCS-5" }, /* 103 */ - { 0x03, 105, 0, 8, "pbeWithMD5AndDES-CBC" }, /* 104 */ - { 0x0A, 106, 0, 8, "pbeWithSHA1AndDES-CBC" }, /* 105 */ - { 0x0C, 107, 0, 8, "id-PBKDF2" }, /* 106 */ - { 0x0D, 0, 0, 8, "id-PBES2" }, /* 107 */ - { 0x07, 115, 1, 7, "PKCS-7" }, /* 108 */ - { 0x01, 110, 0, 8, "data" }, /* 109 */ - { 0x02, 111, 0, 8, "signedData" }, /* 110 */ - { 0x03, 112, 0, 8, "envelopedData" }, /* 111 */ - { 0x04, 113, 0, 8, "signedAndEnvelopedData" }, /* 112 */ - { 0x05, 114, 0, 8, "digestedData" }, /* 113 */ - { 0x06, 0, 0, 8, "encryptedData" }, /* 114 */ - { 0x09, 129, 1, 7, "PKCS-9" }, /* 115 */ - { 0x01, 117, 0, 8, "E" }, /* 116 */ - { 0x02, 118, 0, 8, "unstructuredName" }, /* 117 */ - { 0x03, 119, 0, 8, "contentType" }, /* 118 */ - { 0x04, 120, 0, 8, "messageDigest" }, /* 119 */ - { 0x05, 121, 0, 8, "signingTime" }, /* 120 */ - { 0x06, 122, 0, 8, "counterSignature" }, /* 121 */ - { 0x07, 123, 0, 8, "challengePassword" }, /* 122 */ - { 0x08, 124, 0, 8, "unstructuredAddress" }, /* 123 */ - { 0x0E, 125, 0, 8, "extensionRequest" }, /* 124 */ - { 0x0F, 126, 0, 8, "S/MIME Capabilities" }, /* 125 */ - { 0x16, 0, 1, 8, "certTypes" }, /* 126 */ - { 0x01, 128, 0, 9, "X.509" }, /* 127 */ - { 0x02, 0, 0, 9, "SDSI" }, /* 128 */ - { 0x0c, 0, 1, 7, "PKCS-12" }, /* 129 */ - { 0x01, 137, 1, 8, "pbeIds" }, /* 130 */ - { 0x01, 132, 0, 9, "pbeWithSHAAnd128BitRC4" }, /* 131 */ - { 0x02, 133, 0, 9, "pbeWithSHAAnd40BitRC4" }, /* 132 */ - { 0x03, 134, 0, 9, "pbeWithSHAAnd3-KeyTripleDES-CBC" }, /* 133 */ - { 0x04, 135, 0, 9, "pbeWithSHAAnd2-KeyTripleDES-CBC" }, /* 134 */ - { 0x05, 136, 0, 9, "pbeWithSHAAnd128BitRC2-CBC" }, /* 135 */ - { 0x06, 0, 0, 9, "pbeWithSHAAnd40BitRC2-CBC" }, /* 136 */ - { 0x0a, 0, 1, 8, "PKCS-12v1" }, /* 137 */ - { 0x01, 0, 1, 9, "bagIds" }, /* 138 */ - { 0x01, 140, 0, 10, "keyBag" }, /* 139 */ - { 0x02, 141, 0, 10, "pkcs8ShroudedKeyBag" }, /* 140 */ - { 0x03, 142, 0, 10, "certBag" }, /* 141 */ - { 0x04, 143, 0, 10, "crlBag" }, /* 142 */ - { 0x05, 144, 0, 10, "secretBag" }, /* 143 */ - { 0x06, 0, 0, 10, "safeContentsBag" }, /* 144 */ - { 0x02, 148, 1, 6, "digestAlgorithm" }, /* 145 */ - { 0x02, 147, 0, 7, "md2" }, /* 146 */ - { 0x05, 0, 0, 7, "md5" }, /* 147 */ - { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 148 */ - { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 149 */ - { 0xCE, 0, 1, 3, "" }, /* 150 */ - { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 151 */ - { 0x02, 154, 1, 5, "id-publicKeyType" }, /* 152 */ - { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 153 */ - { 0x03, 184, 1, 5, "ellipticCurve" }, /* 154 */ - { 0x00, 176, 1, 6, "c-TwoCurve" }, /* 155 */ - { 0x01, 157, 0, 7, "c2pnb163v1" }, /* 156 */ - { 0x02, 158, 0, 7, "c2pnb163v2" }, /* 157 */ - { 0x03, 159, 0, 7, "c2pnb163v3" }, /* 158 */ - { 0x04, 160, 0, 7, "c2pnb176w1" }, /* 159 */ - { 0x05, 161, 0, 7, "c2tnb191v1" }, /* 160 */ - { 0x06, 162, 0, 7, "c2tnb191v2" }, /* 161 */ - { 0x07, 163, 0, 7, "c2tnb191v3" }, /* 162 */ - { 0x08, 164, 0, 7, "c2onb191v4" }, /* 163 */ - { 0x09, 165, 0, 7, "c2onb191v5" }, /* 164 */ - { 0x0A, 166, 0, 7, "c2pnb208w1" }, /* 165 */ - { 0x0B, 167, 0, 7, "c2tnb239v1" }, /* 166 */ - { 0x0C, 168, 0, 7, "c2tnb239v2" }, /* 167 */ - { 0x0D, 169, 0, 7, "c2tnb239v3" }, /* 168 */ - { 0x0E, 170, 0, 7, "c2onb239v4" }, /* 169 */ - { 0x0F, 171, 0, 7, "c2onb239v5" }, /* 170 */ - { 0x10, 172, 0, 7, "c2pnb272w1" }, /* 171 */ - { 0x11, 173, 0, 7, "c2pnb304w1" }, /* 172 */ - { 0x12, 174, 0, 7, "c2tnb359v1" }, /* 173 */ - { 0x13, 175, 0, 7, "c2pnb368w1" }, /* 174 */ - { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 175 */ - { 0x01, 0, 1, 6, "primeCurve" }, /* 176 */ - { 0x01, 178, 0, 7, "prime192v1" }, /* 177 */ - { 0x02, 179, 0, 7, "prime192v2" }, /* 178 */ - { 0x03, 180, 0, 7, "prime192v3" }, /* 179 */ - { 0x04, 181, 0, 7, "prime239v1" }, /* 180 */ - { 0x05, 182, 0, 7, "prime239v2" }, /* 181 */ - { 0x06, 183, 0, 7, "prime239v3" }, /* 182 */ - { 0x07, 0, 0, 7, "prime256v1" }, /* 183 */ - { 0x04, 0, 1, 5, "id-ecSigType" }, /* 184 */ - { 0x01, 186, 0, 6, "ecdsa-with-SHA1" }, /* 185 */ - { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 186 */ - { 0x01, 188, 0, 7, "ecdsa-with-SHA224" }, /* 187 */ - { 0x02, 189, 0, 7, "ecdsa-with-SHA256" }, /* 188 */ - { 0x03, 190, 0, 7, "ecdsa-with-SHA384" }, /* 189 */ - { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 190 */ - {0x2B, 421, 1, 0, "" }, /* 191 */ - { 0x06, 332, 1, 1, "dod" }, /* 192 */ - { 0x01, 0, 1, 2, "internet" }, /* 193 */ - { 0x04, 283, 1, 3, "private" }, /* 194 */ - { 0x01, 0, 1, 4, "enterprise" }, /* 195 */ - { 0x82, 233, 1, 5, "" }, /* 196 */ - { 0x37, 209, 1, 6, "Microsoft" }, /* 197 */ - { 0x0A, 202, 1, 7, "" }, /* 198 */ - { 0x03, 0, 1, 8, "" }, /* 199 */ - { 0x03, 201, 0, 9, "msSGC" }, /* 200 */ - { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 201 */ - { 0x14, 206, 1, 7, "msEnrollmentInfrastructure" }, /* 202 */ - { 0x02, 0, 1, 8, "msCertificateTypeExtension" }, /* 203 */ - { 0x02, 205, 0, 9, "msSmartcardLogon" }, /* 204 */ - { 0x03, 0, 0, 9, "msUPN" }, /* 205 */ - { 0x15, 0, 1, 7, "msCertSrvInfrastructure" }, /* 206 */ - { 0x07, 208, 0, 8, "msCertTemplate" }, /* 207 */ - { 0x0A, 0, 0, 8, "msApplicationCertPolicies" }, /* 208 */ - { 0xA0, 0, 1, 6, "" }, /* 209 */ - { 0x2A, 0, 1, 7, "ITA" }, /* 210 */ - { 0x01, 212, 0, 8, "strongSwan" }, /* 211 */ - { 0x02, 213, 0, 8, "cps" }, /* 212 */ - { 0x03, 214, 0, 8, "e-voting" }, /* 213 */ - { 0x05, 0, 1, 8, "BLISS" }, /* 214 */ - { 0x01, 217, 1, 9, "keyType" }, /* 215 */ - { 0x01, 0, 0, 10, "blissPublicKey" }, /* 216 */ - { 0x02, 226, 1, 9, "parameters" }, /* 217 */ - { 0x01, 219, 0, 10, "BLISS-I" }, /* 218 */ - { 0x02, 220, 0, 10, "BLISS-II" }, /* 219 */ - { 0x03, 221, 0, 10, "BLISS-III" }, /* 220 */ - { 0x04, 222, 0, 10, "BLISS-IV" }, /* 221 */ - { 0x05, 223, 0, 10, "BLISS-B-I" }, /* 222 */ - { 0x06, 224, 0, 10, "BLISS-B-II" }, /* 223 */ - { 0x07, 225, 0, 10, "BLISS-B-III" }, /* 224 */ - { 0x08, 0, 0, 10, "BLISS-B-IV" }, /* 225 */ - { 0x03, 0, 1, 9, "blissSigType" }, /* 226 */ - { 0x01, 228, 0, 10, "BLISS-with-SHA2-512" }, /* 227 */ - { 0x02, 229, 0, 10, "BLISS-with-SHA2-384" }, /* 228 */ - { 0x03, 230, 0, 10, "BLISS-with-SHA2-256" }, /* 229 */ - { 0x04, 231, 0, 10, "BLISS-with-SHA3-512" }, /* 230 */ - { 0x05, 232, 0, 10, "BLISS-with-SHA3-384" }, /* 231 */ - { 0x06, 0, 0, 10, "BLISS-with-SHA3-256" }, /* 232 */ - { 0x89, 240, 1, 5, "" }, /* 233 */ - { 0x31, 0, 1, 6, "" }, /* 234 */ - { 0x01, 0, 1, 7, "" }, /* 235 */ - { 0x01, 0, 1, 8, "" }, /* 236 */ - { 0x02, 0, 1, 9, "" }, /* 237 */ - { 0x02, 0, 1, 10, "" }, /* 238 */ - { 0x4B, 0, 0, 11, "TCGID" }, /* 239 */ - { 0x97, 244, 1, 5, "" }, /* 240 */ - { 0x55, 0, 1, 6, "" }, /* 241 */ - { 0x01, 0, 1, 7, "" }, /* 242 */ - { 0x02, 0, 0, 8, "blowfish-cbc" }, /* 243 */ - { 0xC1, 0, 1, 5, "" }, /* 244 */ - { 0x16, 0, 1, 6, "ntruCryptosystems" }, /* 245 */ - { 0x01, 0, 1, 7, "eess" }, /* 246 */ - { 0x01, 0, 1, 8, "eess1" }, /* 247 */ - { 0x01, 252, 1, 9, "eess1-algs" }, /* 248 */ - { 0x01, 250, 0, 10, "ntru-EESS1v1-SVES" }, /* 249 */ - { 0x02, 251, 0, 10, "ntru-EESS1v1-SVSSA" }, /* 250 */ - { 0x03, 0, 0, 10, "ntru-EESS1v1-NTRUSign" }, /* 251 */ - { 0x02, 282, 1, 9, "eess1-params" }, /* 252 */ - { 0x01, 254, 0, 10, "ees251ep1" }, /* 253 */ - { 0x02, 255, 0, 10, "ees347ep1" }, /* 254 */ - { 0x03, 256, 0, 10, "ees503ep1" }, /* 255 */ - { 0x07, 257, 0, 10, "ees251sp2" }, /* 256 */ - { 0x0C, 258, 0, 10, "ees251ep4" }, /* 257 */ - { 0x0D, 259, 0, 10, "ees251ep5" }, /* 258 */ - { 0x0E, 260, 0, 10, "ees251sp3" }, /* 259 */ - { 0x0F, 261, 0, 10, "ees251sp4" }, /* 260 */ - { 0x10, 262, 0, 10, "ees251sp5" }, /* 261 */ - { 0x11, 263, 0, 10, "ees251sp6" }, /* 262 */ - { 0x12, 264, 0, 10, "ees251sp7" }, /* 263 */ - { 0x13, 265, 0, 10, "ees251sp8" }, /* 264 */ - { 0x14, 266, 0, 10, "ees251sp9" }, /* 265 */ - { 0x22, 267, 0, 10, "ees401ep1" }, /* 266 */ - { 0x23, 268, 0, 10, "ees449ep1" }, /* 267 */ - { 0x24, 269, 0, 10, "ees677ep1" }, /* 268 */ - { 0x25, 270, 0, 10, "ees1087ep2" }, /* 269 */ - { 0x26, 271, 0, 10, "ees541ep1" }, /* 270 */ - { 0x27, 272, 0, 10, "ees613ep1" }, /* 271 */ - { 0x28, 273, 0, 10, "ees887ep1" }, /* 272 */ - { 0x29, 274, 0, 10, "ees1171ep1" }, /* 273 */ - { 0x2A, 275, 0, 10, "ees659ep1" }, /* 274 */ - { 0x2B, 276, 0, 10, "ees761ep1" }, /* 275 */ - { 0x2C, 277, 0, 10, "ees1087ep1" }, /* 276 */ - { 0x2D, 278, 0, 10, "ees1499ep1" }, /* 277 */ - { 0x2E, 279, 0, 10, "ees401ep2" }, /* 278 */ - { 0x2F, 280, 0, 10, "ees439ep1" }, /* 279 */ - { 0x30, 281, 0, 10, "ees593ep1" }, /* 280 */ - { 0x31, 0, 0, 10, "ees743ep1" }, /* 281 */ - { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 282 */ - { 0x05, 0, 1, 3, "security" }, /* 283 */ - { 0x05, 0, 1, 4, "mechanisms" }, /* 284 */ - { 0x07, 329, 1, 5, "id-pkix" }, /* 285 */ - { 0x01, 290, 1, 6, "id-pe" }, /* 286 */ - { 0x01, 288, 0, 7, "authorityInfoAccess" }, /* 287 */ - { 0x03, 289, 0, 7, "qcStatements" }, /* 288 */ - { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 289 */ - { 0x02, 293, 1, 6, "id-qt" }, /* 290 */ - { 0x01, 292, 0, 7, "cps" }, /* 291 */ - { 0x02, 0, 0, 7, "unotice" }, /* 292 */ - { 0x03, 303, 1, 6, "id-kp" }, /* 293 */ - { 0x01, 295, 0, 7, "serverAuth" }, /* 294 */ - { 0x02, 296, 0, 7, "clientAuth" }, /* 295 */ - { 0x03, 297, 0, 7, "codeSigning" }, /* 296 */ - { 0x04, 298, 0, 7, "emailProtection" }, /* 297 */ - { 0x05, 299, 0, 7, "ipsecEndSystem" }, /* 298 */ - { 0x06, 300, 0, 7, "ipsecTunnel" }, /* 299 */ - { 0x07, 301, 0, 7, "ipsecUser" }, /* 300 */ - { 0x08, 302, 0, 7, "timeStamping" }, /* 301 */ - { 0x09, 0, 0, 7, "ocspSigning" }, /* 302 */ - { 0x08, 311, 1, 6, "id-otherNames" }, /* 303 */ - { 0x01, 305, 0, 7, "personalData" }, /* 304 */ - { 0x02, 306, 0, 7, "userGroup" }, /* 305 */ - { 0x03, 307, 0, 7, "id-on-permanentIdentifier" }, /* 306 */ - { 0x04, 308, 0, 7, "id-on-hardwareModuleName" }, /* 307 */ - { 0x05, 309, 0, 7, "xmppAddr" }, /* 308 */ - { 0x06, 310, 0, 7, "id-on-SIM" }, /* 309 */ - { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 310 */ - { 0x0A, 316, 1, 6, "id-aca" }, /* 311 */ - { 0x01, 313, 0, 7, "authenticationInfo" }, /* 312 */ - { 0x02, 314, 0, 7, "accessIdentity" }, /* 313 */ - { 0x03, 315, 0, 7, "chargingIdentity" }, /* 314 */ - { 0x04, 0, 0, 7, "group" }, /* 315 */ - { 0x0B, 317, 0, 6, "subjectInfoAccess" }, /* 316 */ - { 0x30, 0, 1, 6, "id-ad" }, /* 317 */ - { 0x01, 326, 1, 7, "ocsp" }, /* 318 */ - { 0x01, 320, 0, 8, "basic" }, /* 319 */ - { 0x02, 321, 0, 8, "nonce" }, /* 320 */ - { 0x03, 322, 0, 8, "crl" }, /* 321 */ - { 0x04, 323, 0, 8, "response" }, /* 322 */ - { 0x05, 324, 0, 8, "noCheck" }, /* 323 */ - { 0x06, 325, 0, 8, "archiveCutoff" }, /* 324 */ - { 0x07, 0, 0, 8, "serviceLocator" }, /* 325 */ - { 0x02, 327, 0, 7, "caIssuers" }, /* 326 */ - { 0x03, 328, 0, 7, "timeStamping" }, /* 327 */ - { 0x05, 0, 0, 7, "caRepository" }, /* 328 */ - { 0x08, 0, 1, 5, "ipsec" }, /* 329 */ - { 0x02, 0, 1, 6, "certificate" }, /* 330 */ - { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 331 */ - { 0x0E, 338, 1, 1, "oiw" }, /* 332 */ - { 0x03, 0, 1, 2, "secsig" }, /* 333 */ - { 0x02, 0, 1, 3, "algorithms" }, /* 334 */ - { 0x07, 336, 0, 4, "des-cbc" }, /* 335 */ - { 0x1A, 337, 0, 4, "sha-1" }, /* 336 */ - { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 337 */ - { 0x24, 384, 1, 1, "TeleTrusT" }, /* 338 */ - { 0x03, 0, 1, 2, "algorithm" }, /* 339 */ - { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 340 */ - { 0x01, 345, 1, 4, "rsaSignature" }, /* 341 */ - { 0x02, 343, 0, 5, "rsaSigWithripemd160" }, /* 342 */ - { 0x03, 344, 0, 5, "rsaSigWithripemd128" }, /* 343 */ - { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 344 */ - { 0x02, 0, 1, 4, "ecSign" }, /* 345 */ - { 0x01, 347, 0, 5, "ecSignWithsha1" }, /* 346 */ - { 0x02, 348, 0, 5, "ecSignWithripemd160" }, /* 347 */ - { 0x03, 349, 0, 5, "ecSignWithmd2" }, /* 348 */ - { 0x04, 350, 0, 5, "ecSignWithmd5" }, /* 349 */ - { 0x05, 367, 1, 5, "ttt-ecg" }, /* 350 */ - { 0x01, 355, 1, 6, "fieldType" }, /* 351 */ - { 0x01, 0, 1, 7, "characteristictwoField" }, /* 352 */ - { 0x01, 0, 1, 8, "basisType" }, /* 353 */ - { 0x01, 0, 0, 9, "ipBasis" }, /* 354 */ - { 0x02, 357, 1, 6, "keyType" }, /* 355 */ - { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 356 */ - { 0x03, 358, 0, 6, "curve" }, /* 357 */ - { 0x04, 365, 1, 6, "signatures" }, /* 358 */ - { 0x01, 360, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 359 */ - { 0x02, 361, 0, 7, "ecgdsa-with-SHA1" }, /* 360 */ - { 0x03, 362, 0, 7, "ecgdsa-with-SHA224" }, /* 361 */ - { 0x04, 363, 0, 7, "ecgdsa-with-SHA256" }, /* 362 */ - { 0x05, 364, 0, 7, "ecgdsa-with-SHA384" }, /* 363 */ - { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 364 */ - { 0x05, 0, 1, 6, "module" }, /* 365 */ - { 0x01, 0, 0, 7, "1" }, /* 366 */ - { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 367 */ - { 0x01, 0, 1, 6, "ellipticCurve" }, /* 368 */ - { 0x01, 0, 1, 7, "versionOne" }, /* 369 */ - { 0x01, 371, 0, 8, "brainpoolP160r1" }, /* 370 */ - { 0x02, 372, 0, 8, "brainpoolP160t1" }, /* 371 */ - { 0x03, 373, 0, 8, "brainpoolP192r1" }, /* 372 */ - { 0x04, 374, 0, 8, "brainpoolP192t1" }, /* 373 */ - { 0x05, 375, 0, 8, "brainpoolP224r1" }, /* 374 */ - { 0x06, 376, 0, 8, "brainpoolP224t1" }, /* 375 */ - { 0x07, 377, 0, 8, "brainpoolP256r1" }, /* 376 */ - { 0x08, 378, 0, 8, "brainpoolP256t1" }, /* 377 */ - { 0x09, 379, 0, 8, "brainpoolP320r1" }, /* 378 */ - { 0x0A, 380, 0, 8, "brainpoolP320t1" }, /* 379 */ - { 0x0B, 381, 0, 8, "brainpoolP384r1" }, /* 380 */ - { 0x0C, 382, 0, 8, "brainpoolP384t1" }, /* 381 */ - { 0x0D, 383, 0, 8, "brainpoolP512r1" }, /* 382 */ - { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 383 */ - { 0x65, 387, 1, 1, "Thawte" }, /* 384 */ - { 0x70, 386, 0, 2, "id-Ed25519" }, /* 385 */ - { 0x71, 0, 0, 2, "id-Ed448" }, /* 386 */ - { 0x81, 0, 1, 1, "" }, /* 387 */ - { 0x04, 0, 1, 2, "Certicom" }, /* 388 */ - { 0x00, 0, 1, 3, "curve" }, /* 389 */ - { 0x01, 391, 0, 4, "sect163k1" }, /* 390 */ - { 0x02, 392, 0, 4, "sect163r1" }, /* 391 */ - { 0x03, 393, 0, 4, "sect239k1" }, /* 392 */ - { 0x04, 394, 0, 4, "sect113r1" }, /* 393 */ - { 0x05, 395, 0, 4, "sect113r2" }, /* 394 */ - { 0x06, 396, 0, 4, "secp112r1" }, /* 395 */ - { 0x07, 397, 0, 4, "secp112r2" }, /* 396 */ - { 0x08, 398, 0, 4, "secp160r1" }, /* 397 */ - { 0x09, 399, 0, 4, "secp160k1" }, /* 398 */ - { 0x0A, 400, 0, 4, "secp256k1" }, /* 399 */ - { 0x0F, 401, 0, 4, "sect163r2" }, /* 400 */ - { 0x10, 402, 0, 4, "sect283k1" }, /* 401 */ - { 0x11, 403, 0, 4, "sect283r1" }, /* 402 */ - { 0x16, 404, 0, 4, "sect131r1" }, /* 403 */ - { 0x17, 405, 0, 4, "sect131r2" }, /* 404 */ - { 0x18, 406, 0, 4, "sect193r1" }, /* 405 */ - { 0x19, 407, 0, 4, "sect193r2" }, /* 406 */ - { 0x1A, 408, 0, 4, "sect233k1" }, /* 407 */ - { 0x1B, 409, 0, 4, "sect233r1" }, /* 408 */ - { 0x1C, 410, 0, 4, "secp128r1" }, /* 409 */ - { 0x1D, 411, 0, 4, "secp128r2" }, /* 410 */ - { 0x1E, 412, 0, 4, "secp160r2" }, /* 411 */ - { 0x1F, 413, 0, 4, "secp192k1" }, /* 412 */ - { 0x20, 414, 0, 4, "secp224k1" }, /* 413 */ - { 0x21, 415, 0, 4, "secp224r1" }, /* 414 */ - { 0x22, 416, 0, 4, "secp384r1" }, /* 415 */ - { 0x23, 417, 0, 4, "secp521r1" }, /* 416 */ - { 0x24, 418, 0, 4, "sect409k1" }, /* 417 */ - { 0x25, 419, 0, 4, "sect409r1" }, /* 418 */ - { 0x26, 420, 0, 4, "sect571k1" }, /* 419 */ - { 0x27, 0, 0, 4, "sect571r1" }, /* 420 */ - {0x60, 484, 1, 0, "" }, /* 421 */ - { 0x86, 0, 1, 1, "" }, /* 422 */ - { 0x48, 0, 1, 2, "" }, /* 423 */ - { 0x01, 0, 1, 3, "organization" }, /* 424 */ - { 0x65, 460, 1, 4, "gov" }, /* 425 */ - { 0x03, 0, 1, 5, "csor" }, /* 426 */ - { 0x04, 0, 1, 6, "nistalgorithm" }, /* 427 */ - { 0x01, 438, 1, 7, "aes" }, /* 428 */ - { 0x02, 430, 0, 8, "id-aes128-CBC" }, /* 429 */ - { 0x06, 431, 0, 8, "id-aes128-GCM" }, /* 430 */ - { 0x07, 432, 0, 8, "id-aes128-CCM" }, /* 431 */ - { 0x16, 433, 0, 8, "id-aes192-CBC" }, /* 432 */ - { 0x1A, 434, 0, 8, "id-aes192-GCM" }, /* 433 */ - { 0x1B, 435, 0, 8, "id-aes192-CCM" }, /* 434 */ - { 0x2A, 436, 0, 8, "id-aes256-CBC" }, /* 435 */ - { 0x2E, 437, 0, 8, "id-aes256-GCM" }, /* 436 */ - { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 437 */ - { 0x02, 451, 1, 7, "hashAlgs" }, /* 438 */ - { 0x01, 440, 0, 8, "id-sha256" }, /* 439 */ - { 0x02, 441, 0, 8, "id-sha384" }, /* 440 */ - { 0x03, 442, 0, 8, "id-sha512" }, /* 441 */ - { 0x04, 443, 0, 8, "id-sha224" }, /* 442 */ - { 0x05, 444, 0, 8, "id-sha512-224" }, /* 443 */ - { 0x06, 445, 0, 8, "id-sha512-256" }, /* 444 */ - { 0x07, 446, 0, 8, "id-sha3-224" }, /* 445 */ - { 0x08, 447, 0, 8, "id-sha3-256" }, /* 446 */ - { 0x09, 448, 0, 8, "id-sha3-384" }, /* 447 */ - { 0x0A, 449, 0, 8, "id-sha3-512" }, /* 448 */ - { 0x0B, 450, 0, 8, "id-shake128" }, /* 449 */ - { 0x0C, 0, 0, 8, "id-shake256" }, /* 450 */ - { 0x03, 0, 1, 7, "sigAlgs" }, /* 451 */ - { 0x09, 453, 0, 8, "id-ecdsa-with-sha3-224" }, /* 452 */ - { 0x0A, 454, 0, 8, "id-ecdsa-with-sha3-256" }, /* 453 */ - { 0x0B, 455, 0, 8, "id-ecdsa-with-sha3-384" }, /* 454 */ - { 0x0C, 456, 0, 8, "id-ecdsa-with-sha3-512" }, /* 455 */ - { 0x0D, 457, 0, 8, "id-rsassa-pkcs1v15-with-sha3-224"}, /* 456 */ - { 0x0E, 458, 0, 8, "id-rsassa-pkcs1v15-with-sha3-256"}, /* 457 */ - { 0x0F, 459, 0, 8, "id-rsassa-pkcs1v15-with-sha3-384"}, /* 458 */ - { 0x10, 0, 0, 8, "id-rsassa-pkcs1v15-with-sha3-512"}, /* 459 */ - { 0x86, 0, 1, 4, "" }, /* 460 */ - { 0xf8, 0, 1, 5, "" }, /* 461 */ - { 0x42, 474, 1, 6, "netscape" }, /* 462 */ - { 0x01, 469, 1, 7, "" }, /* 463 */ - { 0x01, 465, 0, 8, "nsCertType" }, /* 464 */ - { 0x03, 466, 0, 8, "nsRevocationUrl" }, /* 465 */ - { 0x04, 467, 0, 8, "nsCaRevocationUrl" }, /* 466 */ - { 0x08, 468, 0, 8, "nsCaPolicyUrl" }, /* 467 */ - { 0x0d, 0, 0, 8, "nsComment" }, /* 468 */ - { 0x03, 472, 1, 7, "directory" }, /* 469 */ - { 0x01, 0, 1, 8, "" }, /* 470 */ - { 0x03, 0, 0, 9, "employeeNumber" }, /* 471 */ - { 0x04, 0, 1, 7, "policy" }, /* 472 */ - { 0x01, 0, 0, 8, "nsSGC" }, /* 473 */ - { 0x45, 0, 1, 6, "verisign" }, /* 474 */ - { 0x01, 0, 1, 7, "pki" }, /* 475 */ - { 0x09, 0, 1, 8, "attributes" }, /* 476 */ - { 0x02, 478, 0, 9, "messageType" }, /* 477 */ - { 0x03, 479, 0, 9, "pkiStatus" }, /* 478 */ - { 0x04, 480, 0, 9, "failInfo" }, /* 479 */ - { 0x05, 481, 0, 9, "senderNonce" }, /* 480 */ - { 0x06, 482, 0, 9, "recipientNonce" }, /* 481 */ - { 0x07, 483, 0, 9, "transID" }, /* 482 */ - { 0x08, 0, 0, 9, "extensionReq" }, /* 483 */ - {0x67, 0, 1, 0, "" }, /* 484 */ - { 0x81, 0, 1, 1, "" }, /* 485 */ - { 0x05, 0, 1, 2, "" }, /* 486 */ - { 0x02, 0, 1, 3, "tcg-attribute" }, /* 487 */ - { 0x01, 489, 0, 4, "tcg-at-tpmManufacturer" }, /* 488 */ - { 0x02, 490, 0, 4, "tcg-at-tpmModel" }, /* 489 */ - { 0x03, 491, 0, 4, "tcg-at-tpmVersion" }, /* 490 */ - { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 491 */ + { 0x09, 27, 0, 2, "STREET" }, /* 26 */ + { 0x0A, 28, 0, 2, "O" }, /* 27 */ + { 0x0B, 29, 0, 2, "OU" }, /* 28 */ + { 0x0C, 30, 0, 2, "T" }, /* 29 */ + { 0x0D, 31, 0, 2, "D" }, /* 30 */ + { 0x10, 32, 0, 2, "postalAddress" }, /* 31 */ + { 0x11, 33, 0, 2, "postalCode" }, /* 32 */ + { 0x24, 34, 0, 2, "userCertificate" }, /* 33 */ + { 0x29, 35, 0, 2, "N" }, /* 34 */ + { 0x2A, 36, 0, 2, "G" }, /* 35 */ + { 0x2B, 37, 0, 2, "I" }, /* 36 */ + { 0x2D, 38, 0, 2, "ID" }, /* 37 */ + { 0x2E, 39, 0, 2, "dnQualifier" }, /* 38 */ + { 0x36, 40, 0, 2, "dmdName" }, /* 39 */ + { 0x41, 41, 0, 2, "pseudonym" }, /* 40 */ + { 0x48, 0, 0, 2, "role" }, /* 41 */ + { 0x1D, 0, 1, 1, "id-ce" }, /* 42 */ + { 0x09, 44, 0, 2, "subjectDirectoryAttrs" }, /* 43 */ + { 0x0E, 45, 0, 2, "subjectKeyIdentifier" }, /* 44 */ + { 0x0F, 46, 0, 2, "keyUsage" }, /* 45 */ + { 0x10, 47, 0, 2, "privateKeyUsagePeriod" }, /* 46 */ + { 0x11, 48, 0, 2, "subjectAltName" }, /* 47 */ + { 0x12, 49, 0, 2, "issuerAltName" }, /* 48 */ + { 0x13, 50, 0, 2, "basicConstraints" }, /* 49 */ + { 0x14, 51, 0, 2, "crlNumber" }, /* 50 */ + { 0x15, 52, 0, 2, "reasonCode" }, /* 51 */ + { 0x17, 53, 0, 2, "holdInstructionCode" }, /* 52 */ + { 0x18, 54, 0, 2, "invalidityDate" }, /* 53 */ + { 0x1B, 55, 0, 2, "deltaCrlIndicator" }, /* 54 */ + { 0x1C, 56, 0, 2, "issuingDistributionPoint" }, /* 55 */ + { 0x1D, 57, 0, 2, "certificateIssuer" }, /* 56 */ + { 0x1E, 58, 0, 2, "nameConstraints" }, /* 57 */ + { 0x1F, 59, 0, 2, "crlDistributionPoints" }, /* 58 */ + { 0x20, 61, 1, 2, "certificatePolicies" }, /* 59 */ + { 0x00, 0, 0, 3, "anyPolicy" }, /* 60 */ + { 0x21, 62, 0, 2, "policyMappings" }, /* 61 */ + { 0x23, 63, 0, 2, "authorityKeyIdentifier" }, /* 62 */ + { 0x24, 64, 0, 2, "policyConstraints" }, /* 63 */ + { 0x25, 66, 1, 2, "extendedKeyUsage" }, /* 64 */ + { 0x00, 0, 0, 3, "anyExtendedKeyUsage" }, /* 65 */ + { 0x2E, 67, 0, 2, "freshestCRL" }, /* 66 */ + { 0x36, 68, 0, 2, "inhibitAnyPolicy" }, /* 67 */ + { 0x37, 69, 0, 2, "targetInformation" }, /* 68 */ + { 0x38, 0, 0, 2, "noRevAvail" }, /* 69 */ + {0x2A, 195, 1, 0, "" }, /* 70 */ + { 0x83, 83, 1, 1, "" }, /* 71 */ + { 0x08, 0, 1, 2, "jp" }, /* 72 */ + { 0x8C, 0, 1, 3, "" }, /* 73 */ + { 0x9A, 0, 1, 4, "" }, /* 74 */ + { 0x4B, 0, 1, 5, "" }, /* 75 */ + { 0x3D, 0, 1, 6, "" }, /* 76 */ + { 0x01, 0, 1, 7, "security" }, /* 77 */ + { 0x01, 0, 1, 8, "algorithm" }, /* 78 */ + { 0x01, 0, 1, 9, "symm-encryption-alg" }, /* 79 */ + { 0x02, 81, 0, 10, "camellia128-cbc" }, /* 80 */ + { 0x03, 82, 0, 10, "camellia192-cbc" }, /* 81 */ + { 0x04, 0, 0, 10, "camellia256-cbc" }, /* 82 */ + { 0x86, 0, 1, 1, "" }, /* 83 */ + { 0x48, 0, 1, 2, "us" }, /* 84 */ + { 0x86, 154, 1, 3, "" }, /* 85 */ + { 0xF6, 91, 1, 4, "" }, /* 86 */ + { 0x7D, 0, 1, 5, "NortelNetworks" }, /* 87 */ + { 0x07, 0, 1, 6, "Entrust" }, /* 88 */ + { 0x41, 0, 1, 7, "nsn-ce" }, /* 89 */ + { 0x00, 0, 0, 8, "entrustVersInfo" }, /* 90 */ + { 0xF7, 0, 1, 4, "" }, /* 91 */ + { 0x0D, 0, 1, 5, "RSADSI" }, /* 92 */ + { 0x01, 149, 1, 6, "PKCS" }, /* 93 */ + { 0x01, 107, 1, 7, "PKCS-1" }, /* 94 */ + { 0x01, 96, 0, 8, "rsaEncryption" }, /* 95 */ + { 0x02, 97, 0, 8, "md2WithRSAEncryption" }, /* 96 */ + { 0x04, 98, 0, 8, "md5WithRSAEncryption" }, /* 97 */ + { 0x05, 99, 0, 8, "sha-1WithRSAEncryption" }, /* 98 */ + { 0x07, 100, 0, 8, "id-RSAES-OAEP" }, /* 99 */ + { 0x08, 101, 0, 8, "id-mgf1" }, /* 100 */ + { 0x09, 102, 0, 8, "id-pSpecified" }, /* 101 */ + { 0x0A, 103, 0, 8, "RSASSA-PSS" }, /* 102 */ + { 0x0B, 104, 0, 8, "sha256WithRSAEncryption" }, /* 103 */ + { 0x0C, 105, 0, 8, "sha384WithRSAEncryption" }, /* 104 */ + { 0x0D, 106, 0, 8, "sha512WithRSAEncryption" }, /* 105 */ + { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 106 */ + { 0x05, 112, 1, 7, "PKCS-5" }, /* 107 */ + { 0x03, 109, 0, 8, "pbeWithMD5AndDES-CBC" }, /* 108 */ + { 0x0A, 110, 0, 8, "pbeWithSHA1AndDES-CBC" }, /* 109 */ + { 0x0C, 111, 0, 8, "id-PBKDF2" }, /* 110 */ + { 0x0D, 0, 0, 8, "id-PBES2" }, /* 111 */ + { 0x07, 119, 1, 7, "PKCS-7" }, /* 112 */ + { 0x01, 114, 0, 8, "data" }, /* 113 */ + { 0x02, 115, 0, 8, "signedData" }, /* 114 */ + { 0x03, 116, 0, 8, "envelopedData" }, /* 115 */ + { 0x04, 117, 0, 8, "signedAndEnvelopedData" }, /* 116 */ + { 0x05, 118, 0, 8, "digestedData" }, /* 117 */ + { 0x06, 0, 0, 8, "encryptedData" }, /* 118 */ + { 0x09, 133, 1, 7, "PKCS-9" }, /* 119 */ + { 0x01, 121, 0, 8, "E" }, /* 120 */ + { 0x02, 122, 0, 8, "unstructuredName" }, /* 121 */ + { 0x03, 123, 0, 8, "contentType" }, /* 122 */ + { 0x04, 124, 0, 8, "messageDigest" }, /* 123 */ + { 0x05, 125, 0, 8, "signingTime" }, /* 124 */ + { 0x06, 126, 0, 8, "counterSignature" }, /* 125 */ + { 0x07, 127, 0, 8, "challengePassword" }, /* 126 */ + { 0x08, 128, 0, 8, "unstructuredAddress" }, /* 127 */ + { 0x0E, 129, 0, 8, "extensionRequest" }, /* 128 */ + { 0x0F, 130, 0, 8, "S/MIME Capabilities" }, /* 129 */ + { 0x16, 0, 1, 8, "certTypes" }, /* 130 */ + { 0x01, 132, 0, 9, "X.509" }, /* 131 */ + { 0x02, 0, 0, 9, "SDSI" }, /* 132 */ + { 0x0c, 0, 1, 7, "PKCS-12" }, /* 133 */ + { 0x01, 141, 1, 8, "pbeIds" }, /* 134 */ + { 0x01, 136, 0, 9, "pbeWithSHAAnd128BitRC4" }, /* 135 */ + { 0x02, 137, 0, 9, "pbeWithSHAAnd40BitRC4" }, /* 136 */ + { 0x03, 138, 0, 9, "pbeWithSHAAnd3-KeyTripleDES-CBC" }, /* 137 */ + { 0x04, 139, 0, 9, "pbeWithSHAAnd2-KeyTripleDES-CBC" }, /* 138 */ + { 0x05, 140, 0, 9, "pbeWithSHAAnd128BitRC2-CBC" }, /* 139 */ + { 0x06, 0, 0, 9, "pbeWithSHAAnd40BitRC2-CBC" }, /* 140 */ + { 0x0a, 0, 1, 8, "PKCS-12v1" }, /* 141 */ + { 0x01, 0, 1, 9, "bagIds" }, /* 142 */ + { 0x01, 144, 0, 10, "keyBag" }, /* 143 */ + { 0x02, 145, 0, 10, "pkcs8ShroudedKeyBag" }, /* 144 */ + { 0x03, 146, 0, 10, "certBag" }, /* 145 */ + { 0x04, 147, 0, 10, "crlBag" }, /* 146 */ + { 0x05, 148, 0, 10, "secretBag" }, /* 147 */ + { 0x06, 0, 0, 10, "safeContentsBag" }, /* 148 */ + { 0x02, 152, 1, 6, "digestAlgorithm" }, /* 149 */ + { 0x02, 151, 0, 7, "md2" }, /* 150 */ + { 0x05, 0, 0, 7, "md5" }, /* 151 */ + { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 152 */ + { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 153 */ + { 0xCE, 0, 1, 3, "" }, /* 154 */ + { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 155 */ + { 0x02, 158, 1, 5, "id-publicKeyType" }, /* 156 */ + { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 157 */ + { 0x03, 188, 1, 5, "ellipticCurve" }, /* 158 */ + { 0x00, 180, 1, 6, "c-TwoCurve" }, /* 159 */ + { 0x01, 161, 0, 7, "c2pnb163v1" }, /* 160 */ + { 0x02, 162, 0, 7, "c2pnb163v2" }, /* 161 */ + { 0x03, 163, 0, 7, "c2pnb163v3" }, /* 162 */ + { 0x04, 164, 0, 7, "c2pnb176w1" }, /* 163 */ + { 0x05, 165, 0, 7, "c2tnb191v1" }, /* 164 */ + { 0x06, 166, 0, 7, "c2tnb191v2" }, /* 165 */ + { 0x07, 167, 0, 7, "c2tnb191v3" }, /* 166 */ + { 0x08, 168, 0, 7, "c2onb191v4" }, /* 167 */ + { 0x09, 169, 0, 7, "c2onb191v5" }, /* 168 */ + { 0x0A, 170, 0, 7, "c2pnb208w1" }, /* 169 */ + { 0x0B, 171, 0, 7, "c2tnb239v1" }, /* 170 */ + { 0x0C, 172, 0, 7, "c2tnb239v2" }, /* 171 */ + { 0x0D, 173, 0, 7, "c2tnb239v3" }, /* 172 */ + { 0x0E, 174, 0, 7, "c2onb239v4" }, /* 173 */ + { 0x0F, 175, 0, 7, "c2onb239v5" }, /* 174 */ + { 0x10, 176, 0, 7, "c2pnb272w1" }, /* 175 */ + { 0x11, 177, 0, 7, "c2pnb304w1" }, /* 176 */ + { 0x12, 178, 0, 7, "c2tnb359v1" }, /* 177 */ + { 0x13, 179, 0, 7, "c2pnb368w1" }, /* 178 */ + { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 179 */ + { 0x01, 0, 1, 6, "primeCurve" }, /* 180 */ + { 0x01, 182, 0, 7, "prime192v1" }, /* 181 */ + { 0x02, 183, 0, 7, "prime192v2" }, /* 182 */ + { 0x03, 184, 0, 7, "prime192v3" }, /* 183 */ + { 0x04, 185, 0, 7, "prime239v1" }, /* 184 */ + { 0x05, 186, 0, 7, "prime239v2" }, /* 185 */ + { 0x06, 187, 0, 7, "prime239v3" }, /* 186 */ + { 0x07, 0, 0, 7, "prime256v1" }, /* 187 */ + { 0x04, 0, 1, 5, "id-ecSigType" }, /* 188 */ + { 0x01, 190, 0, 6, "ecdsa-with-SHA1" }, /* 189 */ + { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 190 */ + { 0x01, 192, 0, 7, "ecdsa-with-SHA224" }, /* 191 */ + { 0x02, 193, 0, 7, "ecdsa-with-SHA256" }, /* 192 */ + { 0x03, 194, 0, 7, "ecdsa-with-SHA384" }, /* 193 */ + { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 194 */ + {0x2B, 425, 1, 0, "" }, /* 195 */ + { 0x06, 336, 1, 1, "dod" }, /* 196 */ + { 0x01, 0, 1, 2, "internet" }, /* 197 */ + { 0x04, 287, 1, 3, "private" }, /* 198 */ + { 0x01, 0, 1, 4, "enterprise" }, /* 199 */ + { 0x82, 237, 1, 5, "" }, /* 200 */ + { 0x37, 213, 1, 6, "Microsoft" }, /* 201 */ + { 0x0A, 206, 1, 7, "" }, /* 202 */ + { 0x03, 0, 1, 8, "" }, /* 203 */ + { 0x03, 205, 0, 9, "msSGC" }, /* 204 */ + { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 205 */ + { 0x14, 210, 1, 7, "msEnrollmentInfrastructure" }, /* 206 */ + { 0x02, 0, 1, 8, "msCertificateTypeExtension" }, /* 207 */ + { 0x02, 209, 0, 9, "msSmartcardLogon" }, /* 208 */ + { 0x03, 0, 0, 9, "msUPN" }, /* 209 */ + { 0x15, 0, 1, 7, "msCertSrvInfrastructure" }, /* 210 */ + { 0x07, 212, 0, 8, "msCertTemplate" }, /* 211 */ + { 0x0A, 0, 0, 8, "msApplicationCertPolicies" }, /* 212 */ + { 0xA0, 0, 1, 6, "" }, /* 213 */ + { 0x2A, 0, 1, 7, "ITA" }, /* 214 */ + { 0x01, 216, 0, 8, "strongSwan" }, /* 215 */ + { 0x02, 217, 0, 8, "cps" }, /* 216 */ + { 0x03, 218, 0, 8, "e-voting" }, /* 217 */ + { 0x05, 0, 1, 8, "BLISS" }, /* 218 */ + { 0x01, 221, 1, 9, "keyType" }, /* 219 */ + { 0x01, 0, 0, 10, "blissPublicKey" }, /* 220 */ + { 0x02, 230, 1, 9, "parameters" }, /* 221 */ + { 0x01, 223, 0, 10, "BLISS-I" }, /* 222 */ + { 0x02, 224, 0, 10, "BLISS-II" }, /* 223 */ + { 0x03, 225, 0, 10, "BLISS-III" }, /* 224 */ + { 0x04, 226, 0, 10, "BLISS-IV" }, /* 225 */ + { 0x05, 227, 0, 10, "BLISS-B-I" }, /* 226 */ + { 0x06, 228, 0, 10, "BLISS-B-II" }, /* 227 */ + { 0x07, 229, 0, 10, "BLISS-B-III" }, /* 228 */ + { 0x08, 0, 0, 10, "BLISS-B-IV" }, /* 229 */ + { 0x03, 0, 1, 9, "blissSigType" }, /* 230 */ + { 0x01, 232, 0, 10, "BLISS-with-SHA2-512" }, /* 231 */ + { 0x02, 233, 0, 10, "BLISS-with-SHA2-384" }, /* 232 */ + { 0x03, 234, 0, 10, "BLISS-with-SHA2-256" }, /* 233 */ + { 0x04, 235, 0, 10, "BLISS-with-SHA3-512" }, /* 234 */ + { 0x05, 236, 0, 10, "BLISS-with-SHA3-384" }, /* 235 */ + { 0x06, 0, 0, 10, "BLISS-with-SHA3-256" }, /* 236 */ + { 0x89, 244, 1, 5, "" }, /* 237 */ + { 0x31, 0, 1, 6, "" }, /* 238 */ + { 0x01, 0, 1, 7, "" }, /* 239 */ + { 0x01, 0, 1, 8, "" }, /* 240 */ + { 0x02, 0, 1, 9, "" }, /* 241 */ + { 0x02, 0, 1, 10, "" }, /* 242 */ + { 0x4B, 0, 0, 11, "TCGID" }, /* 243 */ + { 0x97, 248, 1, 5, "" }, /* 244 */ + { 0x55, 0, 1, 6, "" }, /* 245 */ + { 0x01, 0, 1, 7, "" }, /* 246 */ + { 0x02, 0, 0, 8, "blowfish-cbc" }, /* 247 */ + { 0xC1, 0, 1, 5, "" }, /* 248 */ + { 0x16, 0, 1, 6, "ntruCryptosystems" }, /* 249 */ + { 0x01, 0, 1, 7, "eess" }, /* 250 */ + { 0x01, 0, 1, 8, "eess1" }, /* 251 */ + { 0x01, 256, 1, 9, "eess1-algs" }, /* 252 */ + { 0x01, 254, 0, 10, "ntru-EESS1v1-SVES" }, /* 253 */ + { 0x02, 255, 0, 10, "ntru-EESS1v1-SVSSA" }, /* 254 */ + { 0x03, 0, 0, 10, "ntru-EESS1v1-NTRUSign" }, /* 255 */ + { 0x02, 286, 1, 9, "eess1-params" }, /* 256 */ + { 0x01, 258, 0, 10, "ees251ep1" }, /* 257 */ + { 0x02, 259, 0, 10, "ees347ep1" }, /* 258 */ + { 0x03, 260, 0, 10, "ees503ep1" }, /* 259 */ + { 0x07, 261, 0, 10, "ees251sp2" }, /* 260 */ + { 0x0C, 262, 0, 10, "ees251ep4" }, /* 261 */ + { 0x0D, 263, 0, 10, "ees251ep5" }, /* 262 */ + { 0x0E, 264, 0, 10, "ees251sp3" }, /* 263 */ + { 0x0F, 265, 0, 10, "ees251sp4" }, /* 264 */ + { 0x10, 266, 0, 10, "ees251sp5" }, /* 265 */ + { 0x11, 267, 0, 10, "ees251sp6" }, /* 266 */ + { 0x12, 268, 0, 10, "ees251sp7" }, /* 267 */ + { 0x13, 269, 0, 10, "ees251sp8" }, /* 268 */ + { 0x14, 270, 0, 10, "ees251sp9" }, /* 269 */ + { 0x22, 271, 0, 10, "ees401ep1" }, /* 270 */ + { 0x23, 272, 0, 10, "ees449ep1" }, /* 271 */ + { 0x24, 273, 0, 10, "ees677ep1" }, /* 272 */ + { 0x25, 274, 0, 10, "ees1087ep2" }, /* 273 */ + { 0x26, 275, 0, 10, "ees541ep1" }, /* 274 */ + { 0x27, 276, 0, 10, "ees613ep1" }, /* 275 */ + { 0x28, 277, 0, 10, "ees887ep1" }, /* 276 */ + { 0x29, 278, 0, 10, "ees1171ep1" }, /* 277 */ + { 0x2A, 279, 0, 10, "ees659ep1" }, /* 278 */ + { 0x2B, 280, 0, 10, "ees761ep1" }, /* 279 */ + { 0x2C, 281, 0, 10, "ees1087ep1" }, /* 280 */ + { 0x2D, 282, 0, 10, "ees1499ep1" }, /* 281 */ + { 0x2E, 283, 0, 10, "ees401ep2" }, /* 282 */ + { 0x2F, 284, 0, 10, "ees439ep1" }, /* 283 */ + { 0x30, 285, 0, 10, "ees593ep1" }, /* 284 */ + { 0x31, 0, 0, 10, "ees743ep1" }, /* 285 */ + { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 286 */ + { 0x05, 0, 1, 3, "security" }, /* 287 */ + { 0x05, 0, 1, 4, "mechanisms" }, /* 288 */ + { 0x07, 333, 1, 5, "id-pkix" }, /* 289 */ + { 0x01, 294, 1, 6, "id-pe" }, /* 290 */ + { 0x01, 292, 0, 7, "authorityInfoAccess" }, /* 291 */ + { 0x03, 293, 0, 7, "qcStatements" }, /* 292 */ + { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 293 */ + { 0x02, 297, 1, 6, "id-qt" }, /* 294 */ + { 0x01, 296, 0, 7, "cps" }, /* 295 */ + { 0x02, 0, 0, 7, "unotice" }, /* 296 */ + { 0x03, 307, 1, 6, "id-kp" }, /* 297 */ + { 0x01, 299, 0, 7, "serverAuth" }, /* 298 */ + { 0x02, 300, 0, 7, "clientAuth" }, /* 299 */ + { 0x03, 301, 0, 7, "codeSigning" }, /* 300 */ + { 0x04, 302, 0, 7, "emailProtection" }, /* 301 */ + { 0x05, 303, 0, 7, "ipsecEndSystem" }, /* 302 */ + { 0x06, 304, 0, 7, "ipsecTunnel" }, /* 303 */ + { 0x07, 305, 0, 7, "ipsecUser" }, /* 304 */ + { 0x08, 306, 0, 7, "timeStamping" }, /* 305 */ + { 0x09, 0, 0, 7, "ocspSigning" }, /* 306 */ + { 0x08, 315, 1, 6, "id-otherNames" }, /* 307 */ + { 0x01, 309, 0, 7, "personalData" }, /* 308 */ + { 0x02, 310, 0, 7, "userGroup" }, /* 309 */ + { 0x03, 311, 0, 7, "id-on-permanentIdentifier" }, /* 310 */ + { 0x04, 312, 0, 7, "id-on-hardwareModuleName" }, /* 311 */ + { 0x05, 313, 0, 7, "xmppAddr" }, /* 312 */ + { 0x06, 314, 0, 7, "id-on-SIM" }, /* 313 */ + { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 314 */ + { 0x0A, 320, 1, 6, "id-aca" }, /* 315 */ + { 0x01, 317, 0, 7, "authenticationInfo" }, /* 316 */ + { 0x02, 318, 0, 7, "accessIdentity" }, /* 317 */ + { 0x03, 319, 0, 7, "chargingIdentity" }, /* 318 */ + { 0x04, 0, 0, 7, "group" }, /* 319 */ + { 0x0B, 321, 0, 6, "subjectInfoAccess" }, /* 320 */ + { 0x30, 0, 1, 6, "id-ad" }, /* 321 */ + { 0x01, 330, 1, 7, "ocsp" }, /* 322 */ + { 0x01, 324, 0, 8, "basic" }, /* 323 */ + { 0x02, 325, 0, 8, "nonce" }, /* 324 */ + { 0x03, 326, 0, 8, "crl" }, /* 325 */ + { 0x04, 327, 0, 8, "response" }, /* 326 */ + { 0x05, 328, 0, 8, "noCheck" }, /* 327 */ + { 0x06, 329, 0, 8, "archiveCutoff" }, /* 328 */ + { 0x07, 0, 0, 8, "serviceLocator" }, /* 329 */ + { 0x02, 331, 0, 7, "caIssuers" }, /* 330 */ + { 0x03, 332, 0, 7, "timeStamping" }, /* 331 */ + { 0x05, 0, 0, 7, "caRepository" }, /* 332 */ + { 0x08, 0, 1, 5, "ipsec" }, /* 333 */ + { 0x02, 0, 1, 6, "certificate" }, /* 334 */ + { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 335 */ + { 0x0E, 342, 1, 1, "oiw" }, /* 336 */ + { 0x03, 0, 1, 2, "secsig" }, /* 337 */ + { 0x02, 0, 1, 3, "algorithms" }, /* 338 */ + { 0x07, 340, 0, 4, "des-cbc" }, /* 339 */ + { 0x1A, 341, 0, 4, "sha-1" }, /* 340 */ + { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 341 */ + { 0x24, 388, 1, 1, "TeleTrusT" }, /* 342 */ + { 0x03, 0, 1, 2, "algorithm" }, /* 343 */ + { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 344 */ + { 0x01, 349, 1, 4, "rsaSignature" }, /* 345 */ + { 0x02, 347, 0, 5, "rsaSigWithripemd160" }, /* 346 */ + { 0x03, 348, 0, 5, "rsaSigWithripemd128" }, /* 347 */ + { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 348 */ + { 0x02, 0, 1, 4, "ecSign" }, /* 349 */ + { 0x01, 351, 0, 5, "ecSignWithsha1" }, /* 350 */ + { 0x02, 352, 0, 5, "ecSignWithripemd160" }, /* 351 */ + { 0x03, 353, 0, 5, "ecSignWithmd2" }, /* 352 */ + { 0x04, 354, 0, 5, "ecSignWithmd5" }, /* 353 */ + { 0x05, 371, 1, 5, "ttt-ecg" }, /* 354 */ + { 0x01, 359, 1, 6, "fieldType" }, /* 355 */ + { 0x01, 0, 1, 7, "characteristictwoField" }, /* 356 */ + { 0x01, 0, 1, 8, "basisType" }, /* 357 */ + { 0x01, 0, 0, 9, "ipBasis" }, /* 358 */ + { 0x02, 361, 1, 6, "keyType" }, /* 359 */ + { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 360 */ + { 0x03, 362, 0, 6, "curve" }, /* 361 */ + { 0x04, 369, 1, 6, "signatures" }, /* 362 */ + { 0x01, 364, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 363 */ + { 0x02, 365, 0, 7, "ecgdsa-with-SHA1" }, /* 364 */ + { 0x03, 366, 0, 7, "ecgdsa-with-SHA224" }, /* 365 */ + { 0x04, 367, 0, 7, "ecgdsa-with-SHA256" }, /* 366 */ + { 0x05, 368, 0, 7, "ecgdsa-with-SHA384" }, /* 367 */ + { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 368 */ + { 0x05, 0, 1, 6, "module" }, /* 369 */ + { 0x01, 0, 0, 7, "1" }, /* 370 */ + { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 371 */ + { 0x01, 0, 1, 6, "ellipticCurve" }, /* 372 */ + { 0x01, 0, 1, 7, "versionOne" }, /* 373 */ + { 0x01, 375, 0, 8, "brainpoolP160r1" }, /* 374 */ + { 0x02, 376, 0, 8, "brainpoolP160t1" }, /* 375 */ + { 0x03, 377, 0, 8, "brainpoolP192r1" }, /* 376 */ + { 0x04, 378, 0, 8, "brainpoolP192t1" }, /* 377 */ + { 0x05, 379, 0, 8, "brainpoolP224r1" }, /* 378 */ + { 0x06, 380, 0, 8, "brainpoolP224t1" }, /* 379 */ + { 0x07, 381, 0, 8, "brainpoolP256r1" }, /* 380 */ + { 0x08, 382, 0, 8, "brainpoolP256t1" }, /* 381 */ + { 0x09, 383, 0, 8, "brainpoolP320r1" }, /* 382 */ + { 0x0A, 384, 0, 8, "brainpoolP320t1" }, /* 383 */ + { 0x0B, 385, 0, 8, "brainpoolP384r1" }, /* 384 */ + { 0x0C, 386, 0, 8, "brainpoolP384t1" }, /* 385 */ + { 0x0D, 387, 0, 8, "brainpoolP512r1" }, /* 386 */ + { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 387 */ + { 0x65, 391, 1, 1, "Thawte" }, /* 388 */ + { 0x70, 390, 0, 2, "id-Ed25519" }, /* 389 */ + { 0x71, 0, 0, 2, "id-Ed448" }, /* 390 */ + { 0x81, 0, 1, 1, "" }, /* 391 */ + { 0x04, 0, 1, 2, "Certicom" }, /* 392 */ + { 0x00, 0, 1, 3, "curve" }, /* 393 */ + { 0x01, 395, 0, 4, "sect163k1" }, /* 394 */ + { 0x02, 396, 0, 4, "sect163r1" }, /* 395 */ + { 0x03, 397, 0, 4, "sect239k1" }, /* 396 */ + { 0x04, 398, 0, 4, "sect113r1" }, /* 397 */ + { 0x05, 399, 0, 4, "sect113r2" }, /* 398 */ + { 0x06, 400, 0, 4, "secp112r1" }, /* 399 */ + { 0x07, 401, 0, 4, "secp112r2" }, /* 400 */ + { 0x08, 402, 0, 4, "secp160r1" }, /* 401 */ + { 0x09, 403, 0, 4, "secp160k1" }, /* 402 */ + { 0x0A, 404, 0, 4, "secp256k1" }, /* 403 */ + { 0x0F, 405, 0, 4, "sect163r2" }, /* 404 */ + { 0x10, 406, 0, 4, "sect283k1" }, /* 405 */ + { 0x11, 407, 0, 4, "sect283r1" }, /* 406 */ + { 0x16, 408, 0, 4, "sect131r1" }, /* 407 */ + { 0x17, 409, 0, 4, "sect131r2" }, /* 408 */ + { 0x18, 410, 0, 4, "sect193r1" }, /* 409 */ + { 0x19, 411, 0, 4, "sect193r2" }, /* 410 */ + { 0x1A, 412, 0, 4, "sect233k1" }, /* 411 */ + { 0x1B, 413, 0, 4, "sect233r1" }, /* 412 */ + { 0x1C, 414, 0, 4, "secp128r1" }, /* 413 */ + { 0x1D, 415, 0, 4, "secp128r2" }, /* 414 */ + { 0x1E, 416, 0, 4, "secp160r2" }, /* 415 */ + { 0x1F, 417, 0, 4, "secp192k1" }, /* 416 */ + { 0x20, 418, 0, 4, "secp224k1" }, /* 417 */ + { 0x21, 419, 0, 4, "secp224r1" }, /* 418 */ + { 0x22, 420, 0, 4, "secp384r1" }, /* 419 */ + { 0x23, 421, 0, 4, "secp521r1" }, /* 420 */ + { 0x24, 422, 0, 4, "sect409k1" }, /* 421 */ + { 0x25, 423, 0, 4, "sect409r1" }, /* 422 */ + { 0x26, 424, 0, 4, "sect571k1" }, /* 423 */ + { 0x27, 0, 0, 4, "sect571r1" }, /* 424 */ + {0x60, 488, 1, 0, "" }, /* 425 */ + { 0x86, 0, 1, 1, "" }, /* 426 */ + { 0x48, 0, 1, 2, "" }, /* 427 */ + { 0x01, 0, 1, 3, "organization" }, /* 428 */ + { 0x65, 464, 1, 4, "gov" }, /* 429 */ + { 0x03, 0, 1, 5, "csor" }, /* 430 */ + { 0x04, 0, 1, 6, "nistalgorithm" }, /* 431 */ + { 0x01, 442, 1, 7, "aes" }, /* 432 */ + { 0x02, 434, 0, 8, "id-aes128-CBC" }, /* 433 */ + { 0x06, 435, 0, 8, "id-aes128-GCM" }, /* 434 */ + { 0x07, 436, 0, 8, "id-aes128-CCM" }, /* 435 */ + { 0x16, 437, 0, 8, "id-aes192-CBC" }, /* 436 */ + { 0x1A, 438, 0, 8, "id-aes192-GCM" }, /* 437 */ + { 0x1B, 439, 0, 8, "id-aes192-CCM" }, /* 438 */ + { 0x2A, 440, 0, 8, "id-aes256-CBC" }, /* 439 */ + { 0x2E, 441, 0, 8, "id-aes256-GCM" }, /* 440 */ + { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 441 */ + { 0x02, 455, 1, 7, "hashAlgs" }, /* 442 */ + { 0x01, 444, 0, 8, "id-sha256" }, /* 443 */ + { 0x02, 445, 0, 8, "id-sha384" }, /* 444 */ + { 0x03, 446, 0, 8, "id-sha512" }, /* 445 */ + { 0x04, 447, 0, 8, "id-sha224" }, /* 446 */ + { 0x05, 448, 0, 8, "id-sha512-224" }, /* 447 */ + { 0x06, 449, 0, 8, "id-sha512-256" }, /* 448 */ + { 0x07, 450, 0, 8, "id-sha3-224" }, /* 449 */ + { 0x08, 451, 0, 8, "id-sha3-256" }, /* 450 */ + { 0x09, 452, 0, 8, "id-sha3-384" }, /* 451 */ + { 0x0A, 453, 0, 8, "id-sha3-512" }, /* 452 */ + { 0x0B, 454, 0, 8, "id-shake128" }, /* 453 */ + { 0x0C, 0, 0, 8, "id-shake256" }, /* 454 */ + { 0x03, 0, 1, 7, "sigAlgs" }, /* 455 */ + { 0x09, 457, 0, 8, "id-ecdsa-with-sha3-224" }, /* 456 */ + { 0x0A, 458, 0, 8, "id-ecdsa-with-sha3-256" }, /* 457 */ + { 0x0B, 459, 0, 8, "id-ecdsa-with-sha3-384" }, /* 458 */ + { 0x0C, 460, 0, 8, "id-ecdsa-with-sha3-512" }, /* 459 */ + { 0x0D, 461, 0, 8, "id-rsassa-pkcs1v15-with-sha3-224"}, /* 460 */ + { 0x0E, 462, 0, 8, "id-rsassa-pkcs1v15-with-sha3-256"}, /* 461 */ + { 0x0F, 463, 0, 8, "id-rsassa-pkcs1v15-with-sha3-384"}, /* 462 */ + { 0x10, 0, 0, 8, "id-rsassa-pkcs1v15-with-sha3-512"}, /* 463 */ + { 0x86, 0, 1, 4, "" }, /* 464 */ + { 0xf8, 0, 1, 5, "" }, /* 465 */ + { 0x42, 478, 1, 6, "netscape" }, /* 466 */ + { 0x01, 473, 1, 7, "" }, /* 467 */ + { 0x01, 469, 0, 8, "nsCertType" }, /* 468 */ + { 0x03, 470, 0, 8, "nsRevocationUrl" }, /* 469 */ + { 0x04, 471, 0, 8, "nsCaRevocationUrl" }, /* 470 */ + { 0x08, 472, 0, 8, "nsCaPolicyUrl" }, /* 471 */ + { 0x0d, 0, 0, 8, "nsComment" }, /* 472 */ + { 0x03, 476, 1, 7, "directory" }, /* 473 */ + { 0x01, 0, 1, 8, "" }, /* 474 */ + { 0x03, 0, 0, 9, "employeeNumber" }, /* 475 */ + { 0x04, 0, 1, 7, "policy" }, /* 476 */ + { 0x01, 0, 0, 8, "nsSGC" }, /* 477 */ + { 0x45, 0, 1, 6, "verisign" }, /* 478 */ + { 0x01, 0, 1, 7, "pki" }, /* 479 */ + { 0x09, 0, 1, 8, "attributes" }, /* 480 */ + { 0x02, 482, 0, 9, "messageType" }, /* 481 */ + { 0x03, 483, 0, 9, "pkiStatus" }, /* 482 */ + { 0x04, 484, 0, 9, "failInfo" }, /* 483 */ + { 0x05, 485, 0, 9, "senderNonce" }, /* 484 */ + { 0x06, 486, 0, 9, "recipientNonce" }, /* 485 */ + { 0x07, 487, 0, 9, "transID" }, /* 486 */ + { 0x08, 0, 0, 9, "extensionReq" }, /* 487 */ + {0x67, 0, 1, 0, "" }, /* 488 */ + { 0x81, 0, 1, 1, "" }, /* 489 */ + { 0x05, 0, 1, 2, "" }, /* 490 */ + { 0x02, 0, 1, 3, "tcg-attribute" }, /* 491 */ + { 0x01, 493, 0, 4, "tcg-at-tpmManufacturer" }, /* 492 */ + { 0x02, 494, 0, 4, "tcg-at-tpmModel" }, /* 493 */ + { 0x03, 495, 0, 4, "tcg-at-tpmVersion" }, /* 494 */ + { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 495 */ }; diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h index f316c0c78..0e9b7ea24 100644 --- a/src/libstrongswan/asn1/oid.h +++ b/src/libstrongswan/asn1/oid.h @@ -30,242 +30,247 @@ extern const oid_t oid_names[]; #define OID_COUNTRY 23 #define OID_LOCALITY 24 #define OID_STATE_OR_PROVINCE 25 -#define OID_ORGANIZATION 26 -#define OID_ORGANIZATION_UNIT 27 -#define OID_TITLE 28 -#define OID_DESCRIPTION 29 -#define OID_USER_CERTIFICATE 30 -#define OID_NAME 31 -#define OID_GIVEN_NAME 32 -#define OID_INITIALS 33 -#define OID_UNIQUE_IDENTIFIER 34 -#define OID_DN_QUALIFIER 35 -#define OID_DMD_NAME 36 -#define OID_PSEUDONYM 37 -#define OID_ROLE 38 -#define OID_SUBJECT_KEY_ID 41 -#define OID_KEY_USAGE 42 -#define OID_SUBJECT_ALT_NAME 44 -#define OID_BASIC_CONSTRAINTS 46 -#define OID_CRL_NUMBER 47 -#define OID_CRL_REASON_CODE 48 -#define OID_DELTA_CRL_INDICATOR 51 -#define OID_ISSUING_DIST_POINT 52 -#define OID_NAME_CONSTRAINTS 54 -#define OID_CRL_DISTRIBUTION_POINTS 55 -#define OID_CERTIFICATE_POLICIES 56 -#define OID_ANY_POLICY 57 -#define OID_POLICY_MAPPINGS 58 -#define OID_AUTHORITY_KEY_ID 59 -#define OID_POLICY_CONSTRAINTS 60 -#define OID_EXTENDED_KEY_USAGE 61 -#define OID_FRESHEST_CRL 63 -#define OID_INHIBIT_ANY_POLICY 64 -#define OID_TARGET_INFORMATION 65 -#define OID_NO_REV_AVAIL 66 -#define OID_CAMELLIA128_CBC 77 -#define OID_CAMELLIA192_CBC 78 -#define OID_CAMELLIA256_CBC 79 -#define OID_RSA_ENCRYPTION 92 -#define OID_MD2_WITH_RSA 93 -#define OID_MD5_WITH_RSA 94 -#define OID_SHA1_WITH_RSA 95 -#define OID_RSAES_OAEP 96 -#define OID_SHA256_WITH_RSA 99 -#define OID_SHA384_WITH_RSA 100 -#define OID_SHA512_WITH_RSA 101 -#define OID_SHA224_WITH_RSA 102 -#define OID_PBE_MD5_DES_CBC 104 -#define OID_PBE_SHA1_DES_CBC 105 -#define OID_PBKDF2 106 -#define OID_PBES2 107 -#define OID_PKCS7_DATA 109 -#define OID_PKCS7_SIGNED_DATA 110 -#define OID_PKCS7_ENVELOPED_DATA 111 -#define OID_PKCS7_SIGNED_ENVELOPED_DATA 112 -#define OID_PKCS7_DIGESTED_DATA 113 -#define OID_PKCS7_ENCRYPTED_DATA 114 -#define OID_EMAIL_ADDRESS 116 -#define OID_UNSTRUCTURED_NAME 117 -#define OID_PKCS9_CONTENT_TYPE 118 -#define OID_PKCS9_MESSAGE_DIGEST 119 -#define OID_PKCS9_SIGNING_TIME 120 -#define OID_CHALLENGE_PASSWORD 122 -#define OID_UNSTRUCTURED_ADDRESS 123 -#define OID_EXTENSION_REQUEST 124 -#define OID_X509_CERTIFICATE 127 -#define OID_PBE_SHA1_RC4_128 131 -#define OID_PBE_SHA1_RC4_40 132 -#define OID_PBE_SHA1_3DES_CBC 133 -#define OID_PBE_SHA1_3DES_2KEY_CBC 134 -#define OID_PBE_SHA1_RC2_CBC_128 135 -#define OID_PBE_SHA1_RC2_CBC_40 136 -#define OID_P12_KEY_BAG 139 -#define OID_P12_PKCS8_KEY_BAG 140 -#define OID_P12_CERT_BAG 141 -#define OID_P12_CRL_BAG 142 -#define OID_MD2 146 -#define OID_MD5 147 -#define OID_3DES_EDE_CBC 149 -#define OID_EC_PUBLICKEY 153 -#define OID_C2PNB163V1 156 -#define OID_C2PNB163V2 157 -#define OID_C2PNB163V3 158 -#define OID_C2PNB176W1 159 -#define OID_C2PNB191V1 160 -#define OID_C2PNB191V2 161 -#define OID_C2PNB191V3 162 -#define OID_C2PNB191V4 163 -#define OID_C2PNB191V5 164 -#define OID_C2PNB208W1 165 -#define OID_C2PNB239V1 166 -#define OID_C2PNB239V2 167 -#define OID_C2PNB239V3 168 -#define OID_C2PNB239V4 169 -#define OID_C2PNB239V5 170 -#define OID_C2PNB272W1 171 -#define OID_C2PNB304W1 172 -#define OID_C2PNB359V1 173 -#define OID_C2PNB368W1 174 -#define OID_C2PNB431R1 175 -#define OID_PRIME192V1 177 -#define OID_PRIME192V2 178 -#define OID_PRIME192V3 179 -#define OID_PRIME239V1 180 -#define OID_PRIME239V2 181 -#define OID_PRIME239V3 182 -#define OID_PRIME256V1 183 -#define OID_ECDSA_WITH_SHA1 185 -#define OID_ECDSA_WITH_SHA224 187 -#define OID_ECDSA_WITH_SHA256 188 -#define OID_ECDSA_WITH_SHA384 189 -#define OID_ECDSA_WITH_SHA512 190 -#define OID_MS_SMARTCARD_LOGON 204 -#define OID_USER_PRINCIPAL_NAME 205 -#define OID_STRONGSWAN 211 -#define OID_BLISS_PUBLICKEY 216 -#define OID_BLISS_I 218 -#define OID_BLISS_II 219 -#define OID_BLISS_III 220 -#define OID_BLISS_IV 221 -#define OID_BLISS_B_I 222 -#define OID_BLISS_B_II 223 -#define OID_BLISS_B_III 224 -#define OID_BLISS_B_IV 225 -#define OID_BLISS_WITH_SHA2_512 227 -#define OID_BLISS_WITH_SHA2_384 228 -#define OID_BLISS_WITH_SHA2_256 229 -#define OID_BLISS_WITH_SHA3_512 230 -#define OID_BLISS_WITH_SHA3_384 231 -#define OID_BLISS_WITH_SHA3_256 232 -#define OID_TCGID 239 -#define OID_BLOWFISH_CBC 243 -#define OID_AUTHORITY_INFO_ACCESS 287 -#define OID_IP_ADDR_BLOCKS 289 -#define OID_POLICY_QUALIFIER_CPS 291 -#define OID_POLICY_QUALIFIER_UNOTICE 292 -#define OID_SERVER_AUTH 294 -#define OID_CLIENT_AUTH 295 -#define OID_OCSP_SIGNING 302 -#define OID_XMPP_ADDR 308 -#define OID_AUTHENTICATION_INFO 312 -#define OID_ACCESS_IDENTITY 313 -#define OID_CHARGING_IDENTITY 314 -#define OID_GROUP 315 -#define OID_OCSP 318 -#define OID_BASIC 319 -#define OID_NONCE 320 -#define OID_CRL 321 -#define OID_RESPONSE 322 -#define OID_NO_CHECK 323 -#define OID_ARCHIVE_CUTOFF 324 -#define OID_SERVICE_LOCATOR 325 -#define OID_CA_ISSUERS 326 -#define OID_IKE_INTERMEDIATE 331 -#define OID_DES_CBC 335 -#define OID_SHA1 336 -#define OID_SHA1_WITH_RSA_OIW 337 -#define OID_ECGDSA_PUBKEY 356 -#define OID_ECGDSA_SIG_WITH_RIPEMD160 359 -#define OID_ECGDSA_SIG_WITH_SHA1 360 -#define OID_ECGDSA_SIG_WITH_SHA224 361 -#define OID_ECGDSA_SIG_WITH_SHA256 362 -#define OID_ECGDSA_SIG_WITH_SHA384 363 -#define OID_ECGDSA_SIG_WITH_SHA512 364 -#define OID_ED25519 385 -#define OID_ED448 386 -#define OID_SECT163K1 390 -#define OID_SECT163R1 391 -#define OID_SECT239K1 392 -#define OID_SECT113R1 393 -#define OID_SECT113R2 394 -#define OID_SECT112R1 395 -#define OID_SECT112R2 396 -#define OID_SECT160R1 397 -#define OID_SECT160K1 398 -#define OID_SECT256K1 399 -#define OID_SECT163R2 400 -#define OID_SECT283K1 401 -#define OID_SECT283R1 402 -#define OID_SECT131R1 403 -#define OID_SECT131R2 404 -#define OID_SECT193R1 405 -#define OID_SECT193R2 406 -#define OID_SECT233K1 407 -#define OID_SECT233R1 408 -#define OID_SECT128R1 409 -#define OID_SECT128R2 410 -#define OID_SECT160R2 411 -#define OID_SECT192K1 412 -#define OID_SECT224K1 413 -#define OID_SECT224R1 414 -#define OID_SECT384R1 415 -#define OID_SECT521R1 416 -#define OID_SECT409K1 417 -#define OID_SECT409R1 418 -#define OID_SECT571K1 419 -#define OID_SECT571R1 420 -#define OID_AES128_CBC 429 -#define OID_AES128_GCM 430 -#define OID_AES128_CCM 431 -#define OID_AES192_CBC 432 -#define OID_AES192_GCM 433 -#define OID_AES192_CCM 434 -#define OID_AES256_CBC 435 -#define OID_AES256_GCM 436 -#define OID_AES256_CCM 437 -#define OID_SHA256 439 -#define OID_SHA384 440 -#define OID_SHA512 441 -#define OID_SHA224 442 -#define OID_SHA3_224 445 -#define OID_SHA3_256 446 -#define OID_SHA3_384 447 -#define OID_SHA3_512 448 -#define OID_ECDSA_WITH_SHA3_224 452 -#define OID_ECDSA_WITH_SHA3_256 453 -#define OID_ECDSA_WITH_SHA3_384 454 -#define OID_ECDSA_WITH_SHA3_512 455 -#define OID_RSASSA_PKCS1V15_WITH_SHA3_224 456 -#define OID_RSASSA_PKCS1V15_WITH_SHA3_256 457 -#define OID_RSASSA_PKCS1V15_WITH_SHA3_384 458 -#define OID_RSASSA_PKCS1V15_WITH_SHA3_512 459 -#define OID_NS_REVOCATION_URL 465 -#define OID_NS_CA_REVOCATION_URL 466 -#define OID_NS_CA_POLICY_URL 467 -#define OID_NS_COMMENT 468 -#define OID_EMPLOYEE_NUMBER 471 -#define OID_PKI_MESSAGE_TYPE 477 -#define OID_PKI_STATUS 478 -#define OID_PKI_FAIL_INFO 479 -#define OID_PKI_SENDER_NONCE 480 -#define OID_PKI_RECIPIENT_NONCE 481 -#define OID_PKI_TRANS_ID 482 -#define OID_TPM_MANUFACTURER 488 -#define OID_TPM_MODEL 489 -#define OID_TPM_VERSION 490 -#define OID_TPM_ID_LABEL 491 +#define OID_STREET_ADDRESS 26 +#define OID_ORGANIZATION 27 +#define OID_ORGANIZATION_UNIT 28 +#define OID_TITLE 29 +#define OID_DESCRIPTION 30 +#define OID_POSTAL_ADDRESS 31 +#define OID_POSTAL_CODE 32 +#define OID_USER_CERTIFICATE 33 +#define OID_NAME 34 +#define OID_GIVEN_NAME 35 +#define OID_INITIALS 36 +#define OID_UNIQUE_IDENTIFIER 37 +#define OID_DN_QUALIFIER 38 +#define OID_DMD_NAME 39 +#define OID_PSEUDONYM 40 +#define OID_ROLE 41 +#define OID_SUBJECT_KEY_ID 44 +#define OID_KEY_USAGE 45 +#define OID_SUBJECT_ALT_NAME 47 +#define OID_BASIC_CONSTRAINTS 49 +#define OID_CRL_NUMBER 50 +#define OID_CRL_REASON_CODE 51 +#define OID_DELTA_CRL_INDICATOR 54 +#define OID_ISSUING_DIST_POINT 55 +#define OID_NAME_CONSTRAINTS 57 +#define OID_CRL_DISTRIBUTION_POINTS 58 +#define OID_CERTIFICATE_POLICIES 59 +#define OID_ANY_POLICY 60 +#define OID_POLICY_MAPPINGS 61 +#define OID_AUTHORITY_KEY_ID 62 +#define OID_POLICY_CONSTRAINTS 63 +#define OID_EXTENDED_KEY_USAGE 64 +#define OID_FRESHEST_CRL 66 +#define OID_INHIBIT_ANY_POLICY 67 +#define OID_TARGET_INFORMATION 68 +#define OID_NO_REV_AVAIL 69 +#define OID_CAMELLIA128_CBC 80 +#define OID_CAMELLIA192_CBC 81 +#define OID_CAMELLIA256_CBC 82 +#define OID_RSA_ENCRYPTION 95 +#define OID_MD2_WITH_RSA 96 +#define OID_MD5_WITH_RSA 97 +#define OID_SHA1_WITH_RSA 98 +#define OID_RSAES_OAEP 99 +#define OID_MGF1 100 +#define OID_RSASSA_PSS 102 +#define OID_SHA256_WITH_RSA 103 +#define OID_SHA384_WITH_RSA 104 +#define OID_SHA512_WITH_RSA 105 +#define OID_SHA224_WITH_RSA 106 +#define OID_PBE_MD5_DES_CBC 108 +#define OID_PBE_SHA1_DES_CBC 109 +#define OID_PBKDF2 110 +#define OID_PBES2 111 +#define OID_PKCS7_DATA 113 +#define OID_PKCS7_SIGNED_DATA 114 +#define OID_PKCS7_ENVELOPED_DATA 115 +#define OID_PKCS7_SIGNED_ENVELOPED_DATA 116 +#define OID_PKCS7_DIGESTED_DATA 117 +#define OID_PKCS7_ENCRYPTED_DATA 118 +#define OID_EMAIL_ADDRESS 120 +#define OID_UNSTRUCTURED_NAME 121 +#define OID_PKCS9_CONTENT_TYPE 122 +#define OID_PKCS9_MESSAGE_DIGEST 123 +#define OID_PKCS9_SIGNING_TIME 124 +#define OID_CHALLENGE_PASSWORD 126 +#define OID_UNSTRUCTURED_ADDRESS 127 +#define OID_EXTENSION_REQUEST 128 +#define OID_X509_CERTIFICATE 131 +#define OID_PBE_SHA1_RC4_128 135 +#define OID_PBE_SHA1_RC4_40 136 +#define OID_PBE_SHA1_3DES_CBC 137 +#define OID_PBE_SHA1_3DES_2KEY_CBC 138 +#define OID_PBE_SHA1_RC2_CBC_128 139 +#define OID_PBE_SHA1_RC2_CBC_40 140 +#define OID_P12_KEY_BAG 143 +#define OID_P12_PKCS8_KEY_BAG 144 +#define OID_P12_CERT_BAG 145 +#define OID_P12_CRL_BAG 146 +#define OID_MD2 150 +#define OID_MD5 151 +#define OID_3DES_EDE_CBC 153 +#define OID_EC_PUBLICKEY 157 +#define OID_C2PNB163V1 160 +#define OID_C2PNB163V2 161 +#define OID_C2PNB163V3 162 +#define OID_C2PNB176W1 163 +#define OID_C2PNB191V1 164 +#define OID_C2PNB191V2 165 +#define OID_C2PNB191V3 166 +#define OID_C2PNB191V4 167 +#define OID_C2PNB191V5 168 +#define OID_C2PNB208W1 169 +#define OID_C2PNB239V1 170 +#define OID_C2PNB239V2 171 +#define OID_C2PNB239V3 172 +#define OID_C2PNB239V4 173 +#define OID_C2PNB239V5 174 +#define OID_C2PNB272W1 175 +#define OID_C2PNB304W1 176 +#define OID_C2PNB359V1 177 +#define OID_C2PNB368W1 178 +#define OID_C2PNB431R1 179 +#define OID_PRIME192V1 181 +#define OID_PRIME192V2 182 +#define OID_PRIME192V3 183 +#define OID_PRIME239V1 184 +#define OID_PRIME239V2 185 +#define OID_PRIME239V3 186 +#define OID_PRIME256V1 187 +#define OID_ECDSA_WITH_SHA1 189 +#define OID_ECDSA_WITH_SHA224 191 +#define OID_ECDSA_WITH_SHA256 192 +#define OID_ECDSA_WITH_SHA384 193 +#define OID_ECDSA_WITH_SHA512 194 +#define OID_MS_SMARTCARD_LOGON 208 +#define OID_USER_PRINCIPAL_NAME 209 +#define OID_STRONGSWAN 215 +#define OID_BLISS_PUBLICKEY 220 +#define OID_BLISS_I 222 +#define OID_BLISS_II 223 +#define OID_BLISS_III 224 +#define OID_BLISS_IV 225 +#define OID_BLISS_B_I 226 +#define OID_BLISS_B_II 227 +#define OID_BLISS_B_III 228 +#define OID_BLISS_B_IV 229 +#define OID_BLISS_WITH_SHA2_512 231 +#define OID_BLISS_WITH_SHA2_384 232 +#define OID_BLISS_WITH_SHA2_256 233 +#define OID_BLISS_WITH_SHA3_512 234 +#define OID_BLISS_WITH_SHA3_384 235 +#define OID_BLISS_WITH_SHA3_256 236 +#define OID_TCGID 243 +#define OID_BLOWFISH_CBC 247 +#define OID_AUTHORITY_INFO_ACCESS 291 +#define OID_IP_ADDR_BLOCKS 293 +#define OID_POLICY_QUALIFIER_CPS 295 +#define OID_POLICY_QUALIFIER_UNOTICE 296 +#define OID_SERVER_AUTH 298 +#define OID_CLIENT_AUTH 299 +#define OID_OCSP_SIGNING 306 +#define OID_XMPP_ADDR 312 +#define OID_AUTHENTICATION_INFO 316 +#define OID_ACCESS_IDENTITY 317 +#define OID_CHARGING_IDENTITY 318 +#define OID_GROUP 319 +#define OID_OCSP 322 +#define OID_BASIC 323 +#define OID_NONCE 324 +#define OID_CRL 325 +#define OID_RESPONSE 326 +#define OID_NO_CHECK 327 +#define OID_ARCHIVE_CUTOFF 328 +#define OID_SERVICE_LOCATOR 329 +#define OID_CA_ISSUERS 330 +#define OID_IKE_INTERMEDIATE 335 +#define OID_DES_CBC 339 +#define OID_SHA1 340 +#define OID_SHA1_WITH_RSA_OIW 341 +#define OID_ECGDSA_PUBKEY 360 +#define OID_ECGDSA_SIG_WITH_RIPEMD160 363 +#define OID_ECGDSA_SIG_WITH_SHA1 364 +#define OID_ECGDSA_SIG_WITH_SHA224 365 +#define OID_ECGDSA_SIG_WITH_SHA256 366 +#define OID_ECGDSA_SIG_WITH_SHA384 367 +#define OID_ECGDSA_SIG_WITH_SHA512 368 +#define OID_ED25519 389 +#define OID_ED448 390 +#define OID_SECT163K1 394 +#define OID_SECT163R1 395 +#define OID_SECT239K1 396 +#define OID_SECT113R1 397 +#define OID_SECT113R2 398 +#define OID_SECT112R1 399 +#define OID_SECT112R2 400 +#define OID_SECT160R1 401 +#define OID_SECT160K1 402 +#define OID_SECT256K1 403 +#define OID_SECT163R2 404 +#define OID_SECT283K1 405 +#define OID_SECT283R1 406 +#define OID_SECT131R1 407 +#define OID_SECT131R2 408 +#define OID_SECT193R1 409 +#define OID_SECT193R2 410 +#define OID_SECT233K1 411 +#define OID_SECT233R1 412 +#define OID_SECT128R1 413 +#define OID_SECT128R2 414 +#define OID_SECT160R2 415 +#define OID_SECT192K1 416 +#define OID_SECT224K1 417 +#define OID_SECT224R1 418 +#define OID_SECT384R1 419 +#define OID_SECT521R1 420 +#define OID_SECT409K1 421 +#define OID_SECT409R1 422 +#define OID_SECT571K1 423 +#define OID_SECT571R1 424 +#define OID_AES128_CBC 433 +#define OID_AES128_GCM 434 +#define OID_AES128_CCM 435 +#define OID_AES192_CBC 436 +#define OID_AES192_GCM 437 +#define OID_AES192_CCM 438 +#define OID_AES256_CBC 439 +#define OID_AES256_GCM 440 +#define OID_AES256_CCM 441 +#define OID_SHA256 443 +#define OID_SHA384 444 +#define OID_SHA512 445 +#define OID_SHA224 446 +#define OID_SHA3_224 449 +#define OID_SHA3_256 450 +#define OID_SHA3_384 451 +#define OID_SHA3_512 452 +#define OID_ECDSA_WITH_SHA3_224 456 +#define OID_ECDSA_WITH_SHA3_256 457 +#define OID_ECDSA_WITH_SHA3_384 458 +#define OID_ECDSA_WITH_SHA3_512 459 +#define OID_RSASSA_PKCS1V15_WITH_SHA3_224 460 +#define OID_RSASSA_PKCS1V15_WITH_SHA3_256 461 +#define OID_RSASSA_PKCS1V15_WITH_SHA3_384 462 +#define OID_RSASSA_PKCS1V15_WITH_SHA3_512 463 +#define OID_NS_REVOCATION_URL 469 +#define OID_NS_CA_REVOCATION_URL 470 +#define OID_NS_CA_POLICY_URL 471 +#define OID_NS_COMMENT 472 +#define OID_EMPLOYEE_NUMBER 475 +#define OID_PKI_MESSAGE_TYPE 481 +#define OID_PKI_STATUS 482 +#define OID_PKI_FAIL_INFO 483 +#define OID_PKI_SENDER_NONCE 484 +#define OID_PKI_RECIPIENT_NONCE 485 +#define OID_PKI_TRANS_ID 486 +#define OID_TPM_MANUFACTURER 492 +#define OID_TPM_MODEL 493 +#define OID_TPM_VERSION 494 +#define OID_TPM_ID_LABEL 495 -#define OID_MAX 492 +#define OID_MAX 496 #endif /* OID_H_ */ diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index a0c2aada3..9583baa5e 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -24,10 +24,13 @@ 0x06 "C" OID_COUNTRY 0x07 "L" OID_LOCALITY 0x08 "ST" OID_STATE_OR_PROVINCE + 0x09 "STREET" OID_STREET_ADDRESS 0x0A "O" OID_ORGANIZATION 0x0B "OU" OID_ORGANIZATION_UNIT 0x0C "T" OID_TITLE 0x0D "D" OID_DESCRIPTION + 0x10 "postalAddress" OID_POSTAL_ADDRESS + 0x11 "postalCode" OID_POSTAL_CODE 0x24 "userCertificate" OID_USER_CERTIFICATE 0x29 "N" OID_NAME 0x2A "G" OID_GIVEN_NAME @@ -95,8 +98,9 @@ 0x04 "md5WithRSAEncryption" OID_MD5_WITH_RSA 0x05 "sha-1WithRSAEncryption" OID_SHA1_WITH_RSA 0x07 "id-RSAES-OAEP" OID_RSAES_OAEP - 0x08 "id-mgf1" + 0x08 "id-mgf1" OID_MGF1 0x09 "id-pSpecified" + 0x0A "RSASSA-PSS" OID_RSASSA_PSS 0x0B "sha256WithRSAEncryption" OID_SHA256_WITH_RSA 0x0C "sha384WithRSAEncryption" OID_SHA384_WITH_RSA 0x0D "sha512WithRSAEncryption" OID_SHA512_WITH_RSA diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index 07da596e4..d1be7b401 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2016 Tobias Brunner + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2007-2009 Martin Willi * Copyright (C) 2016 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil @@ -216,8 +216,6 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args) case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: - case AUTH_RULE_SIGNATURE_SCHEME: - case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_RULE_CERT_VALIDATION_SUSPENDED: /* integer type */ this->value = (void*)(uintptr_t)va_arg(args, u_int); @@ -232,6 +230,8 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args) case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: case AUTH_RULE_CERT_POLICY: + case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: @@ -267,8 +267,6 @@ static bool entry_equals(entry_t *e1, entry_t *e2) case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: - case AUTH_RULE_SIGNATURE_SCHEME: - case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_RULE_CERT_VALIDATION_SUSPENDED: { return e1->value == e2->value; @@ -301,6 +299,11 @@ static bool entry_equals(entry_t *e1, entry_t *e2) return id1->equals(id1, id2); } + case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: + { + return signature_params_equal(e1->value, e2->value); + } case AUTH_RULE_CERT_POLICY: case AUTH_RULE_XAUTH_BACKEND: case AUTH_HELPER_IM_HASH_URL: @@ -351,6 +354,12 @@ static void destroy_entry_value(entry_t *entry) free(entry->value); break; } + case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: + { + signature_params_destroy(entry->value); + break; + } case AUTH_RULE_IDENTITY_LOOSE: case AUTH_RULE_AUTH_CLASS: case AUTH_RULE_EAP_TYPE: @@ -360,8 +369,6 @@ static void destroy_entry_value(entry_t *entry) case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: - case AUTH_RULE_SIGNATURE_SCHEME: - case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_RULE_CERT_VALIDATION_SUSPENDED: case AUTH_RULE_MAX: break; @@ -394,8 +401,6 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: - case AUTH_RULE_SIGNATURE_SCHEME: - case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_RULE_CERT_VALIDATION_SUSPENDED: /* integer type */ entry->value = (void*)(uintptr_t)va_arg(args, u_int); @@ -410,6 +415,8 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: case AUTH_RULE_CERT_POLICY: + case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: @@ -472,9 +479,6 @@ METHOD(auth_cfg_t, get, void*, case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: return (void*)0; - case AUTH_RULE_SIGNATURE_SCHEME: - case AUTH_RULE_IKE_SIGNATURE_SCHEME: - return (void*)HASH_UNKNOWN; case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: return (void*)VALIDATION_FAILED; @@ -491,6 +495,8 @@ METHOD(auth_cfg_t, get, void*, case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: case AUTH_RULE_CERT_POLICY: + case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: @@ -526,18 +532,46 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...) } } +/** + * Create a constraint for RSA/PSS signatures + */ +static signature_params_t *create_rsa_pss_constraint(char *token) +{ + signature_params_t *params = NULL; + hash_algorithm_t hash; + + if (enum_from_name(hash_algorithm_short_names, token, &hash)) + { + rsa_pss_params_t pss = { + .hash = hash, + .mgf1_hash = hash, + .salt_len = RSA_PSS_SALT_LEN_DEFAULT, + }; + signature_params_t pss_params = { + .scheme = SIGN_RSA_EMSA_PSS, + .params = &pss, + }; + params = signature_params_clone(&pss_params); + } + return params; +} + METHOD(auth_cfg_t, add_pubkey_constraints, void, private_auth_cfg_t *this, char* constraints, bool ike) { enumerator_t *enumerator; - bool is_ike = FALSE, ike_added = FALSE; + bool ike_added = FALSE, rsa_pss; key_type_t expected_type = -1; auth_rule_t expected_strength = AUTH_RULE_MAX; + signature_params_t *params; int strength; - char *token; + char *token, *key_token = NULL; auth_rule_t type; void *value; + rsa_pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + lib->ns); + enumerator = enumerator_create_token(constraints, "-", ""); while (enumerator->enumerate(enumerator, &token)) { @@ -583,67 +617,117 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void, } if (streq(token, "rsa") || streq(token, "ike:rsa")) { + key_token = token; + expected_type = KEY_RSA; + expected_strength = AUTH_RULE_RSA_STRENGTH; + continue; + } + if (streq(token, "rsa/pss") || streq(token, "ike:rsa/pss")) + { + key_token = token; expected_type = KEY_RSA; expected_strength = AUTH_RULE_RSA_STRENGTH; - is_ike = strpfx(token, "ike:"); continue; } if (streq(token, "ecdsa") || streq(token, "ike:ecdsa")) { + key_token = token; expected_type = KEY_ECDSA; expected_strength = AUTH_RULE_ECDSA_STRENGTH; - is_ike = strpfx(token, "ike:"); continue; } if (streq(token, "ed25519") || streq(token, "ike:ed25519")) { + key_token = token; expected_type = KEY_ED25519; - is_ike = strpfx(token, "ike:"); continue; } if (streq(token, "ed448") || streq(token, "ike:ed448")) { + key_token = token; expected_type = KEY_ED448; - is_ike = strpfx(token, "ike:"); continue; } if (streq(token, "bliss") || streq(token, "ike:bliss")) { + key_token = token; expected_type = KEY_BLISS; expected_strength = AUTH_RULE_BLISS_STRENGTH; - is_ike = strpfx(token, "ike:"); continue; } if (streq(token, "pubkey") || streq(token, "ike:pubkey")) { + key_token = token; expected_type = KEY_ANY; - is_ike = strpfx(token, "ike:"); continue; } - if (is_ike && !ike) + if (key_token && strpfx(key_token, "ike:") && !ike) { continue; } - for (i = 0; i < countof(schemes); i++) + if (key_token && streq(key_token + strlen(key_token) - 3, "pss")) + { + params = create_rsa_pss_constraint(token); + if (params) + { + if (strpfx(key_token, "ike:")) + { + add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, params); + ike_added = TRUE; + } + else + { + add(this, AUTH_RULE_SIGNATURE_SCHEME, params); + } + found = TRUE; + } + } + else { - if (streq(schemes[i].name, token)) + if (rsa_pss) { - if (expected_type == KEY_ANY || expected_type == schemes[i].key) + if (expected_type == KEY_ANY || + expected_type == KEY_RSA) { - if (is_ike) + params = create_rsa_pss_constraint(token); + if (params) { - add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, - (uintptr_t)schemes[i].scheme); - ike_added = TRUE; + if (strpfx(key_token, "ike:")) + { + add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, params); + ike_added = TRUE; + } + else + { + add(this, AUTH_RULE_SIGNATURE_SCHEME, params); + } + found = TRUE; } - else + } + } + for (i = 0; i < countof(schemes); i++) + { + if (streq(schemes[i].name, token)) + { + if (expected_type == KEY_ANY || + expected_type == schemes[i].key) { - add(this, AUTH_RULE_SIGNATURE_SCHEME, - (uintptr_t)schemes[i].scheme); + INIT(params, + .scheme = schemes[i].scheme, + ); + if (strpfx(key_token, "ike:")) + { + add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, params); + ike_added = TRUE; + } + else + { + add(this, AUTH_RULE_SIGNATURE_SCHEME, params); + } } + found = TRUE; } - found = TRUE; } } if (!found) @@ -666,7 +750,7 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void, if (type == AUTH_RULE_SIGNATURE_SCHEME) { add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, - (uintptr_t)value); + signature_params_clone(value)); } } enumerator->destroy(enumerator); @@ -681,20 +765,20 @@ static bool complies_scheme(private_auth_cfg_t *this, auth_cfg_t *constraints, { enumerator_t *e1, *e2; auth_rule_t t1, t2; - signature_scheme_t scheme; - void *value; + signature_params_t *params, *constraint; bool success = TRUE; e2 = create_enumerator(this); - while (e2->enumerate(e2, &t2, &scheme)) + while (e2->enumerate(e2, &t2, ¶ms)) { if (t2 == type) { success = FALSE; e1 = constraints->create_enumerator(constraints); - while (e1->enumerate(e1, &t1, &value)) + while (e1->enumerate(e1, &t1, &constraint)) { - if (t1 == type && (uintptr_t)value == scheme) + if (t1 == type && + signature_params_comply(constraint, params)) { success = TRUE; break; @@ -707,7 +791,7 @@ static bool complies_scheme(private_auth_cfg_t *this, auth_cfg_t *constraints, { DBG1(DBG_CFG, "%s signature scheme %N not acceptable", AUTH_RULE_SIGNATURE_SCHEME == type ? "X.509" : "IKE", - signature_scheme_names, (int)scheme); + signature_scheme_names, params->scheme); } break; } @@ -725,7 +809,7 @@ METHOD(auth_cfg_t, complies, bool, bool ca_match = FALSE, cert_match = FALSE; identification_t *require_group = NULL; certificate_t *require_ca = NULL, *require_cert = NULL; - signature_scheme_t ike_scheme = SIGN_UNKNOWN, scheme = SIGN_UNKNOWN; + signature_params_t *ike_scheme = NULL, *scheme = NULL; u_int strength = 0; auth_rule_t t1, t2; char *key_type; @@ -928,12 +1012,12 @@ METHOD(auth_cfg_t, complies, bool, } case AUTH_RULE_IKE_SIGNATURE_SCHEME: { - ike_scheme = (uintptr_t)value; + ike_scheme = value; break; } case AUTH_RULE_SIGNATURE_SCHEME: { - scheme = (uintptr_t)value; + scheme = value; break; } case AUTH_RULE_CERT_POLICY: @@ -983,12 +1067,12 @@ METHOD(auth_cfg_t, complies, bool, /* Check if we have a matching constraint (or none at all) for used * signature schemes. */ - if (success && scheme != SIGN_UNKNOWN) + if (success && scheme) { success = complies_scheme(this, constraints, AUTH_RULE_SIGNATURE_SCHEME, log_error); } - if (success && ike_scheme != SIGN_UNKNOWN) + if (success && ike_scheme) { success = complies_scheme(this, constraints, AUTH_RULE_IKE_SIGNATURE_SCHEME, log_error); @@ -1114,8 +1198,6 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: - case AUTH_RULE_SIGNATURE_SCHEME: - case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_RULE_CERT_VALIDATION_SUSPENDED: { add(this, type, (uintptr_t)value); @@ -1132,6 +1214,12 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy add(this, type, id->clone(id)); break; } + case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: + { + add(this, type, signature_params_clone(value)); + break; + } case AUTH_RULE_XAUTH_BACKEND: case AUTH_RULE_CERT_POLICY: case AUTH_HELPER_IM_HASH_URL: @@ -1286,11 +1374,15 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*, case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: - case AUTH_RULE_SIGNATURE_SCHEME: - case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_RULE_CERT_VALIDATION_SUSPENDED: clone->add(clone, type, (uintptr_t)value); break; + case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: + { + clone->add(clone, type, signature_params_clone(value)); + break; + } case AUTH_RULE_MAX: break; } diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h index 7191dc1bc..2eb448546 100644 --- a/src/libstrongswan/credentials/auth_cfg.h +++ b/src/libstrongswan/credentials/auth_cfg.h @@ -106,9 +106,9 @@ enum auth_rule_t { AUTH_RULE_ECDSA_STRENGTH, /** required BLISS public key strength, u_int in bits */ AUTH_RULE_BLISS_STRENGTH, - /** required signature scheme, signature_scheme_t */ + /** required signature scheme, signature_params_t* */ AUTH_RULE_SIGNATURE_SCHEME, - /** required signature scheme for IKE authentication, signature_scheme_t */ + /** required signature scheme for IKE authentication, signature_params_t* */ AUTH_RULE_IKE_SIGNATURE_SCHEME, /** certificatePolicy constraint, numerical OID as char* */ AUTH_RULE_CERT_POLICY, diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c index baa17c47d..0239ee17e 100644 --- a/src/libstrongswan/credentials/builder.c +++ b/src/libstrongswan/credentials/builder.c @@ -37,6 +37,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END, "BUILD_NOT_BEFORE_TIME", "BUILD_NOT_AFTER_TIME", "BUILD_SERIAL", + "BUILD_SIGNATURE_SCHEME", "BUILD_DIGEST_ALG", "BUILD_ENCRYPTION_ALG", "BUILD_AC_GROUP_STRINGS", diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h index 1c6f5001b..7928ef487 100644 --- a/src/libstrongswan/credentials/builder.h +++ b/src/libstrongswan/credentials/builder.h @@ -56,7 +56,7 @@ enum builder_part_t { BUILD_BLOB_PEM, /** OpenPGP key blob, chunk_t */ BUILD_BLOB_PGP, - /** DNS public key blob (RFC 4034, RSA specifc RFC 3110), chunk_t */ + /** DNS public key blob (RFC 4034, RSA specific RFC 3110), chunk_t */ BUILD_BLOB_DNSKEY, /** SSH public key blob (RFC 4253), chunk_t */ BUILD_BLOB_SSHKEY, @@ -84,6 +84,8 @@ enum builder_part_t { BUILD_NOT_AFTER_TIME, /** a serial number in binary form, chunk_t */ BUILD_SERIAL, + /** signature scheme and parameters for signature, signature_params_t* */ + BUILD_SIGNATURE_SCHEME, /** digest algorithm to be used for signature, hash_algorithm_t */ BUILD_DIGEST_ALG, /** encryption algorithm to use, encryption_algorithm_t */ diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h index d59126bd5..6dc5c7694 100644 --- a/src/libstrongswan/credentials/certificates/certificate.h +++ b/src/libstrongswan/credentials/certificates/certificate.h @@ -25,9 +25,9 @@ typedef struct certificate_t certificate_t; typedef enum certificate_type_t certificate_type_t; typedef enum cert_validation_t cert_validation_t; -#include <library.h> #include <utils/identification.h> #include <credentials/keys/public_key.h> +#include <credentials/keys/signature_params.h> #include <credentials/cred_encoding.h> /** @@ -139,11 +139,12 @@ struct certificate_t { * Check if this certificate is issued and signed by a specific issuer. * * @param issuer issuer's certificate - * @param scheme receives signature scheme used during verification + * @param scheme receives used signature scheme and parameters, if + * given (allocated) * @return TRUE if certificate issued by issuer and trusted */ bool (*issued_by)(certificate_t *this, certificate_t *issuer, - signature_scheme_t *scheme); + signature_params_t **scheme); /** * Get the public key associated to this certificate. diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c index 5eefa0bb4..d39ba1997 100644 --- a/src/libstrongswan/credentials/certificates/x509.c +++ b/src/libstrongswan/credentials/certificates/x509.c @@ -25,3 +25,12 @@ ENUM_NEXT(x509_flag_names, X509_ANY, X509_ANY, X509_OCSP_SIGNER, "ANY"); ENUM_END(x509_flag_names, X509_ANY); +/* + * Described in header + */ +void x509_cdp_destroy(x509_cdp_t *this) +{ + free(this->uri); + DESTROY_IF(this->issuer); + free(this); +} diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h index 601c034ef..2c640e2da 100644 --- a/src/libstrongswan/credentials/certificates/x509.h +++ b/src/libstrongswan/credentials/certificates/x509.h @@ -210,8 +210,11 @@ struct x509_t { * @return enumerator over x509_policy_mapping */ enumerator_t* (*create_policy_mapping_enumerator)(x509_t *this); - - }; +/** + * Destroy an x509_cdp_t instance. + */ +void x509_cdp_destroy(x509_cdp_t *this); + #endif /** X509_H_ @}*/ diff --git a/src/libstrongswan/credentials/containers/pkcs12.c b/src/libstrongswan/credentials/containers/pkcs12.c index 9e7815d04..8cc6a6c63 100644 --- a/src/libstrongswan/credentials/containers/pkcs12.c +++ b/src/libstrongswan/credentials/containers/pkcs12.c @@ -15,6 +15,7 @@ #include "pkcs12.h" +#include <library.h> #include <utils/debug.h> /** diff --git a/src/libstrongswan/credentials/cred_encoding.h b/src/libstrongswan/credentials/cred_encoding.h index 0b6536430..1129357ba 100644 --- a/src/libstrongswan/credentials/cred_encoding.h +++ b/src/libstrongswan/credentials/cred_encoding.h @@ -25,7 +25,7 @@ typedef struct cred_encoding_t cred_encoding_t; typedef enum cred_encoding_type_t cred_encoding_type_t; typedef enum cred_encoding_part_t cred_encoding_part_t; -#include <library.h> +#include <utils/chunk.h> /** * Credential encoder function implementing encoding/fingerprinting. diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index 9be7407ef..21b23f543 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -488,7 +488,7 @@ METHOD(credential_manager_t, remove_local_set, void, METHOD(credential_manager_t, issued_by, bool, private_credential_manager_t *this, certificate_t *subject, - certificate_t *issuer, signature_scheme_t *scheme) + certificate_t *issuer, signature_params_t **scheme) { if (this->cache) { @@ -661,7 +661,7 @@ static certificate_t *get_pretrusted_cert(private_credential_manager_t *this, */ static certificate_t *get_issuer_cert(private_credential_manager_t *this, certificate_t *subject, bool trusted, - signature_scheme_t *scheme) + signature_params_t **scheme) { enumerator_t *enumerator; certificate_t *issuer = NULL, *candidate; @@ -723,7 +723,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, { certificate_t *current, *issuer; auth_cfg_t *auth; - signature_scheme_t scheme; + signature_params_t *scheme; int pathlen; auth = auth_cfg_create(); diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h index 022ca566c..d99f29b85 100644 --- a/src/libstrongswan/credentials/credential_manager.h +++ b/src/libstrongswan/credentials/credential_manager.h @@ -241,12 +241,13 @@ struct credential_manager_t { * * @param subject subject certificate to check * @param issuer issuer certificate that potentially has signed subject - * @param scheme receives used signature scheme, if given + * @param scheme receives used signature scheme and parameters, if + * given (allocated) * @return TRUE if issuer signed subject */ bool (*issued_by)(credential_manager_t *this, certificate_t *subject, certificate_t *issuer, - signature_scheme_t *scheme); + signature_params_t **scheme); /** * Register a credential set to the manager. diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h index b9f7dad55..d7cfdd74d 100644 --- a/src/libstrongswan/credentials/keys/private_key.h +++ b/src/libstrongswan/credentials/keys/private_key.h @@ -1,6 +1,7 @@ /* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -42,11 +43,12 @@ struct private_key_t { * Create a signature over a chunk of data. * * @param scheme signature scheme to use + * @param params optional parameters required by the specified scheme * @param data chunk of data to sign * @param signature where to allocate created signature * @return TRUE if signature created */ - bool (*sign)(private_key_t *this, signature_scheme_t scheme, + bool (*sign)(private_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t *signature); /** * Decrypt a chunk of data. diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c index 87f7e6664..89fa9b348 100644 --- a/src/libstrongswan/credentials/keys/public_key.c +++ b/src/libstrongswan/credentials/keys/public_key.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2015 Tobias Brunner - * Copyright (C) 2007 Martin Willi + * Copyright (C) 2015-2017 Tobias Brunner * Copyright (C) 2014-2016 Andreas Steffen + * Copyright (C) 2007 Martin Willi * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -18,6 +18,7 @@ #include <asn1/oid.h> #include "public_key.h" +#include "signature_params.h" ENUM(key_type_names, KEY_ANY, KEY_BLISS, "ANY", @@ -42,6 +43,7 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA3_512, "RSA_EMSA_PKCS1_SHA3_256", "RSA_EMSA_PKCS1_SHA3_384", "RSA_EMSA_PKCS1_SHA3_512", + "RSA_EMSA_PSS", "ECDSA_WITH_SHA1_DER", "ECDSA_WITH_SHA256_DER", "ECDSA_WITH_SHA384_DER", @@ -146,6 +148,8 @@ signature_scheme_t signature_scheme_from_oid(int oid) return SIGN_RSA_EMSA_PKCS1_SHA3_384; case OID_RSASSA_PKCS1V15_WITH_SHA3_512: return SIGN_RSA_EMSA_PKCS1_SHA3_512; + case OID_RSASSA_PSS: + return SIGN_RSA_EMSA_PSS; case OID_ECDSA_WITH_SHA1: case OID_EC_PUBLICKEY: return SIGN_ECDSA_WITH_SHA1_DER; @@ -210,6 +214,8 @@ int signature_scheme_to_oid(signature_scheme_t scheme) return OID_RSASSA_PKCS1V15_WITH_SHA3_384; case SIGN_RSA_EMSA_PKCS1_SHA3_512: return OID_RSASSA_PKCS1V15_WITH_SHA3_384; + case SIGN_RSA_EMSA_PSS: + return OID_RSASSA_PSS; case SIGN_ECDSA_WITH_SHA1_DER: return OID_ECDSA_WITH_SHA1; case SIGN_ECDSA_WITH_SHA256_DER: @@ -239,26 +245,42 @@ int signature_scheme_to_oid(signature_scheme_t scheme) } /** + * Parameters for RSA/PSS signature schemes + */ +#define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \ + .hash = HASH_SHA##bits, \ + .mgf1_hash = HASH_SHA##bits, \ + .salt_len = RSA_PSS_SALT_LEN_DEFAULT, \ +} + +PSS_PARAMS(256); +PSS_PARAMS(384); +PSS_PARAMS(512); + +/** * Map for signature schemes to the key type and maximum key size allowed. * We only cover schemes with hash algorithms supported by IKEv2 signature * authentication. */ static struct { - signature_scheme_t scheme; key_type_t type; int max_keysize; + signature_params_t params; } scheme_map[] = { - { SIGN_RSA_EMSA_PKCS1_SHA2_256, KEY_RSA, 3072 }, - { SIGN_RSA_EMSA_PKCS1_SHA2_384, KEY_RSA, 7680 }, - { SIGN_RSA_EMSA_PKCS1_SHA2_512, KEY_RSA, 0 }, - { SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, 256 }, - { SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, 384 }, - { SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, 0 }, - { SIGN_ED25519, KEY_ED25519, 0 }, - { SIGN_ED448, KEY_ED448, 0 }, - { SIGN_BLISS_WITH_SHA2_256, KEY_BLISS, 128 }, - { SIGN_BLISS_WITH_SHA2_384, KEY_BLISS, 192 }, - { SIGN_BLISS_WITH_SHA2_512, KEY_BLISS, 0 } + { KEY_RSA, 3072, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, }}, + { KEY_RSA, 7680, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, }}, + { KEY_RSA, 0, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, }}, + { KEY_RSA, 3072, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 }}, + { KEY_RSA, 7680, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384 }}, + { KEY_RSA, 0, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 }}, + { KEY_ECDSA, 256, { .scheme = SIGN_ECDSA_WITH_SHA256_DER }}, + { KEY_ECDSA, 384, { .scheme = SIGN_ECDSA_WITH_SHA384_DER }}, + { KEY_ECDSA, 0, { .scheme = SIGN_ECDSA_WITH_SHA512_DER }}, + { KEY_ED25519, 0, { .scheme = SIGN_ED25519 }}, + { KEY_ED448, 0, { .scheme = SIGN_ED448 }}, + { KEY_BLISS, 128, { .scheme = SIGN_BLISS_WITH_SHA2_256 }}, + { KEY_BLISS, 192, { .scheme = SIGN_BLISS_WITH_SHA2_384 }}, + { KEY_BLISS, 0, { .scheme = SIGN_BLISS_WITH_SHA2_512 }}, }; /** @@ -274,9 +296,9 @@ typedef struct { METHOD(enumerator_t, signature_schemes_enumerate, bool, private_enumerator_t *this, va_list args) { - signature_scheme_t *scheme; + signature_params_t **params; - VA_ARGS_VGET(args, scheme); + VA_ARGS_VGET(args, params); while (++this->index < countof(scheme_map)) { @@ -284,7 +306,7 @@ METHOD(enumerator_t, signature_schemes_enumerate, bool, (this->size <= scheme_map[this->index].max_keysize || !scheme_map[this->index].max_keysize)) { - *scheme = scheme_map[this->index].scheme; + *params = &scheme_map[this->index].params; return TRUE; } } @@ -332,6 +354,7 @@ key_type_t key_type_from_signature_scheme(signature_scheme_t scheme) case SIGN_RSA_EMSA_PKCS1_SHA3_256: case SIGN_RSA_EMSA_PKCS1_SHA3_384: case SIGN_RSA_EMSA_PKCS1_SHA3_512: + case SIGN_RSA_EMSA_PSS: return KEY_RSA; case SIGN_ECDSA_WITH_SHA1_DER: case SIGN_ECDSA_WITH_SHA256_DER: diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h index 06c1aa488..877ed20a2 100644 --- a/src/libstrongswan/credentials/keys/public_key.h +++ b/src/libstrongswan/credentials/keys/public_key.h @@ -1,7 +1,7 @@ /* - * Copyright (C) 2015 Tobias Brunner - * Copyright (C) 2007 Martin Willi + * Copyright (C) 2015-2017 Tobias Brunner * Copyright (C) 2014-2017 Andreas Steffen + * Copyright (C) 2007 Martin Willi * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -28,7 +28,6 @@ typedef enum key_type_t key_type_t; typedef enum signature_scheme_t signature_scheme_t; typedef enum encryption_scheme_t encryption_scheme_t; -#include <library.h> #include <utils/identification.h> #include <credentials/cred_encoding.h> @@ -89,6 +88,8 @@ enum signature_scheme_t { SIGN_RSA_EMSA_PKCS1_SHA3_384, /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-3_512 */ SIGN_RSA_EMSA_PKCS1_SHA3_512, + /** EMSA-PSS signature as in PKCS#1 using RSA */ + SIGN_RSA_EMSA_PSS, /** ECDSA with SHA-1 using DER encoding as in RFC 3279 */ SIGN_ECDSA_WITH_SHA1_DER, /** ECDSA with SHA-256 using DER encoding as in RFC 3279 */ @@ -168,12 +169,13 @@ struct public_key_t { /** * Verifies a signature against a chunk of data. * - * @param scheme signature scheme to use for verification, may be default + * @param scheme signature scheme to use for verification + * @param params optional parameters required by the specified scheme * @param data data to check signature against * @param signature signature to check * @return TRUE if signature matches */ - bool (*verify)(public_key_t *this, signature_scheme_t scheme, + bool (*verify)(public_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t signature); /** @@ -279,11 +281,11 @@ int signature_scheme_to_oid(signature_scheme_t scheme); /** * Enumerate signature schemes that are appropriate for a key of the given type - * and size|strength. + * and size|strength ordered by increasing strength. * * @param type type of the key * @param size size or strength of the key - * @return enumerator over signature_scheme_t (increasing strength) + * @return enumerator over signature_params_t* (by strength) */ enumerator_t *signature_schemes_for_key(key_type_t type, int size); diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c new file mode 100644 index 000000000..6b4d22e7b --- /dev/null +++ b/src/libstrongswan/credentials/keys/signature_params.c @@ -0,0 +1,366 @@ +/* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "signature_params.h" + +#include <asn1/oid.h> +#include <asn1/asn1_parser.h> + +/** + * Determine the salt length in case it is not configured + */ +static ssize_t rsa_pss_salt_length(rsa_pss_params_t *pss) +{ + ssize_t salt_len = pss->salt_len; + + if (salt_len <= RSA_PSS_SALT_LEN_DEFAULT) + { + salt_len = hasher_hash_size(pss->hash); + if (!salt_len) + { + return -1; + } + } + return salt_len; +} + +/** + * Compare two signature schemes and their parameters + */ +static bool compare_params(signature_params_t *a, signature_params_t *b, + bool strict) +{ + if (!a && !b) + { + return TRUE; + } + if (!a || !b) + { + return FALSE; + } + if (a->scheme != b->scheme) + { + return FALSE; + } + if (!a->params && !b->params) + { + return TRUE; + } + if (a->params && b->params) + { + switch (a->scheme) + { + case SIGN_RSA_EMSA_PSS: + { + rsa_pss_params_t *pss_a = a->params, *pss_b = b->params; + + return pss_a->hash == pss_b->hash && + pss_a->mgf1_hash == pss_b->mgf1_hash && + (!strict || + rsa_pss_salt_length(pss_a) == rsa_pss_salt_length(pss_b)); + } + default: + break; + } + } + return FALSE; +} + +/* + * Described in header + */ +bool signature_params_equal(signature_params_t *a, signature_params_t *b) +{ + return compare_params(a, b, TRUE); +} + +/* + * Described in header + */ +bool signature_params_comply(signature_params_t *c, signature_params_t *s) +{ /* the salt is variable, so it does not necessarily have to be the same */ + return compare_params(c, s, FALSE); +} + +/* + * Described in header + */ +signature_params_t *signature_params_clone(signature_params_t *this) +{ + signature_params_t *clone; + + if (!this) + { + return NULL; + } + + INIT(clone, + .scheme = this->scheme, + ); + if (this->params) + { + switch (this->scheme) + { + case SIGN_RSA_EMSA_PSS: + { + rsa_pss_params_t *pss, *pss_clone; + + pss = this->params; + INIT(pss_clone, + .hash = pss->hash, + .mgf1_hash = pss->mgf1_hash, + .salt_len = pss->salt_len, + /* ignore salt as only used for unit tests */ + ); + clone->params = pss_clone; + break; + } + default: + break; + } + } + return clone; +} + +/* + * Described in header + */ +void signature_params_destroy(signature_params_t *this) +{ + if (this) + { + free(this->params); + free(this); + } +} + +/* + * Described in header + */ +void signature_params_clear(signature_params_t *this) +{ + if (this) + { + free(this->params); + this->params = NULL; + this->scheme = SIGN_UNKNOWN; + } +} + +/* + * Described in header + */ +bool signature_params_parse(chunk_t asn1, int level0, + signature_params_t *params) +{ + chunk_t parameters = chunk_empty; + int oid; + + oid = asn1_parse_algorithmIdentifier(asn1, level0, ¶meters); + params->scheme = signature_scheme_from_oid(oid); + switch (params->scheme) + { + case SIGN_UNKNOWN: + return FALSE; + case SIGN_RSA_EMSA_PSS: + { + rsa_pss_params_t *pss = malloc_thing(rsa_pss_params_t); + + if (!rsa_pss_params_parse(parameters, level0+1, pss)) + { + DBG1(DBG_IKE, "failed parsing RSASSA-PSS parameters"); + free(pss); + return FALSE; + } + params->params = pss; + break; + } + default: + params->params = NULL; + break; + } + return TRUE; +} + +/* + * Described in header + */ +bool signature_params_build(signature_params_t *params, chunk_t *asn1) +{ + chunk_t parameters = chunk_empty; + int oid; + + oid = signature_scheme_to_oid(params->scheme); + if (oid == OID_UNKNOWN) + { + return FALSE; + } + if (params->scheme == SIGN_RSA_EMSA_PSS && + !rsa_pss_params_build(params->params, ¶meters)) + { + return FALSE; + } + if (parameters.len) + { + *asn1 = asn1_algorithmIdentifier_params(oid, parameters); + } + else + { + *asn1 = asn1_algorithmIdentifier(oid); + } + return TRUE; +} + +/** + * ASN.1 definition of RSASSA-PSS-params + */ +static const asn1Object_t RSASSAPSSParamsObjects[] = { + { 0, "RSASSA-PSS-params", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "DEFAULT SHA-1", ASN1_CONTEXT_C_0, ASN1_DEF }, /* 1 */ + { 2, "hashAlgorithm", ASN1_EOC, ASN1_RAW }, /* 2 */ + { 1, "DEFAULT MGF1SHA1", ASN1_CONTEXT_C_1, ASN1_DEF }, /* 3 */ + { 2, "maskGenAlgorithm",ASN1_EOC, ASN1_RAW }, /* 4 */ + { 1, "DEFAULT 20", ASN1_CONTEXT_C_2, ASN1_DEF }, /* 5 */ + { 2, "saltLength", ASN1_INTEGER, ASN1_BODY }, /* 6 */ + { 1, "DEFAULT 1", ASN1_CONTEXT_C_3, ASN1_DEF }, /* 7 */ + { 2, "trailerField", ASN1_INTEGER, ASN1_BODY }, /* 8 */ + { 0, "exit", ASN1_EOC, ASN1_EXIT } +}; +#define RSASSA_PSS_PARAMS_HASH_ALG 2 +#define RSASSA_PSS_PARAMS_MGF_ALG 4 +#define RSASSA_PSS_PARAMS_SALT_LEN 6 +#define RSASSA_PSS_PARAMS_TRAILER 8 + +/* + * Described in header + */ +bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params) +{ + asn1_parser_t *parser; + chunk_t object; + int objectID, alg; + bool success = FALSE; + + params->hash = HASH_SHA1; + params->mgf1_hash = HASH_SHA1; + params->salt_len = HASH_SIZE_SHA1; + + parser = asn1_parser_create(RSASSAPSSParamsObjects, asn1); + parser->set_top_level(parser, level0); + + while (parser->iterate(parser, &objectID, &object)) + { + u_int level = parser->get_level(parser)+1; + + switch (objectID) + { + case RSASSA_PSS_PARAMS_HASH_ALG: + if (object.len) + { + alg = asn1_parse_algorithmIdentifier(object, level, NULL); + params->hash = hasher_algorithm_from_oid(alg); + if (params->hash == HASH_UNKNOWN) + { + goto end; + } + } + break; + case RSASSA_PSS_PARAMS_MGF_ALG: + if (object.len) + { + chunk_t hash; + + alg = asn1_parse_algorithmIdentifier(object, level, &hash); + if (alg != OID_MGF1) + { + goto end; + } + alg = asn1_parse_algorithmIdentifier(hash, level+1, NULL); + params->mgf1_hash = hasher_algorithm_from_oid(alg); + if (params->mgf1_hash == HASH_UNKNOWN) + { + goto end; + } + } + break; + case RSASSA_PSS_PARAMS_SALT_LEN: + if (object.len) + { + params->salt_len = (size_t)asn1_parse_integer_uint64(object); + } + break; + case RSASSA_PSS_PARAMS_TRAILER: + if (object.len && (object.len != 1 || *object.ptr != 1)) + { + goto end; + } + break; + default: + break; + } + } + success = parser->success(parser); + +end: + parser->destroy(parser); + return success; +} + +/* + * Described in header + */ +bool rsa_pss_params_build(rsa_pss_params_t *params, chunk_t *asn1) +{ + chunk_t hash = chunk_empty, mgf = chunk_empty, slen = chunk_empty; + ssize_t salt_len; + int alg; + + if (params->hash != HASH_SHA1) + { /* with SHA-1 we MUST omit the field */ + alg = hasher_algorithm_to_oid(params->hash); + if (alg == OID_UNKNOWN) + { + return FALSE; + } + hash = asn1_algorithmIdentifier(alg); + } + if (params->mgf1_hash != HASH_SHA1) + { /* with MGF1-SHA1 we MUST omit the field */ + alg = hasher_algorithm_to_oid(params->mgf1_hash); + if (alg == OID_UNKNOWN) + { + chunk_free(&hash); + return FALSE; + } + mgf = asn1_algorithmIdentifier_params(OID_MGF1, + asn1_algorithmIdentifier(alg)); + } + salt_len = rsa_pss_salt_length(params); + if (salt_len < 0) + { + chunk_free(&hash); + chunk_free(&mgf); + return FALSE; + } + else if (salt_len != HASH_SIZE_SHA1) + { + slen = asn1_integer("m", asn1_integer_from_uint64(salt_len)); + } + *asn1 = asn1_wrap(ASN1_SEQUENCE, "mmm", + hash.len ? asn1_wrap(ASN1_CONTEXT_C_0, "m", hash) : chunk_empty, + mgf.len ? asn1_wrap(ASN1_CONTEXT_C_1, "m", mgf) : chunk_empty, + slen.len ? asn1_wrap(ASN1_CONTEXT_C_2, "m", slen) : chunk_empty); + return TRUE; +} diff --git a/src/libstrongswan/credentials/keys/signature_params.h b/src/libstrongswan/credentials/keys/signature_params.h new file mode 100644 index 000000000..6934c5e88 --- /dev/null +++ b/src/libstrongswan/credentials/keys/signature_params.h @@ -0,0 +1,129 @@ +/* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup signature_params signature_params + * @{ @ingroup keys + */ + +#ifndef SIGNATURE_PARAMS_H_ +#define SIGNATURE_PARAMS_H_ + +typedef struct signature_params_t signature_params_t; +typedef struct rsa_pss_params_t rsa_pss_params_t; + +#include <crypto/hashers/hasher.h> + +/** + * Signature scheme with parameters + */ +struct signature_params_t { + /** Signature scheme */ + signature_scheme_t scheme; + /** Parameters, depending on scheme */ + void *params; +}; + +/** + * Compare two signature schemes and their parameters + * + * @param a first scheme + * @param b second scheme + * @return TRUE if schemes and parameters are equal + */ +bool signature_params_equal(signature_params_t *a, signature_params_t *b); + +/** + * Compare two signature schemes and their parameters + * + * @param c constraint + * @param s scheme + * @return TRUE if scheme complies to constraint + */ +bool signature_params_comply(signature_params_t *c, signature_params_t *s); + +/** + * Clone the given scheme and parameters, if any + * + * @return cloned object + */ +signature_params_t *signature_params_clone(signature_params_t *this); + +/** + * Destroy the given scheme and parameters, if any + */ +void signature_params_destroy(signature_params_t *this); + +/** + * Clear the given parameters, if any, sets the scheme to SIGN_UNKNOWN + */ +void signature_params_clear(signature_params_t *this); + +/** + * Parse an ASN.1 algorithmIdentifier with parameters denoting a signature + * scheme. + * + * @param asn1 ASN.1 encoded RSASSA-PSS-params + * @param level0 current level of the ASN.1 parser + * @param params parsed parameters + * @return TRUE if successfully parsed + */ +bool signature_params_parse(chunk_t asn1, int level0, + signature_params_t *params); + +/** + * Build ASN.1 algorithmIdentifier with parameters denoting a signature scheme. + * + * @param params signature scheme and parameters to encode + * @param asn1 ASN.1 encoded algorithmIdentifier (allocated) + * @return TRUE if successfully built + */ +bool signature_params_build(signature_params_t *params, chunk_t *asn1); + +/** + * Parameters for SIGN_RSA_EMSA_PSS signature scheme + */ +struct rsa_pss_params_t { + /** Hash algorithm */ + hash_algorithm_t hash; + /** Hash for the MGF1 function */ + hash_algorithm_t mgf1_hash; + /** Salt length, use RSA_PSS_SALT_LEN_DEFAULT for length equal to hash */ + ssize_t salt_len; + /** Salt value, for unit tests (not all implementations support this) */ + chunk_t salt; +#define RSA_PSS_SALT_LEN_DEFAULT -1 +}; + +/** + * Parse the given ASN.1 algorithm identifier params + * + * @param asn1 ASN.1 encoded RSASSA-PSS-params + * @param level0 current level of the ASN.1 parser + * @param params parsed parameters + * @return TRUE if successfully parsed + */ +bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params); + +/** + * Build ASN.1 algorithm identifier params + * + * @param params parameters to encode + * @param asn1 ASN.1 encoded RSASSA-PSS-params (allocated) + * @return TRUE if successfully built + */ +bool rsa_pss_params_build(rsa_pss_params_t *params, chunk_t *asn1); + +#endif /** SIGNATURE_PARAMS_H_ @}*/ diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c index 92d5efdc6..0e64f0350 100644 --- a/src/libstrongswan/credentials/sets/cert_cache.c +++ b/src/libstrongswan/credentials/sets/cert_cache.c @@ -48,9 +48,9 @@ struct relation_t { certificate_t *issuer; /** - * Signature scheme used to sign this relation + * Signature scheme and parameters used to sign this relation */ - signature_scheme_t scheme; + signature_params_t *scheme; /** * Cache hits @@ -84,7 +84,7 @@ struct private_cert_cache_t { */ static void cache(private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer, - signature_scheme_t scheme) + signature_params_t *scheme) { relation_t *rel; int i, offset, try; @@ -118,7 +118,8 @@ static void cache(private_cert_cache_t *this, { rel->subject->destroy(rel->subject); rel->subject = subject->get_ref(subject); - rel->scheme = scheme; + signature_params_destroy(rel->scheme); + rel->scheme = signature_params_clone(scheme); return rel->lock->unlock(rel->lock); } } @@ -139,7 +140,7 @@ static void cache(private_cert_cache_t *this, { rel->subject = subject->get_ref(subject); rel->issuer = issuer->get_ref(issuer); - rel->scheme = scheme; + rel->scheme = signature_params_clone(scheme); return rel->lock->unlock(rel->lock); } rel->lock->unlock(rel->lock); @@ -165,10 +166,11 @@ static void cache(private_cert_cache_t *this, { rel->subject->destroy(rel->subject); rel->issuer->destroy(rel->issuer); + signature_params_destroy(rel->scheme); } rel->subject = subject->get_ref(subject); rel->issuer = issuer->get_ref(issuer); - rel->scheme = scheme; + rel->scheme = signature_params_clone(scheme); rel->hits = 0; return rel->lock->unlock(rel->lock); } @@ -180,11 +182,11 @@ static void cache(private_cert_cache_t *this, METHOD(cert_cache_t, issued_by, bool, private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer, - signature_scheme_t *schemep) + signature_params_t **schemep) { certificate_t *cached_issuer = NULL; relation_t *found = NULL, *current; - signature_scheme_t scheme; + signature_params_t *scheme; int i; for (i = 0; i < CACHE_SIZE; i++) @@ -202,7 +204,7 @@ METHOD(cert_cache_t, issued_by, bool, found = current; if (schemep) { - *schemep = current->scheme; + *schemep = signature_params_clone(current->scheme); } } else if (!cached_issuer) @@ -225,6 +227,10 @@ METHOD(cert_cache_t, issued_by, bool, { *schemep = scheme; } + else + { + signature_params_destroy(scheme); + } DESTROY_IF(cached_issuer); return TRUE; } @@ -383,8 +389,10 @@ METHOD(cert_cache_t, flush, void, { rel->subject->destroy(rel->subject); rel->issuer->destroy(rel->issuer); + signature_params_destroy(rel->scheme); rel->subject = NULL; rel->issuer = NULL; + rel->scheme = NULL; rel->hits = 0; } } @@ -405,6 +413,7 @@ METHOD(cert_cache_t, destroy, void, { rel->subject->destroy(rel->subject); rel->issuer->destroy(rel->issuer); + signature_params_destroy(rel->scheme); } rel->lock->destroy(rel->lock); } @@ -438,6 +447,7 @@ cert_cache_t *cert_cache_create() { this->relations[i].subject = NULL; this->relations[i].issuer = NULL; + this->relations[i].scheme = NULL; this->relations[i].hits = 0; this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT); } diff --git a/src/libstrongswan/credentials/sets/cert_cache.h b/src/libstrongswan/credentials/sets/cert_cache.h index 2bcdbe464..2235bc30d 100644 --- a/src/libstrongswan/credentials/sets/cert_cache.h +++ b/src/libstrongswan/credentials/sets/cert_cache.h @@ -45,12 +45,13 @@ struct cert_cache_t { * * @param subject certificate to verify * @param issuer issuing certificate to verify subject - * @param scheme receives used signature scheme, if given + * @param scheme receives used signature scheme and parameters, if + * given (allocated) * @return TRUE if subject issued by issuer */ bool (*issued_by)(cert_cache_t *this, certificate_t *subject, certificate_t *issuer, - signature_scheme_t *scheme); + signature_params_t **scheme); /** * Flush the certificate cache. diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c index 26aab0ccc..2bd55ad2e 100644 --- a/src/libstrongswan/crypto/hashers/hasher.c +++ b/src/libstrongswan/crypto/hashers/hasher.c @@ -19,19 +19,20 @@ #include "hasher.h" #include <asn1/oid.h> +#include <credentials/keys/signature_params.h> ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_IDENTITY, "HASH_SHA1", - "HASH_SHA256", - "HASH_SHA384", - "HASH_SHA512", + "HASH_SHA2_256", + "HASH_SHA2_384", + "HASH_SHA2_512", "HASH_IDENTITY"); ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY, "HASH_UNKNOWN", "HASH_MD2", "HASH_MD4", "HASH_MD5", - "HASH_SHA224", + "HASH_SHA2_224", "HASH_SHA3_224", "HASH_SHA3_256", "HASH_SHA3_384", @@ -56,6 +57,62 @@ ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY "sha3_512"); ENUM_END(hash_algorithm_short_names, HASH_SHA3_512); +ENUM_BEGIN(hash_algorithm_short_names_upper, HASH_SHA1, HASH_IDENTITY, + "SHA1", + "SHA2_256", + "SHA2_384", + "SHA2_512", + "IDENTITY"); +ENUM_NEXT(hash_algorithm_short_names_upper, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY, + "UNKNOWN", + "MD2", + "MD4", + "MD5", + "SHA2_224", + "SHA3_224", + "SHA3_256", + "SHA3_384", + "SHA3_512"); +ENUM_END(hash_algorithm_short_names_upper, HASH_SHA3_512); + +/* + * Described in header + */ +size_t hasher_hash_size(hash_algorithm_t alg) +{ + switch (alg) + { + case HASH_SHA1: + return HASH_SIZE_SHA1; + case HASH_SHA256: + return HASH_SIZE_SHA256; + case HASH_SHA384: + return HASH_SIZE_SHA384; + case HASH_SHA512: + return HASH_SIZE_SHA512; + case HASH_MD2: + return HASH_SIZE_MD2; + case HASH_MD4: + return HASH_SIZE_MD4; + case HASH_MD5: + return HASH_SIZE_MD5; + case HASH_SHA224: + return HASH_SIZE_SHA224; + case HASH_SHA3_224: + return HASH_SIZE_SHA224; + case HASH_SHA3_256: + return HASH_SIZE_SHA256; + case HASH_SHA3_384: + return HASH_SIZE_SHA384; + case HASH_SHA3_512: + return HASH_SIZE_SHA512; + case HASH_IDENTITY: + case HASH_UNKNOWN: + break; + } + return 0; +} + /* * Described in header. */ @@ -287,7 +344,6 @@ bool hasher_algorithm_for_ikev2(hash_algorithm_t alg) switch (alg) { case HASH_IDENTITY: - case HASH_SHA1: case HASH_SHA256: case HASH_SHA384: case HASH_SHA512: @@ -296,6 +352,7 @@ bool hasher_algorithm_for_ikev2(hash_algorithm_t alg) case HASH_MD2: case HASH_MD4: case HASH_MD5: + case HASH_SHA1: case HASH_SHA224: case HASH_SHA3_224: case HASH_SHA3_256: @@ -445,7 +502,8 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key) /* * Defined in header. */ -hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme) +hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme, + void *params) { switch (scheme) { @@ -453,6 +511,13 @@ hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme) case SIGN_RSA_EMSA_PKCS1_NULL: case SIGN_ECDSA_WITH_NULL: break; + case SIGN_RSA_EMSA_PSS: + if (params) + { + rsa_pss_params_t *pss = params; + return pss->hash; + } + break; case SIGN_ED25519: case SIGN_ED448: return HASH_IDENTITY; diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h index ec0c6320b..41654553d 100644 --- a/src/libstrongswan/crypto/hashers/hasher.h +++ b/src/libstrongswan/crypto/hashers/hasher.h @@ -27,7 +27,6 @@ typedef enum hash_algorithm_t hash_algorithm_t; typedef struct hasher_t hasher_t; -#include <library.h> #include <crypto/prfs/prf.h> #include <crypto/signers/signer.h> #include <credentials/keys/public_key.h> @@ -75,6 +74,11 @@ extern enum_name_t *hash_algorithm_names; extern enum_name_t *hash_algorithm_short_names; /** + * Uppercase short names for hash_algorithm_names + */ +extern enum_name_t *hash_algorithm_short_names_upper; + +/** * Generic interface for all hash functions. */ struct hasher_t { @@ -131,6 +135,14 @@ struct hasher_t { }; /** + * Returns the size of the hash for the given algorithm. + * + * @param alg hash algorithm + * @return size of hash or 0 if unknown + */ +size_t hasher_hash_size(hash_algorithm_t alg); + +/** * Conversion of ASN.1 OID to hash algorithm. * * @param oid ASN.1 OID @@ -199,8 +211,10 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key); * Determine the hash algorithm associated with a given signature scheme. * * @param scheme signature scheme + * @param params optional parameters * @return hash algorithm (could be HASH_UNKNOWN) */ -hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme); +hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme, + void *params); #endif /** HASHER_H_ @}*/ diff --git a/src/libstrongswan/crypto/prfs/prf.h b/src/libstrongswan/crypto/prfs/prf.h index bf443e5f4..fe9ffc2dd 100644 --- a/src/libstrongswan/crypto/prfs/prf.h +++ b/src/libstrongswan/crypto/prfs/prf.h @@ -25,7 +25,8 @@ typedef enum pseudo_random_function_t pseudo_random_function_t; typedef struct prf_t prf_t; -#include <library.h> +#include <utils/utils.h> +#include <utils/chunk.h> /** * Pseudo random function, as in IKEv2 RFC 3.3.2. diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.h b/src/libstrongswan/crypto/proposal/proposal_keywords_static.h index bc421dcc5..e28f46513 100644 --- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.h +++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.h @@ -19,7 +19,7 @@ #include "proposal_keywords.h" const proposal_token_t* proposal_get_token_static(register const char *str, - register unsigned int len); + register unsigned len); #endif /* PROPOSAL_KEYWORDS_STATIC_H_ */ diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.h.in b/src/libstrongswan/crypto/proposal/proposal_keywords_static.h.in new file mode 100644 index 000000000..ee9f7b9da --- /dev/null +++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.h.in @@ -0,0 +1,25 @@ +/* + * Copyright (C) 2009 Andreas Steffen + * Hochschule fuer Technik Rapperswil, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef PROPOSAL_KEYWORDS_STATIC_H_ +#define PROPOSAL_KEYWORDS_STATIC_H_ + +#include "proposal_keywords.h" + +const proposal_token_t* proposal_get_token_static(register const char *str, + register @GPERF_LEN_TYPE@ len); + +#endif /* PROPOSAL_KEYWORDS_STATIC_H_ */ + diff --git a/src/libstrongswan/crypto/signers/signer.h b/src/libstrongswan/crypto/signers/signer.h index 01b702da1..8958e66e9 100644 --- a/src/libstrongswan/crypto/signers/signer.h +++ b/src/libstrongswan/crypto/signers/signer.h @@ -25,7 +25,8 @@ typedef enum integrity_algorithm_t integrity_algorithm_t; typedef struct signer_t signer_t; -#include <library.h> +#include <utils/utils.h> +#include <utils/chunk.h> /** * Integrity algorithm, as in IKEv2 RFC 3.3.2. diff --git a/src/libstrongswan/crypto/xofs/xof.c b/src/libstrongswan/crypto/xofs/xof.c index 1e9c2834b..2b866ae5b 100644 --- a/src/libstrongswan/crypto/xofs/xof.c +++ b/src/libstrongswan/crypto/xofs/xof.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2016 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -18,10 +19,42 @@ ENUM(ext_out_function_names, XOF_UNDEFINED, XOF_CHACHA20, "XOF_UNDEFINED", "XOF_MGF1_SHA1", + "XOF_MGF1_SHA224", "XOF_MGF1_SHA256", + "XOF_MGF1_SHA384", "XOF_MGF1_SHA512", "XOF_SHAKE128", "XOF_SHAKE256", "XOF_CHACHA20" ); +/* + * Described in header + */ +ext_out_function_t xof_mgf1_from_hash_algorithm(hash_algorithm_t alg) +{ + switch (alg) + { + case HASH_SHA1: + return XOF_MGF1_SHA1; + case HASH_SHA224: + return XOF_MGF1_SHA224; + case HASH_SHA256: + return XOF_MGF1_SHA256; + case HASH_SHA384: + return XOF_MGF1_SHA384; + case HASH_SHA512: + return XOF_MGF1_SHA512; + case HASH_IDENTITY: + case HASH_UNKNOWN: + case HASH_MD2: + case HASH_MD4: + case HASH_MD5: + case HASH_SHA3_224: + case HASH_SHA3_256: + case HASH_SHA3_384: + case HASH_SHA3_512: + break; + } + return XOF_UNDEFINED; +} diff --git a/src/libstrongswan/crypto/xofs/xof.h b/src/libstrongswan/crypto/xofs/xof.h index 8c9ae0131..934a1ee35 100644 --- a/src/libstrongswan/crypto/xofs/xof.h +++ b/src/libstrongswan/crypto/xofs/xof.h @@ -1,4 +1,5 @@ /* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2016 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -31,11 +32,15 @@ typedef struct xof_t xof_t; */ enum ext_out_function_t { XOF_UNDEFINED, - /** RFC 2437 PKCS#1 */ + /** RFC 8017 PKCS#1 */ XOF_MGF1_SHA1, - /** RFC 2437 PKCS#1 */ + /** RFC 8017 PKCS#1 */ + XOF_MGF1_SHA224, + /** RFC 8017 PKCS#1 */ XOF_MGF1_SHA256, - /** RFC 2437 PKCS#1 */ + /** RFC 8017 PKCS#1 */ + XOF_MGF1_SHA384, + /** RFC 8017 PKCS#1 */ XOF_MGF1_SHA512, /** FIPS 202 */ XOF_SHAKE_128, @@ -111,4 +116,12 @@ struct xof_t { void (*destroy)(xof_t *this); }; +/** + * Determine an MGF1 XOF type for the given hash algorithm. + * + * @param alg hash algorithm to map + * @return MGF1 XOF type if available, XOF_UNDEFINED otherwise + */ +ext_out_function_t xof_mgf1_from_hash_algorithm(hash_algorithm_t alg); + #endif /** XOF_H_ @}*/ diff --git a/src/libstrongswan/math/libnttfft/Makefile.in b/src/libstrongswan/math/libnttfft/Makefile.in index 439c0f32d..02175a926 100644 --- a/src/libstrongswan/math/libnttfft/Makefile.in +++ b/src/libstrongswan/math/libnttfft/Makefile.in @@ -238,9 +238,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/math/libnttfft/tests/Makefile.in b/src/libstrongswan/math/libnttfft/tests/Makefile.in index 1f3ee6d60..8d0e02bb6 100644 --- a/src/libstrongswan/math/libnttfft/tests/Makefile.in +++ b/src/libstrongswan/math/libnttfft/tests/Makefile.in @@ -242,9 +242,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/networking/streams/stream_manager.c b/src/libstrongswan/networking/streams/stream_manager.c index 8de243daa..32856dee8 100644 --- a/src/libstrongswan/networking/streams/stream_manager.c +++ b/src/libstrongswan/networking/streams/stream_manager.c @@ -21,6 +21,9 @@ # include "stream_unix.h" # include "stream_service_unix.h" #endif +#ifdef USE_SYSTEMD +# include "stream_service_systemd.h" +#endif #include <threading/rwlock.h> @@ -206,6 +209,9 @@ METHOD(stream_manager_t, destroy, void, remove_stream(this, stream_create_unix); remove_service(this, stream_service_create_unix); #endif +#ifdef USE_SYSTEMD + remove_service(this, stream_service_create_systemd); +#endif this->streams->destroy(this->streams); this->services->destroy(this->services); @@ -241,6 +247,9 @@ stream_manager_t *stream_manager_create() add_stream(this, "unix://", stream_create_unix); add_service(this, "unix://", stream_service_create_unix); #endif +#ifdef USE_SYSTEMD + add_service(this, "systemd://", stream_service_create_systemd); +#endif return &this->public; } diff --git a/src/libstrongswan/networking/streams/stream_service_systemd.c b/src/libstrongswan/networking/streams/stream_service_systemd.c new file mode 100644 index 000000000..5c6b3f690 --- /dev/null +++ b/src/libstrongswan/networking/streams/stream_service_systemd.c @@ -0,0 +1,71 @@ +/* + * Copyright (C) 2017 aszlig + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to + * deal in the Software without restriction, including without limitation the + * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or + * sell copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS + * IN THE SOFTWARE. + */ + +#include <systemd/sd-daemon.h> + +#include <library.h> + +/** + * See header + */ +stream_service_t *stream_service_create_systemd(char *uri, int backlog) +{ +#ifndef HAVE_SD_LISTEN_FDS_WITH_NAMES + DBG1(DBG_NET, "unable to open stream URI '%s': named systemd sockets not " + "supported", uri); + return NULL; +#else + int i, num_fds, fd; + char **fdmap; + + if (!strpfx(uri, "systemd://")) + { + DBG1(DBG_NET, "invalid stream URI: '%s'", uri); + return NULL; + } + uri += strlen("systemd://"); + + num_fds = sd_listen_fds_with_names(0, &fdmap); + if (num_fds <= 0) + { + DBG1(DBG_NET, "no systemd sockets for '%s'", uri); + return NULL; + } + + for (i = 0, fd = -1; i < num_fds; i++) + { + if (fd == -1 && streq(fdmap[i], uri)) + { + fd = SD_LISTEN_FDS_START + i; + } + free(fdmap[i]); + } + free(fdmap); + + if (fd == -1) + { + DBG1(DBG_NET, "unable to find systemd FD for '%s'", uri); + return NULL; + } + return stream_service_create_from_fd(fd); +#endif +} diff --git a/src/libstrongswan/networking/streams/stream_service_systemd.h b/src/libstrongswan/networking/streams/stream_service_systemd.h new file mode 100644 index 000000000..e61e54f5b --- /dev/null +++ b/src/libstrongswan/networking/streams/stream_service_systemd.h @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2017 aszlig + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to + * deal in the Software without restriction, including without limitation the + * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or + * sell copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS + * IN THE SOFTWARE. + */ + +/** + * @defgroup stream_service_systemd stream_service_systemd + * @{ @ingroup stream + */ + +#ifndef STREAM_SERVICE_SYSTEMD_H_ +#define STREAM_SERVICE_SYSTEMD_H_ + +/** + * Create a service instance for systemd sockets. + * + * @param uri URI with FD identifier, must start with "systemd://" + * @param backlog size of the backlog queue (ignored) + * @return stream_service instance, NULL on failure + */ +stream_service_t *stream_service_create_systemd(char *uri, int backlog); + +#endif /** STREAM_SERVICE_SYSTEMD_H_ @}*/ diff --git a/src/libstrongswan/plugins/acert/Makefile.in b/src/libstrongswan/plugins/acert/Makefile.in index 10e6fa460..36067a3ff 100644 --- a/src/libstrongswan/plugins/acert/Makefile.in +++ b/src/libstrongswan/plugins/acert/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in index 08f965596..d3817e12a 100644 --- a/src/libstrongswan/plugins/aes/Makefile.in +++ b/src/libstrongswan/plugins/aes/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/aesni/Makefile.in b/src/libstrongswan/plugins/aesni/Makefile.in index fbc7d9230..fdcfc099e 100644 --- a/src/libstrongswan/plugins/aesni/Makefile.in +++ b/src/libstrongswan/plugins/aesni/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in index 2c45ce5ba..6b4a7fe5f 100644 --- a/src/libstrongswan/plugins/af_alg/Makefile.in +++ b/src/libstrongswan/plugins/af_alg/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in index 8183de939..12a44870c 100644 --- a/src/libstrongswan/plugins/agent/Makefile.in +++ b/src/libstrongswan/plugins/agent/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c index bb55c45c0..cf2c5ea85 100644 --- a/src/libstrongswan/plugins/agent/agent_private_key.c +++ b/src/libstrongswan/plugins/agent/agent_private_key.c @@ -233,7 +233,7 @@ static bool scheme_supported(private_agent_private_key_t *this, } METHOD(private_key_t, sign, bool, - private_agent_private_key_t *this, signature_scheme_t scheme, + private_agent_private_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t *signature) { uint32_t len, flags; diff --git a/src/libstrongswan/plugins/bliss/Makefile.in b/src/libstrongswan/plugins/bliss/Makefile.in index eb8eaecb0..b98d367f1 100644 --- a/src/libstrongswan/plugins/bliss/Makefile.in +++ b/src/libstrongswan/plugins/bliss/Makefile.in @@ -269,9 +269,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/bliss/bliss_private_key.c b/src/libstrongswan/plugins/bliss/bliss_private_key.c index 25253ed37..964edcd93 100644 --- a/src/libstrongswan/plugins/bliss/bliss_private_key.c +++ b/src/libstrongswan/plugins/bliss/bliss_private_key.c @@ -512,7 +512,7 @@ end: } METHOD(private_key_t, sign, bool, - private_bliss_private_key_t *this, signature_scheme_t scheme, + private_bliss_private_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t *signature) { switch (scheme) diff --git a/src/libstrongswan/plugins/bliss/bliss_public_key.c b/src/libstrongswan/plugins/bliss/bliss_public_key.c index f7ddbbfd2..945840cdc 100644 --- a/src/libstrongswan/plugins/bliss/bliss_public_key.c +++ b/src/libstrongswan/plugins/bliss/bliss_public_key.c @@ -194,7 +194,7 @@ end: } METHOD(public_key_t, verify, bool, - private_bliss_public_key_t *this, signature_scheme_t scheme, + private_bliss_public_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t signature) { switch (scheme) diff --git a/src/libstrongswan/plugins/bliss/tests/Makefile.in b/src/libstrongswan/plugins/bliss/tests/Makefile.in index a2d56cdd1..015f40a00 100644 --- a/src/libstrongswan/plugins/bliss/tests/Makefile.in +++ b/src/libstrongswan/plugins/bliss/tests/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c index a3e4420a9..908ea910d 100644 --- a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c +++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c @@ -118,9 +118,9 @@ START_TEST(test_bliss_sign_all) /* generate and verify 1000 BLISS signatures */ while (verify_count--) { - ck_assert(privkey->sign(privkey, signature_scheme, msg, + ck_assert(privkey->sign(privkey, signature_scheme, NULL, msg, &signature)); - ck_assert(pubkey->verify(pubkey, signature_scheme, msg, + ck_assert(pubkey->verify(pubkey, signature_scheme, NULL, msg, signature)); free(signature.ptr); } @@ -134,7 +134,7 @@ START_TEST(test_bliss_sign_fail) { private_key_t *privkey; public_key_t *pubkey; - chunk_t msg, signature, encoding, fp; + chunk_t msg = chunk_empty, signature, encoding, fp; /* generate non-supported BLISS-II private key */ privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS, @@ -172,18 +172,18 @@ START_TEST(test_bliss_sign_fail) ck_assert(!privkey->decrypt(privkey, ENCRYPT_UNKNOWN, chunk_empty, NULL)); /* sign with invalid signature scheme */ - ck_assert(!privkey->sign(privkey, SIGN_UNKNOWN, msg, &signature)); + ck_assert(!privkey->sign(privkey, SIGN_UNKNOWN, NULL, msg, &signature)); /* generate valid signature */ msg = chunk_from_str("Hello Dolly!"); - ck_assert(privkey->sign(privkey, SIGN_BLISS_WITH_SHA2_512, msg, &signature)); + ck_assert(privkey->sign(privkey, SIGN_BLISS_WITH_SHA2_512, NULL, msg, &signature)); /* verify with invalid signature scheme */ - ck_assert(!pubkey->verify(pubkey, SIGN_UNKNOWN, msg, signature)); + ck_assert(!pubkey->verify(pubkey, SIGN_UNKNOWN, NULL, msg, signature)); /* corrupt signature */ signature.ptr[signature.len - 1] ^= 0x80; - ck_assert(!pubkey->verify(pubkey, SIGN_BLISS_WITH_SHA2_512, msg, signature)); + ck_assert(!pubkey->verify(pubkey, SIGN_BLISS_WITH_SHA2_512, NULL, msg, signature)); free(signature.ptr); privkey->destroy(privkey); diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in index 0d091d196..2f122b5a8 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.in +++ b/src/libstrongswan/plugins/blowfish/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in index 008407097..07eb457d5 100644 --- a/src/libstrongswan/plugins/ccm/Makefile.in +++ b/src/libstrongswan/plugins/ccm/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/chapoly/Makefile.in b/src/libstrongswan/plugins/chapoly/Makefile.in index 0b2998c95..09cbddee7 100644 --- a/src/libstrongswan/plugins/chapoly/Makefile.in +++ b/src/libstrongswan/plugins/chapoly/Makefile.in @@ -259,9 +259,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in index 2586d77c4..234a54cc2 100644 --- a/src/libstrongswan/plugins/cmac/Makefile.in +++ b/src/libstrongswan/plugins/cmac/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in index 25632d745..82f82ca2d 100644 --- a/src/libstrongswan/plugins/constraints/Makefile.in +++ b/src/libstrongswan/plugins/constraints/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in index 275a76273..7c3012301 100644 --- a/src/libstrongswan/plugins/ctr/Makefile.in +++ b/src/libstrongswan/plugins/ctr/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in index 0dbcca895..0928dee1c 100644 --- a/src/libstrongswan/plugins/curl/Makefile.in +++ b/src/libstrongswan/plugins/curl/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/curve25519/Makefile.in b/src/libstrongswan/plugins/curve25519/Makefile.in index 21b0e75f7..cb8bb3405 100644 --- a/src/libstrongswan/plugins/curve25519/Makefile.in +++ b/src/libstrongswan/plugins/curve25519/Makefile.in @@ -251,9 +251,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/curve25519/curve25519_private_key.c b/src/libstrongswan/plugins/curve25519/curve25519_private_key.c index 2a7303c4b..878be4ca5 100644 --- a/src/libstrongswan/plugins/curve25519/curve25519_private_key.c +++ b/src/libstrongswan/plugins/curve25519/curve25519_private_key.c @@ -63,7 +63,7 @@ METHOD(private_key_t, get_type, key_type_t, METHOD(private_key_t, sign, bool, private_curve25519_private_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t *signature) + void *params, chunk_t data, chunk_t *signature) { uint8_t r[HASH_SIZE_SHA512], k[HASH_SIZE_SHA512], sig[HASH_SIZE_SHA512]; hasher_t *hasher; diff --git a/src/libstrongswan/plugins/curve25519/curve25519_public_key.c b/src/libstrongswan/plugins/curve25519/curve25519_public_key.c index d07776354..1d4dec565 100644 --- a/src/libstrongswan/plugins/curve25519/curve25519_public_key.c +++ b/src/libstrongswan/plugins/curve25519/curve25519_public_key.c @@ -50,7 +50,7 @@ METHOD(public_key_t, get_type, key_type_t, METHOD(public_key_t, verify, bool, private_curve25519_public_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t signature) + void *params, chunk_t data, chunk_t signature) { hasher_t *hasher; uint8_t d = 0, k[HASH_SIZE_SHA512], r[32], *sig; diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in index 89b279875..5ffa778cd 100644 --- a/src/libstrongswan/plugins/des/Makefile.in +++ b/src/libstrongswan/plugins/des/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in index 385749a11..37799583a 100644 --- a/src/libstrongswan/plugins/dnskey/Makefile.in +++ b/src/libstrongswan/plugins/dnskey/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/files/Makefile.in b/src/libstrongswan/plugins/files/Makefile.in index 7708f9551..87b66df04 100644 --- a/src/libstrongswan/plugins/files/Makefile.in +++ b/src/libstrongswan/plugins/files/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in index 478ae818e..aa0bd5fa8 100644 --- a/src/libstrongswan/plugins/fips_prf/Makefile.in +++ b/src/libstrongswan/plugins/fips_prf/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in index 91ea7c673..da118ce57 100644 --- a/src/libstrongswan/plugins/gcm/Makefile.in +++ b/src/libstrongswan/plugins/gcm/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in index 2212be0e2..3ed4a910f 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.in +++ b/src/libstrongswan/plugins/gcrypt/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c index cee25ea74..5519125ba 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c @@ -289,11 +289,13 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group) /* * Described in header. */ -gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group, - chunk_t g, chunk_t p) +gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group, ...) { if (group == MODP_CUSTOM) { + chunk_t g, p; + + VA_ARGS_GET(group, g, p); return create_generic(group, p.len, g, p); } return NULL; diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h index a70958dc4..c6259f7ac 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h @@ -48,12 +48,10 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group); * Creates a new gcrypt_dh_t object for MODP_CUSTOM. * * @param group MODP_CUSTOM - * @param g generator - * @param p prime + * @param ... expects generator and prime as chunk_t * @return gcrypt_dh_t object, NULL if not supported */ -gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group, - chunk_t g, chunk_t p); +gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group, ...); #endif /** GCRYPT_DH_H_ @}*/ diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c index 7ecba8fa9..8a3de1e01 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c @@ -118,6 +118,28 @@ METHOD(plugin_t, get_features, int, PLUGIN_PROVIDE(PRIVKEY, KEY_RSA), PLUGIN_REGISTER(PRIVKEY_GEN, gcrypt_rsa_private_key_gen, FALSE), PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_RSA), + /* signature schemes, private */ +#if GCRYPT_VERSION_NUMBER >= 0x010700 + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS), +#endif + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_NULL), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_224), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_256), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_384), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_512), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA1), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_MD5), + /* signature verification schemes */ +#if GCRYPT_VERSION_NUMBER >= 0x010700 + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PSS), +#endif + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_NULL), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_224), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_256), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_384), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_512), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_MD5), /* random numbers */ PLUGIN_REGISTER(RNG, gcrypt_rng_create), PLUGIN_PROVIDE(RNG, RNG_WEAK), diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c index 15b876b3f..c06f43348 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c @@ -1,6 +1,7 @@ /* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -21,6 +22,7 @@ #include <asn1/oid.h> #include <asn1/asn1.h> #include <asn1/asn1_parser.h> +#include <credentials/keys/signature_params.h> typedef struct private_gcrypt_rsa_private_key_t private_gcrypt_rsa_private_key_t; @@ -147,51 +149,100 @@ static bool sign_raw(private_gcrypt_rsa_private_key_t *this, } /** - * Sign a chunk of data using hashing and PKCS#1 encoding + * Sign a chunk of data using hashing and PKCS#1v1.5/EMSA-PSS encoding */ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this, - hash_algorithm_t hash_algorithm, char *hash_name, + hash_algorithm_t hash_algorithm, rsa_pss_params_t *pss, chunk_t data, chunk_t *signature) { hasher_t *hasher; chunk_t hash; gcry_error_t err; gcry_sexp_t in, out; - int hash_oid; + char *hash_name = enum_to_name(hash_algorithm_short_names, hash_algorithm); - hash_oid = hasher_algorithm_to_oid(hash_algorithm); - if (hash_oid == OID_UNKNOWN) + hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm); + if (!hasher) { + DBG1(DBG_LIB, "hash algorithm %N not supported", + hash_algorithm_names, hash_algorithm); return FALSE; } - hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm); - if (!hasher || !hasher->allocate_hash(hasher, data, &hash)) + if (!hasher->allocate_hash(hasher, data, &hash)) { - DESTROY_IF(hasher); + hasher->destroy(hasher); return FALSE; } hasher->destroy(hasher); - err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(hash %s %b))", - hash_name, hash.len, hash.ptr); + if (pss) + { + if (pss->salt.len) + { + err = gcry_sexp_build(&in, NULL, + "(data(flags pss)(salt-length %u)" + "(random-override %b)(hash %s %b))", + pss->salt.len, pss->salt.len, pss->salt.ptr, + hash_name, hash.len, hash.ptr); + } + else + { + u_int slen = hasher_hash_size(hash_algorithm); + if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT) + { + slen = pss->salt_len; + } + err = gcry_sexp_build(&in, NULL, + "(data(flags pss)(salt-length %u)(hash %s %b))", + slen, hash_name, hash.len, hash.ptr); + } + } + else + { + err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(hash %s %b))", + hash_name, hash.len, hash.ptr); + } chunk_free(&hash); if (err) { - DBG1(DBG_LIB, "building signature S-expression failed: %s", gpg_strerror(err)); + DBG1(DBG_LIB, "building signature S-expression failed: %s", + gpg_strerror(err)); return FALSE; } err = gcry_pk_sign(&out, in, this->key); gcry_sexp_release(in); if (err) { - DBG1(DBG_LIB, "creating pkcs1 signature failed: %s", gpg_strerror(err)); + DBG1(DBG_LIB, "creating pkcs1 signature failed: %s", + gpg_strerror(err)); return FALSE; } + *signature = gcrypt_rsa_find_token(out, "s", this->key); gcry_sexp_release(out); return !!signature->len; } +#if GCRYPT_VERSION_NUMBER >= 0x010700 +/** + * Sign a chunk of data using hashing and EMSA-PSS encoding + */ +static bool sign_pss(private_gcrypt_rsa_private_key_t *this, + rsa_pss_params_t *params, chunk_t data, chunk_t *signature) +{ + if (!params) + { + return FALSE; + } + if (params->mgf1_hash != params->hash) + { + DBG1(DBG_LIB, "unable to use a different MGF1 hash for RSA-PSS"); + return FALSE; + } + return sign_pkcs1(this, params->hash, params, data, signature); +} +#endif + METHOD(private_key_t, get_type, key_type_t, private_gcrypt_rsa_private_key_t *this) { @@ -200,24 +251,28 @@ METHOD(private_key_t, get_type, key_type_t, METHOD(private_key_t, sign, bool, private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t *sig) + void *params, chunk_t data, chunk_t *sig) { switch (scheme) { case SIGN_RSA_EMSA_PKCS1_NULL: return sign_raw(this, data, sig); case SIGN_RSA_EMSA_PKCS1_SHA2_224: - return sign_pkcs1(this, HASH_SHA224, "sha224", data, sig); + return sign_pkcs1(this, HASH_SHA224, NULL, data, sig); case SIGN_RSA_EMSA_PKCS1_SHA2_256: - return sign_pkcs1(this, HASH_SHA256, "sha256", data, sig); + return sign_pkcs1(this, HASH_SHA256, NULL, data, sig); case SIGN_RSA_EMSA_PKCS1_SHA2_384: - return sign_pkcs1(this, HASH_SHA384, "sha384", data, sig); + return sign_pkcs1(this, HASH_SHA384, NULL, data, sig); case SIGN_RSA_EMSA_PKCS1_SHA2_512: - return sign_pkcs1(this, HASH_SHA512, "sha512", data, sig); + return sign_pkcs1(this, HASH_SHA512, NULL, data, sig); case SIGN_RSA_EMSA_PKCS1_SHA1: - return sign_pkcs1(this, HASH_SHA1, "sha1", data, sig); + return sign_pkcs1(this, HASH_SHA1, NULL, data, sig); case SIGN_RSA_EMSA_PKCS1_MD5: - return sign_pkcs1(this, HASH_MD5, "md5", data, sig); + return sign_pkcs1(this, HASH_MD5, NULL, data, sig); +#if GCRYPT_VERSION_NUMBER >= 0x010700 + case SIGN_RSA_EMSA_PSS: + return sign_pss(this, params, data, sig); +#endif default: DBG1(DBG_LIB, "signature scheme %N not supported in RSA", signature_scheme_names, scheme); @@ -498,16 +553,131 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_gen(key_type_t type, } /** + * Recover the primes from n, e and d using the algorithm described in + * Appendix C of NIST SP 800-56B. + */ +static bool calculate_pqu(chunk_t cn, chunk_t ce, chunk_t cd, chunk_t *cp, + chunk_t *cq, chunk_t *cu) +{ + gcry_mpi_t n, e, d, p, q, u, k, r, g, y, n1, x, two; + int i, t, j; + gcry_error_t err; + bool success = FALSE; + + n = e = d = p = q = u = k = r = g = y = n1 = x = two = NULL; + err = gcry_mpi_scan(&n, GCRYMPI_FMT_USG, cn.ptr, cn.len, NULL) + | gcry_mpi_scan(&e, GCRYMPI_FMT_USG, ce.ptr, ce.len, NULL) + | gcry_mpi_scan(&d, GCRYMPI_FMT_USG, cd.ptr, cd.len, NULL); + if (err) + { + goto error; + } + /* k = (d * e) - 1 */ + k = gcry_mpi_new(gcry_mpi_get_nbits(n)); + gcry_mpi_mul(k, d, e); + gcry_mpi_sub_ui(k, k, 1); + if (gcry_mpi_test_bit(k, 0)) + { + goto error; + } + /* k = 2^t * r, where r is the largest odd integer dividing k, and t >= 1 */ + r = gcry_mpi_copy(k); + for (t = 0; !gcry_mpi_test_bit(r, 0); t++) + { /* r = r/2 */ + gcry_mpi_rshift(r, r, 1); + } + /* we need n-1 below */ + n1 = gcry_mpi_new(gcry_mpi_get_nbits(n)); + gcry_mpi_sub_ui(n1, n, 1); + y = gcry_mpi_new(gcry_mpi_get_nbits(n)); + g = gcry_mpi_new(gcry_mpi_get_nbits(n)); + x = gcry_mpi_new(gcry_mpi_get_nbits(n)); + two = gcry_mpi_set_ui(NULL, 2); + for (i = 0; i < 100; i++) + { /* generate random integer g in [0, n-1] */ + do + { + gcry_mpi_randomize(g, gcry_mpi_get_nbits(n), GCRY_WEAK_RANDOM); + } + while (gcry_mpi_cmp(n, g) <= 0); + /* y = g^r mod n */ + gcry_mpi_powm(y, g, r, n); + /* try again if y == 1 or y == n-1 */ + if (gcry_mpi_cmp_ui(y, 1) == 0 || gcry_mpi_cmp(y, n1) == 0) + { + continue; + } + for (j = 0; j < t; j++) + { /* x = y^2 mod n */ + gcry_mpi_powm(x, y, two, n); + /* stop if x == 1 */ + if (gcry_mpi_cmp_ui(x, 1) == 0) + { + goto done; + } + /* retry with new g if x = n-1 */ + if (gcry_mpi_cmp(x, n1) == 0) + { + break; + } + /* y = x */ + gcry_mpi_set(y, x); + } + } + goto error; + +done: + /* p = gcd(y-1, n) */ + gcry_mpi_sub_ui(y, y, 1); + p = gcry_mpi_new(gcry_mpi_get_nbits(n)); + gcry_mpi_gcd(p, y, n); + /* q = n/p */ + q = gcry_mpi_new(gcry_mpi_get_nbits(n)); + gcry_mpi_div(q, NULL, n, p, 0); + if (gcry_mpi_cmp(p, q) > 0) + { /* gcrypt expects q < p */ + gcry_mpi_swap(p, q); + } + /* u = q^-1 mod p */ + u = gcry_mpi_new(gcry_mpi_get_nbits(n)); + gcry_mpi_invm(u, p, q); + err = gcry_mpi_aprint(GCRYMPI_FMT_USG, &cp->ptr, &cp->len, p) + | gcry_mpi_aprint(GCRYMPI_FMT_USG, &cq->ptr, &cq->len, q) + | gcry_mpi_aprint(GCRYMPI_FMT_USG, &cu->ptr, &cu->len, u); + if (err) + { + goto error; + } + success = TRUE; + +error: + gcry_mpi_release(n); + gcry_mpi_release(e); + gcry_mpi_release(d); + gcry_mpi_release(p); + gcry_mpi_release(q); + gcry_mpi_release(u); + gcry_mpi_release(k); + gcry_mpi_release(r); + gcry_mpi_release(g); + gcry_mpi_release(y); + gcry_mpi_release(n1); + gcry_mpi_release(x); + gcry_mpi_release(two); + return success; +} + +/** * See header. */ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_load(key_type_t type, va_list args) { private_gcrypt_rsa_private_key_t *this; - chunk_t n, e, d, p, q, u; + chunk_t n, e, d, p, q, u, np, nq, nu; gcry_error_t err; - n = e = d = p = q = u = chunk_empty; + n = e = d = p = q = u = np = nq = nu = chunk_empty; while (TRUE) { switch (va_arg(args, builder_part_t)) @@ -543,12 +713,25 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_load(key_type_t type, } break; } - + if (!p.len || !q.len || !u.len) + { + if (!calculate_pqu(n, e, d, &np, &nq, &nu)) + { + return NULL; + } + p = np; + q = nq; + u = nu; + } this = create_empty(); err = gcry_sexp_build(&this->key, NULL, "(private-key(rsa(n %b)(e %b)(d %b)(p %b)(q %b)(u %b)))", n.len, n.ptr, e.len, e.ptr, d.len, d.ptr, p.len, p.ptr, q.len, q.ptr, u.len, u.ptr); + + chunk_clear(&np); + chunk_clear(&nq); + chunk_clear(&nu); if (err) { DBG1(DBG_LIB, "loading private key failed: %s", gpg_strerror(err)); diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c index 90829e052..9e2ac1287 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c @@ -1,6 +1,7 @@ /* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -22,6 +23,7 @@ #include <asn1/asn1.h> #include <asn1/asn1_parser.h> #include <crypto/hashers/hasher.h> +#include <credentials/keys/signature_params.h> typedef struct private_gcrypt_rsa_public_key_t private_gcrypt_rsa_public_key_t; @@ -109,27 +111,48 @@ static bool verify_raw(private_gcrypt_rsa_public_key_t *this, } /** - * Verification of an EMSA PKCS1 signature described in PKCS#1 + * Verification of an EMSA PKCS1v1.5 / EMSA-PSS signature described in PKCS#1 */ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this, - hash_algorithm_t algorithm, char *hash_name, + hash_algorithm_t algorithm, rsa_pss_params_t *pss, chunk_t data, chunk_t signature) { hasher_t *hasher; chunk_t hash; gcry_error_t err; gcry_sexp_t in, sig; + char *hash_name = enum_to_name(hash_algorithm_short_names, algorithm); hasher = lib->crypto->create_hasher(lib->crypto, algorithm); - if (!hasher || !hasher->allocate_hash(hasher, data, &hash)) + if (!hasher) { - DESTROY_IF(hasher); + DBG1(DBG_LIB, "hash algorithm %N not supported", + hash_algorithm_names, algorithm); + return FALSE; + } + if (!hasher->allocate_hash(hasher, data, &hash)) + { + hasher->destroy(hasher); return FALSE; } hasher->destroy(hasher); - err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(hash %s %b))", - hash_name, hash.len, hash.ptr); + if (pss) + { + u_int slen = hasher_hash_size(algorithm); + if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT) + { + slen = pss->salt_len; + } + err = gcry_sexp_build(&in, NULL, + "(data(flags pss)(salt-length %u)(hash %s %b))", + slen, hash_name, hash.len, hash.ptr); + } + else + { + err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(hash %s %b))", + hash_name, hash.len, hash.ptr); + } chunk_free(&hash); if (err) { @@ -159,6 +182,26 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this, return TRUE; } +#if GCRYPT_VERSION_NUMBER >= 0x010700 +/** + * Verification of an EMSA-PSS signature described in PKCS#1 + */ +static bool verify_pss(private_gcrypt_rsa_public_key_t *this, + rsa_pss_params_t *params, chunk_t data, chunk_t sig) +{ + if (!params) + { + return FALSE; + } + if (params->mgf1_hash != params->hash) + { + DBG1(DBG_LIB, "unable to use a different MGF1 hash for RSA-PSS"); + return FALSE; + } + return verify_pkcs1(this, params->hash, params, data, sig); +} +#endif + METHOD(public_key_t, get_type, key_type_t, private_gcrypt_rsa_public_key_t *this) { @@ -167,24 +210,28 @@ METHOD(public_key_t, get_type, key_type_t, METHOD(public_key_t, verify, bool, private_gcrypt_rsa_public_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t signature) + void *params, chunk_t data, chunk_t signature) { switch (scheme) { case SIGN_RSA_EMSA_PKCS1_NULL: return verify_raw(this, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA2_224: - return verify_pkcs1(this, HASH_SHA224, "sha224", data, signature); + return verify_pkcs1(this, HASH_SHA224, NULL, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA2_256: - return verify_pkcs1(this, HASH_SHA256, "sha256", data, signature); + return verify_pkcs1(this, HASH_SHA256, NULL, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA2_384: - return verify_pkcs1(this, HASH_SHA384, "sha384", data, signature); + return verify_pkcs1(this, HASH_SHA384, NULL, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA2_512: - return verify_pkcs1(this, HASH_SHA512, "sha512", data, signature); + return verify_pkcs1(this, HASH_SHA512, NULL, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: - return verify_pkcs1(this, HASH_SHA1, "sha1", data, signature); + return verify_pkcs1(this, HASH_SHA1, NULL, data, signature); case SIGN_RSA_EMSA_PKCS1_MD5: - return verify_pkcs1(this, HASH_MD5, "md5", data, signature); + return verify_pkcs1(this, HASH_MD5, NULL, data, signature); +#if GCRYPT_VERSION_NUMBER >= 0x010700 + case SIGN_RSA_EMSA_PSS: + return verify_pss(this, params, data, signature); +#endif default: DBG1(DBG_LIB, "signature scheme %N not supported in RSA", signature_scheme_names, scheme); diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in index 39a2bcabb..11aef42f0 100644 --- a/src/libstrongswan/plugins/gmp/Makefile.in +++ b/src/libstrongswan/plugins/gmp/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c index b7ee94ee0..b01adfe01 100644 --- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c +++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c @@ -272,7 +272,7 @@ static gmp_diffie_hellman_t *create_generic(diffie_hellman_group_t group, } /* - * Described in header. + * Described in header */ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group) { @@ -287,12 +287,17 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group) params->generator, params->prime); } - +/* + * Described in header + */ gmp_diffie_hellman_t *gmp_diffie_hellman_create_custom( - diffie_hellman_group_t group, chunk_t g, chunk_t p) + diffie_hellman_group_t group, ...) { if (group == MODP_CUSTOM) { + chunk_t g, p; + + VA_ARGS_GET(group, g, p); return create_generic(MODP_CUSTOM, p.len, g, p); } return NULL; diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h index 6d73c0863..a8cde7bca 100644 --- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h +++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h @@ -49,12 +49,11 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group); * Creates a new gmp_diffie_hellman_t object for MODP_CUSTOM. * * @param group MODP_CUSTOM - * @param g generator - * @param p prime + * @param ... expects generator and prime as chunk_t * @return gmp_diffie_hellman_t object, NULL if not supported */ gmp_diffie_hellman_t *gmp_diffie_hellman_create_custom( - diffie_hellman_group_t group, chunk_t g, chunk_t p); + diffie_hellman_group_t group, ...); #endif /** GMP_DIFFIE_HELLMAN_H_ @}*/ diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c index c75975301..700e29bf6 100644 --- a/src/libstrongswan/plugins/gmp/gmp_plugin.c +++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c @@ -79,6 +79,14 @@ METHOD(plugin_t, get_features, int, PLUGIN_REGISTER(PUBKEY, gmp_rsa_public_key_load, TRUE), PLUGIN_PROVIDE(PUBKEY, KEY_RSA), /* signature schemes, private */ + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS), + PLUGIN_SDEPEND(HASHER, HASH_SHA1), + PLUGIN_SDEPEND(HASHER, HASH_SHA256), + PLUGIN_SDEPEND(HASHER, HASH_SHA512), + PLUGIN_SDEPEND(RNG, RNG_STRONG), + PLUGIN_SDEPEND(XOF, XOF_MGF1_SHA1), + PLUGIN_SDEPEND(XOF, XOF_MGF1_SHA256), + PLUGIN_SDEPEND(XOF, XOF_MGF1_SHA512), PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_NULL), PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_224), PLUGIN_DEPENDS(HASHER, HASH_SHA224), @@ -101,6 +109,13 @@ METHOD(plugin_t, get_features, int, PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_MD5), PLUGIN_DEPENDS(HASHER, HASH_MD5), /* signature verification schemes */ + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PSS), + PLUGIN_SDEPEND(HASHER, HASH_SHA1), + PLUGIN_SDEPEND(HASHER, HASH_SHA256), + PLUGIN_SDEPEND(HASHER, HASH_SHA512), + PLUGIN_SDEPEND(XOF, XOF_MGF1_SHA1), + PLUGIN_SDEPEND(XOF, XOF_MGF1_SHA256), + PLUGIN_SDEPEND(XOF, XOF_MGF1_SHA512), PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_NULL), PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_224), PLUGIN_DEPENDS(HASHER, HASH_SHA224), diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c index 21b420866..aca232c86 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2005 Jan Hutter * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2012 Andreas Steffen @@ -27,6 +28,7 @@ #include <asn1/oid.h> #include <asn1/asn1.h> #include <asn1/asn1_parser.h> +#include <credentials/keys/signature_params.h> #ifdef HAVE_MPZ_POWM_SEC # undef mpz_powm @@ -333,6 +335,120 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this, return TRUE; } +/** + * Build a signature using the PKCS#1 EMSA PSS scheme + */ +static bool build_emsa_pss_signature(private_gmp_rsa_private_key_t *this, + rsa_pss_params_t *params, chunk_t data, + chunk_t *signature) +{ + ext_out_function_t xof; + hasher_t *hasher = NULL; + rng_t *rng = NULL; + xof_t *mgf = NULL; + chunk_t hash, salt = chunk_empty, m, ps, db, dbmask, em; + size_t embits, emlen, maskbits; + bool success = FALSE; + + if (!params) + { + return FALSE; + } + xof = xof_mgf1_from_hash_algorithm(params->mgf1_hash); + if (xof == XOF_UNDEFINED) + { + DBG1(DBG_LIB, "%N is not supported for MGF1", hash_algorithm_names, + params->mgf1_hash); + return FALSE; + } + /* emBits = modBits - 1 */ + embits = mpz_sizeinbase(this->n, 2) - 1; + /* emLen = ceil(emBits/8) */ + emlen = (embits + 7) / BITS_PER_BYTE; + /* mHash = Hash(M) */ + hasher = lib->crypto->create_hasher(lib->crypto, params->hash); + if (!hasher) + { + DBG1(DBG_LIB, "hash algorithm %N not supported", + hash_algorithm_names, params->hash); + return FALSE; + } + hash = chunk_alloca(hasher->get_hash_size(hasher)); + if (!hasher->get_hash(hasher, data, hash.ptr)) + { + goto error; + } + + salt.len = hash.len; + if (params->salt.len) + { + salt = params->salt; + } + else if (params->salt_len > RSA_PSS_SALT_LEN_DEFAULT) + { + salt.len = params->salt_len; + } + if (emlen < (hash.len + salt.len + 2)) + { /* too long */ + goto error; + } + if (salt.len && !params->salt.len) + { + salt = chunk_alloca(salt.len); + rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG); + if (!rng || !rng->get_bytes(rng, salt.len, salt.ptr)) + { + goto error; + } + } + /* M' = 0x0000000000000000 | mHash | salt */ + m = chunk_cata("ccc", + chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00), + hash, salt); + /* H = Hash(M') */ + if (!hasher->get_hash(hasher, m, hash.ptr)) + { + goto error; + } + /* PS = 00...<padding depending on hash and salt length> */ + ps = chunk_alloca(emlen - salt.len - hash.len - 2); + memset(ps.ptr, 0, ps.len); + /* DB = PS | 0x01 | salt */ + db = chunk_cata("ccc", ps, chunk_from_chars(0x01), salt); + /* dbMask = MGF(H, emLen - hLen - 1) */ + mgf = lib->crypto->create_xof(lib->crypto, xof); + dbmask = chunk_alloca(db.len); + if (!mgf) + { + DBG1(DBG_LIB, "%N not supported", ext_out_function_names, xof); + goto error; + } + if (!mgf->set_seed(mgf, hash) || + !mgf->get_bytes(mgf, dbmask.len, dbmask.ptr)) + { + goto error; + } + /* maskedDB = DB xor dbMask */ + memxor(db.ptr, dbmask.ptr, db.len); + /* zero out unused bits */ + maskbits = (8 * emlen) - embits; + if (maskbits) + { + db.ptr[0] &= (0xff >> maskbits); + } + /* EM = maskedDB | H | 0xbc */ + em = chunk_cata("ccc", db, hash, chunk_from_chars(0xbc)); + /* S = RSASP1(K, EM) */ + *signature = rsasp1(this, em); + success = TRUE; + +error: + DESTROY_IF(hasher); + DESTROY_IF(rng); + DESTROY_IF(mgf); + return success; +} + METHOD(private_key_t, get_type, key_type_t, private_gmp_rsa_private_key_t *this) { @@ -341,7 +457,7 @@ METHOD(private_key_t, get_type, key_type_t, METHOD(private_key_t, sign, bool, private_gmp_rsa_private_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t *signature) + void *params, chunk_t data, chunk_t *signature) { switch (scheme) { @@ -367,6 +483,8 @@ METHOD(private_key_t, sign, bool, return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature); case SIGN_RSA_EMSA_PKCS1_MD5: return build_emsa_pkcs1_signature(this, HASH_MD5, data, signature); + case SIGN_RSA_EMSA_PSS: + return build_emsa_pss_signature(this, params, data, signature); default: DBG1(DBG_LIB, "signature scheme %N not supported in RSA", signature_scheme_names, scheme); @@ -807,6 +925,82 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args) } /** + * Recover the primes from n, e and d using the algorithm described in + * Appendix C of NIST SP 800-56B. + */ +static bool calculate_pq(private_gmp_rsa_private_key_t *this) +{ + gmp_randstate_t rstate; + mpz_t k, r, g, y, n1, x; + int i, t, j; + bool success = FALSE; + + gmp_randinit_default(rstate); + mpz_inits(k, r, g, y, n1, x, NULL); + /* k = (d * e) - 1 */ + mpz_mul(k, *this->d, this->e); + mpz_sub_ui(k, k, 1); + if (mpz_odd_p(k)) + { + goto error; + } + /* k = 2^t * r, where r is the largest odd integer dividing k, and t >= 1 */ + mpz_set(r, k); + for (t = 0; !mpz_odd_p(r); t++) + { /* r = r/2 */ + mpz_divexact_ui(r, r, 2); + } + /* we need n-1 below */ + mpz_sub_ui(n1, this->n, 1); + for (i = 0; i < 100; i++) + { /* generate random integer g in [0, n-1] */ + mpz_urandomm(g, rstate, this->n); + /* y = g^r mod n */ + mpz_powm_sec(y, g, r, this->n); + /* try again if y == 1 or y == n-1 */ + if (mpz_cmp_ui(y, 1) == 0 || mpz_cmp(y, n1) == 0) + { + continue; + } + for (j = 0; j < t; j++) + { /* x = y^2 mod n */ + mpz_powm_ui(x, y, 2, this->n); + /* stop if x == 1 */ + if (mpz_cmp_ui(x, 1) == 0) + { + goto done; + } + /* retry with new g if x = n-1 */ + if (mpz_cmp(x, n1) == 0) + { + break; + } + /* y = x */ + mpz_set(y, x); + } + } + goto error; + +done: + /* p = gcd(y-1, n) */ + mpz_sub_ui(y, y, 1); + mpz_gcd(this->p, y, this->n); + /* q = n/p */ + mpz_divexact(this->q, this->n, this->p); + success = TRUE; + +error: + mpz_clear_sensitive(k); + mpz_clear_sensitive(r); + mpz_clear_sensitive(g); + mpz_clear_sensitive(y); + mpz_clear_sensitive(x); + mpz_clear(n1); + gmp_randclear(rstate); + return success; +} + +/** * See header. */ gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args) @@ -868,9 +1062,30 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args) mpz_import(this->n, n.len, 1, 1, 1, 0, n.ptr); mpz_import(this->e, e.len, 1, 1, 1, 0, e.ptr); mpz_import(*this->d, d.len, 1, 1, 1, 0, d.ptr); - mpz_import(this->p, p.len, 1, 1, 1, 0, p.ptr); - mpz_import(this->q, q.len, 1, 1, 1, 0, q.ptr); - mpz_import(this->coeff, coeff.len, 1, 1, 1, 0, coeff.ptr); + if (p.len) + { + mpz_import(this->p, p.len, 1, 1, 1, 0, p.ptr); + } + if (q.len) + { + mpz_import(this->q, q.len, 1, 1, 1, 0, q.ptr); + } + if (!p.len && !q.len) + { /* p and q missing in key, recalculate from n, e and d */ + if (!calculate_pq(this)) + { + destroy(this); + return NULL; + } + } + else if (!p.len) + { /* p missing in key, recalculate: p = n / q */ + mpz_divexact(this->p, this->n, this->q); + } + else if (!q.len) + { /* q missing in key, recalculate: q = n / p */ + mpz_divexact(this->q, this->n, this->p); + } if (!exp1.len) { /* exp1 missing in key, recalculate: exp1 = d mod (p-1) */ mpz_sub_ui(this->exp1, this->p, 1); @@ -889,6 +1104,14 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args) { mpz_import(this->exp2, exp2.len, 1, 1, 1, 0, exp2.ptr); } + if (!coeff.len) + { /* coeff missing in key, recalculate: coeff = q^-1 mod p */ + mpz_invert(this->coeff, this->q, this->p); + } + else + { + mpz_import(this->coeff, coeff.len, 1, 1, 1, 0, coeff.ptr); + } this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE; if (check(this) != SUCCESS) { @@ -897,4 +1120,3 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args) } return &this->public; } - diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c index 065c88903..52bc9fb38 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c @@ -1,7 +1,8 @@ /* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -27,6 +28,7 @@ #include <asn1/asn1.h> #include <asn1/asn1_parser.h> #include <crypto/hashers/hasher.h> +#include <credentials/keys/signature_params.h> #ifdef HAVE_MPZ_POWM_SEC # undef mpz_powm @@ -126,7 +128,7 @@ static const asn1Object_t digestInfoObjects[] = { #define DIGEST_INFO_DIGEST 2 /** - * Verification of an EMPSA PKCS1 signature described in PKCS#1 + * Verification of an EMSA PKCS1 signature described in PKCS#1 */ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this, hash_algorithm_t algorithm, @@ -283,6 +285,124 @@ end: return success; } +/** + * Verification of an EMSA PSS signature described in PKCS#1 + */ +static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this, + rsa_pss_params_t *params, chunk_t data, + chunk_t signature) +{ + ext_out_function_t xof; + hasher_t *hasher = NULL; + xof_t *mgf = NULL; + chunk_t em, hash, salt, db, h, dbmask, m; + size_t embits, maskbits; + int i; + bool success = FALSE; + + if (!params) + { + return FALSE; + } + xof = xof_mgf1_from_hash_algorithm(params->mgf1_hash); + if (xof == XOF_UNDEFINED) + { + DBG1(DBG_LIB, "%N is not supported for MGF1", hash_algorithm_names, + params->mgf1_hash); + return FALSE; + } + chunk_skip_zero(signature); + if (signature.len == 0 || signature.len > this->k) + { + return FALSE; + } + /* EM = RSAVP1((n, e), S) */ + em = rsavp1(this, signature); + if (!em.len) + { + goto error; + } + /* emBits = modBits - 1 */ + embits = mpz_sizeinbase(this->n, 2) - 1; + /* mHash = Hash(M) */ + hasher = lib->crypto->create_hasher(lib->crypto, params->hash); + if (!hasher) + { + DBG1(DBG_LIB, "hash algorithm %N not supported", + hash_algorithm_names, params->hash); + goto error; + } + hash = chunk_alloca(hasher->get_hash_size(hasher)); + if (!hasher->get_hash(hasher, data, hash.ptr)) + { + goto error; + } + /* determine salt length */ + salt.len = hash.len; + if (params->salt_len > RSA_PSS_SALT_LEN_DEFAULT) + { + salt.len = params->salt_len; + } + /* verify general structure of EM */ + maskbits = (8 * em.len) - embits; + if (em.len < (hash.len + salt.len + 2) || em.ptr[em.len-1] != 0xbc || + (em.ptr[0] & (0xff << (8-maskbits)))) + { /* inconsistent */ + goto error; + } + /* split EM in maskedDB and H */ + db = chunk_create(em.ptr, em.len - hash.len - 1); + h = chunk_create(em.ptr + db.len, hash.len); + /* dbMask = MGF(H, emLen - hLen - 1) */ + mgf = lib->crypto->create_xof(lib->crypto, xof); + if (!mgf) + { + DBG1(DBG_LIB, "%N not supported", ext_out_function_names, xof); + goto error; + } + dbmask = chunk_alloca(db.len); + if (!mgf->set_seed(mgf, h) || + !mgf->get_bytes(mgf, dbmask.len, dbmask.ptr)) + { + DBG1(DBG_LIB, "%N not supported or failed", ext_out_function_names, xof); + goto error; + } + /* DB = maskedDB xor dbMask */ + memxor(db.ptr, dbmask.ptr, db.len); + if (maskbits) + { + db.ptr[0] &= (0xff >> maskbits); + } + /* check DB = PS | 0x01 | salt */ + for (i = 0; i < (db.len - salt.len - 1); i++) + { + if (db.ptr[i]) + { /* padding not 0 */ + goto error; + } + } + if (db.ptr[i++] != 0x01) + { /* 0x01 not found */ + goto error; + } + salt.ptr = &db.ptr[i]; + /* M' = 0x0000000000000000 | mHash | salt */ + m = chunk_cata("ccc", + chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00), + hash, salt); + if (!hasher->get_hash(hasher, m, hash.ptr)) + { + goto error; + } + success = memeq_const(h.ptr, hash.ptr, hash.len); + +error: + DESTROY_IF(hasher); + DESTROY_IF(mgf); + free(em.ptr); + return success; +} + METHOD(public_key_t, get_type, key_type_t, private_gmp_rsa_public_key_t *this) { @@ -290,7 +410,7 @@ METHOD(public_key_t, get_type, key_type_t, } METHOD(public_key_t, verify, bool, - private_gmp_rsa_public_key_t *this, signature_scheme_t scheme, + private_gmp_rsa_public_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t signature) { switch (scheme) @@ -317,6 +437,8 @@ METHOD(public_key_t, verify, bool, return verify_emsa_pkcs1_signature(this, HASH_SHA1, data, signature); case SIGN_RSA_EMSA_PKCS1_MD5: return verify_emsa_pkcs1_signature(this, HASH_MD5, data, signature); + case SIGN_RSA_EMSA_PSS: + return verify_emsa_pss_signature(this, params, data, signature); default: DBG1(DBG_LIB, "signature scheme %N not supported in RSA", signature_scheme_names, scheme); diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in index cddeace7f..8de79663e 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.in +++ b/src/libstrongswan/plugins/hmac/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/keychain/Makefile.in b/src/libstrongswan/plugins/keychain/Makefile.in index e072c9225..6573b311d 100644 --- a/src/libstrongswan/plugins/keychain/Makefile.in +++ b/src/libstrongswan/plugins/keychain/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in index 229a0cad0..324157bc0 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.in +++ b/src/libstrongswan/plugins/ldap/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in index d135c291f..111f53239 100644 --- a/src/libstrongswan/plugins/md4/Makefile.in +++ b/src/libstrongswan/plugins/md4/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in index e81213c2a..1a41f73ea 100644 --- a/src/libstrongswan/plugins/md5/Makefile.in +++ b/src/libstrongswan/plugins/md5/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/mgf1/Makefile.in b/src/libstrongswan/plugins/mgf1/Makefile.in index 8a2788319..fd69f4042 100644 --- a/src/libstrongswan/plugins/mgf1/Makefile.in +++ b/src/libstrongswan/plugins/mgf1/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/mgf1/mgf1_plugin.c b/src/libstrongswan/plugins/mgf1/mgf1_plugin.c index 8df3ac261..a78d2f254 100644 --- a/src/libstrongswan/plugins/mgf1/mgf1_plugin.c +++ b/src/libstrongswan/plugins/mgf1/mgf1_plugin.c @@ -44,8 +44,12 @@ METHOD(plugin_t, get_features, int, PLUGIN_REGISTER(XOF, mgf1_xof_create), PLUGIN_PROVIDE(XOF, XOF_MGF1_SHA1), PLUGIN_DEPENDS(HASHER, HASH_SHA1), + PLUGIN_PROVIDE(XOF, XOF_MGF1_SHA224), + PLUGIN_DEPENDS(HASHER, HASH_SHA224), PLUGIN_PROVIDE(XOF, XOF_MGF1_SHA256), PLUGIN_DEPENDS(HASHER, HASH_SHA256), + PLUGIN_PROVIDE(XOF, XOF_MGF1_SHA384), + PLUGIN_DEPENDS(HASHER, HASH_SHA384), PLUGIN_PROVIDE(XOF, XOF_MGF1_SHA512), PLUGIN_DEPENDS(HASHER, HASH_SHA512), }; diff --git a/src/libstrongswan/plugins/mgf1/mgf1_xof.c b/src/libstrongswan/plugins/mgf1/mgf1_xof.c index 0f5fda952..8f5a18f87 100644 --- a/src/libstrongswan/plugins/mgf1/mgf1_xof.c +++ b/src/libstrongswan/plugins/mgf1/mgf1_xof.c @@ -244,9 +244,15 @@ mgf1_xof_t *mgf1_xof_create(ext_out_function_t algorithm) case XOF_MGF1_SHA1: hash_alg = HASH_SHA1; break; + case XOF_MGF1_SHA224: + hash_alg = HASH_SHA224; + break; case XOF_MGF1_SHA256: hash_alg = HASH_SHA256; break; + case XOF_MGF1_SHA384: + hash_alg = HASH_SHA384; + break; case XOF_MGF1_SHA512: hash_alg = HASH_SHA512; break; @@ -261,7 +267,7 @@ mgf1_xof_t *mgf1_xof_create(ext_out_function_t algorithm) hash_algorithm_names, hash_alg); return NULL; } - + INIT(this, .public = { .mgf1_interface = { diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in index c99e4f806..114507eeb 100644 --- a/src/libstrongswan/plugins/mysql/Makefile.in +++ b/src/libstrongswan/plugins/mysql/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/newhope/Makefile.in b/src/libstrongswan/plugins/newhope/Makefile.in index 786337420..81c10d5c9 100644 --- a/src/libstrongswan/plugins/newhope/Makefile.in +++ b/src/libstrongswan/plugins/newhope/Makefile.in @@ -253,9 +253,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/newhope/tests/Makefile.in b/src/libstrongswan/plugins/newhope/tests/Makefile.in index be6ffef28..114035a4a 100644 --- a/src/libstrongswan/plugins/newhope/tests/Makefile.in +++ b/src/libstrongswan/plugins/newhope/tests/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in index fca8309e5..0e24d4861 100644 --- a/src/libstrongswan/plugins/nonce/Makefile.in +++ b/src/libstrongswan/plugins/nonce/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/ntru/Makefile.in b/src/libstrongswan/plugins/ntru/Makefile.in index 2ef9aa8dc..cdfee525b 100644 --- a/src/libstrongswan/plugins/ntru/Makefile.in +++ b/src/libstrongswan/plugins/ntru/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in index dcf4c2c8a..856055c6a 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.in +++ b/src/libstrongswan/plugins/openssl/Makefile.in @@ -254,9 +254,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c index 61cf3e884..88f7a67c2 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crl.c +++ b/src/libstrongswan/plugins/openssl/openssl_crl.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -47,14 +50,13 @@ #include <credentials/certificates/x509.h> #if OPENSSL_VERSION_NUMBER < 0x10100000L -static inline void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, const X509_CRL *crl) { +static inline void X509_CRL_get0_signature(const X509_CRL *crl, ASN1_BIT_STRING **psig, X509_ALGOR **palg) { if (psig) { *psig = crl->signature; } if (palg) { *palg = crl->sig_alg; } } #define X509_REVOKED_get0_serialNumber(r) ({ (r)->serialNumber; }) #define X509_REVOKED_get0_revocationDate(r) ({ (r)->revocationDate; }) #define X509_CRL_get0_extensions(c) ({ (c)->crl->extensions; }) -#define X509_ALGOR_get0(oid, ppt, ppv, alg) ({ *(oid) = (alg)->algorithm; }) #endif typedef struct private_openssl_crl_t private_openssl_crl_t; @@ -85,6 +87,16 @@ struct private_openssl_crl_t { chunk_t serial; /** + * Number of base CRL (deltaCrlIndicator), if a delta CRL + */ + chunk_t base; + + /** + * List of Freshest CRL distribution points + */ + linked_list_t *crl_uris; + + /** * AuthorityKeyIdentifier of the issuing CA */ chunk_t authKeyIdentifier; @@ -107,7 +119,7 @@ struct private_openssl_crl_t { /** * Signature scheme used in this CRL */ - signature_scheme_t scheme; + signature_params_t *scheme; /** * References to this CRL @@ -140,6 +152,11 @@ typedef struct { int i; } crl_enumerator_t; +/** + * from openssl_x509 + */ +bool openssl_parse_crlDistributionPoints(X509_EXTENSION *ext, + linked_list_t *list); METHOD(enumerator_t, crl_enumerate, bool, crl_enumerator_t *this, va_list args) @@ -215,6 +232,26 @@ METHOD(crl_t, get_serial, chunk_t, return this->serial; } +METHOD(crl_t, is_delta_crl, bool, + private_openssl_crl_t *this, chunk_t *base_crl) +{ + if (this->base.len) + { + if (base_crl) + { + *base_crl = this->base; + } + return TRUE; + } + return FALSE; +} + +METHOD(crl_t, create_delta_crl_uri_enumerator, enumerator_t*, + private_openssl_crl_t *this) +{ + return this->crl_uris->create_enumerator(this->crl_uris); +} + METHOD(crl_t, get_authKeyIdentifier, chunk_t, private_openssl_crl_t *this) { @@ -246,7 +283,7 @@ METHOD(certificate_t, has_subject_or_issuer, id_match_t, METHOD(certificate_t, issued_by, bool, private_openssl_crl_t *this, certificate_t *issuer, - signature_scheme_t *scheme) + signature_params_t **scheme) { chunk_t fingerprint, tbs; public_key_t *key; @@ -283,23 +320,20 @@ METHOD(certificate_t, issued_by, bool, return FALSE; } } - if (this->scheme == SIGN_UNKNOWN) - { - return FALSE; - } /* i2d_re_X509_CRL_tbs() was added with 1.1.0 when X509_CRL became opaque */ #if OPENSSL_VERSION_NUMBER >= 0x10100000L tbs = openssl_i2chunk(re_X509_CRL_tbs, this->crl); #else tbs = openssl_i2chunk(X509_CRL_INFO, this->crl->crl); #endif - X509_CRL_get0_signature(&sig, NULL, this->crl); - valid = key->verify(key, this->scheme, tbs, openssl_asn1_str2chunk(sig)); + X509_CRL_get0_signature(this->crl, &sig, NULL); + valid = key->verify(key, this->scheme->scheme, this->scheme->params, tbs, + openssl_asn1_str2chunk(sig)); free(tbs.ptr); key->destroy(key); if (valid && scheme) { - *scheme = this->scheme; + *scheme = signature_params_clone(this->scheme); } return valid; } @@ -379,8 +413,12 @@ METHOD(certificate_t, destroy, void, { X509_CRL_free(this->crl); } + signature_params_destroy(this->scheme); + this->crl_uris->destroy_function(this->crl_uris, + (void*)x509_cdp_destroy); DESTROY_IF(this->issuer); free(this->authKeyIdentifier.ptr); + free(this->base.ptr); free(this->serial.ptr); free(this->encoding.ptr); free(this); @@ -413,11 +451,12 @@ static private_openssl_crl_t *create_empty() }, .get_serial = _get_serial, .get_authKeyIdentifier = _get_authKeyIdentifier, - .is_delta_crl = (void*)return_false, - .create_delta_crl_uri_enumerator = (void*)enumerator_create_empty, + .is_delta_crl = _is_delta_crl, + .create_delta_crl_uri_enumerator = _create_delta_crl_uri_enumerator, .create_enumerator = _create_enumerator, }, }, + .crl_uris = linked_list_create(), .ref = 1, ); return this; @@ -444,21 +483,19 @@ static bool parse_authKeyIdentifier_ext(private_openssl_crl_t *this, } /** - * Parse the crlNumber extension + * Quick and dirty INTEGER unwrap for crlNumber/deltaCrlIndicator extensions */ -static bool parse_crlNumber_ext(private_openssl_crl_t *this, - X509_EXTENSION *ext) +static bool parse_integer_ext(X509_EXTENSION *ext, chunk_t *out) { chunk_t chunk; chunk = openssl_asn1_str2chunk(X509_EXTENSION_get_data(ext)); - /* quick and dirty INTEGER unwrap */ if (chunk.len > 1 && chunk.ptr[0] == V_ASN1_INTEGER && chunk.ptr[1] == chunk.len - 2) { chunk = chunk_skip(chunk, 2); - free(this->serial.ptr); - this->serial = chunk_clone(chunk); + free(out->ptr); + *out = chunk_clone(chunk); return TRUE; } return FALSE; @@ -488,7 +525,13 @@ static bool parse_extensions(private_openssl_crl_t *this) ok = parse_authKeyIdentifier_ext(this, ext); break; case NID_crl_number: - ok = parse_crlNumber_ext(this, ext); + ok = parse_integer_ext(ext, &this->serial); + break; + case NID_delta_crl: + ok = parse_integer_ext(ext, &this->base); + break; + case NID_freshest_crl: + ok = openssl_parse_crlDistributionPoints(ext, this->crl_uris); break; case NID_issuing_distribution_point: /* TODO support of IssuingDistributionPoints */ @@ -520,7 +563,7 @@ static bool parse_extensions(private_openssl_crl_t *this) static bool parse_crl(private_openssl_crl_t *this) { const unsigned char *ptr = this->encoding.ptr; - ASN1_OBJECT *oid; + chunk_t sig_scheme; X509_ALGOR *alg; this->crl = d2i_X509_CRL(NULL, &ptr, this->encoding.len); @@ -529,28 +572,16 @@ static bool parse_crl(private_openssl_crl_t *this) return FALSE; } - X509_CRL_get0_signature(NULL, &alg, this->crl); - X509_ALGOR_get0(&oid, NULL, NULL, alg); -#if OPENSSL_VERSION_NUMBER < 0x10100000L - if (!chunk_equals( - openssl_asn1_obj2chunk(this->crl->crl->sig_alg->algorithm), - openssl_asn1_obj2chunk(this->crl->sig_alg->algorithm))) + X509_CRL_get0_signature(this->crl, NULL, &alg); + sig_scheme = openssl_i2chunk(X509_ALGOR, alg); + INIT(this->scheme); + if (!signature_params_parse(sig_scheme, 0, this->scheme)) { + DBG1(DBG_ASN, "unable to parse signature algorithm"); + free(sig_scheme.ptr); return FALSE; } -#elif 0 - /* FIXME: we currently can't do this if X509_CRL is opaque (>= 1.1.0) as - * X509_CRL_get0_tbs_sigalg() does not exist and there does not seem to be - * another easy way to get the algorithm from the tbsCertList of the CRL */ - alg = X509_CRL_get0_tbs_sigalg(this->crl); - X509_ALGOR_get0(&oid_tbs, NULL, NULL, alg); - if (!chunk_equals(openssl_asn1_obj2chunk(oid), - openssl_asn1_obj2chunk(oid_tbs))) - { - return FALSE; - } -#endif - this->scheme = signature_scheme_from_oid(openssl_asn1_known_oid(oid)); + free(sig_scheme.ptr); this->issuer = openssl_x509_name2id(X509_CRL_get_issuer(this->crl)); if (!this->issuer) diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c index f08dfff7e..8e9c1183f 100644 --- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c @@ -193,7 +193,7 @@ METHOD(diffie_hellman_t, destroy, void, * Described in header. */ openssl_diffie_hellman_t *openssl_diffie_hellman_create( - diffie_hellman_group_t group, chunk_t g, chunk_t p) + diffie_hellman_group_t group, ...) { private_openssl_diffie_hellman_t *this; const BIGNUM *privkey; @@ -225,6 +225,9 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create( if (group == MODP_CUSTOM) { + chunk_t g, p; + + VA_ARGS_GET(group, g, p); if (!DH_set0_pqg(this->dh, BN_bin2bn(p.ptr, p.len, NULL), NULL, BN_bin2bn(g.ptr, g.len, NULL))) { diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h index 53dc59c78..5de5520b5 100644 --- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h +++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h @@ -40,12 +40,11 @@ struct openssl_diffie_hellman_t { * Creates a new openssl_diffie_hellman_t object. * * @param group Diffie Hellman group number to use - * @param g custom generator, if MODP_CUSTOM - * @param p custom prime, if MODP_CUSTOM + * @param ... expects generator and prime as chunk_t if MODP_CUSTOM * @return openssl_diffie_hellman_t object, NULL if not supported */ openssl_diffie_hellman_t *openssl_diffie_hellman_create( - diffie_hellman_group_t group, chunk_t g, chunk_t p); + diffie_hellman_group_t group, ...); #endif /** OPENSSL_DIFFIE_HELLMAN_H_ @}*/ diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c index 22bbf6dc7..364190758 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c @@ -49,6 +49,11 @@ struct private_openssl_ec_private_key_t { EC_KEY *ec; /** + * TRUE if the key is from an OpenSSL ENGINE and might not be readable + */ + bool engine; + + /** * reference count */ refcount_t ref; @@ -146,7 +151,7 @@ static bool build_der_signature(private_openssl_ec_private_key_t *this, METHOD(private_key_t, sign, bool, private_openssl_ec_private_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t *signature) + void *params, chunk_t data, chunk_t *signature) { switch (scheme) { @@ -226,6 +231,11 @@ METHOD(private_key_t, get_encoding, bool, { u_char *p; + if (this->engine) + { + return FALSE; + } + switch (type) { case PRIVKEY_ASN1_DER: @@ -307,7 +317,7 @@ static private_openssl_ec_private_key_t *create_empty(void) /* * See header. */ -private_key_t *openssl_ec_private_key_create(EVP_PKEY *key) +private_key_t *openssl_ec_private_key_create(EVP_PKEY *key, bool engine) { private_openssl_ec_private_key_t *this; EC_KEY *ec; @@ -320,6 +330,7 @@ private_key_t *openssl_ec_private_key_create(EVP_PKEY *key) } this = create_empty(); this->ec = ec; + this->engine = engine; return &this->public.key; } diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h index 84314f671..56c59cfc8 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h +++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h @@ -67,8 +67,9 @@ openssl_ec_private_key_t *openssl_ec_private_key_load(key_type_t type, * Wrap an EVP_PKEY object of type EVP_PKEY_EC * * @param key EVP_PKEY_EC key object (adopted) + * @param engine whether the key was loaded via an engine * @return loaded key, NULL on failure */ -private_key_t *openssl_ec_private_key_create(EVP_PKEY *key); +private_key_t *openssl_ec_private_key_create(EVP_PKEY *key, bool engine); #endif /** OPENSSL_EC_PRIVATE_KEY_H_ @}*/ diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c index a1e56fc5e..faa940839 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c @@ -151,7 +151,7 @@ METHOD(public_key_t, get_type, key_type_t, METHOD(public_key_t, verify, bool, private_openssl_ec_public_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t signature) + void *params, chunk_t data, chunk_t signature) { switch (scheme) { diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c index 96ee230c9..eb6c50508 100644 --- a/src/libstrongswan/plugins/openssl/openssl_hasher.c +++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c @@ -1,6 +1,6 @@ /* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2008-2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -91,16 +91,24 @@ METHOD(hasher_t, destroy, void, /* * Described in header */ -openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo) +const EVP_MD *openssl_get_md(hash_algorithm_t hash) { - private_openssl_hasher_t *this; - char* name; + char *name; - name = enum_to_name(hash_algorithm_short_names, algo); + name = enum_to_name(hash_algorithm_short_names, hash); if (!name) { return NULL; } + return EVP_get_digestbyname(name); +} + +/* + * Described in header + */ +openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo) +{ + private_openssl_hasher_t *this; INIT(this, .public = { @@ -114,7 +122,7 @@ openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo) }, ); - this->hasher = EVP_get_digestbyname(name); + this->hasher = openssl_get_md(algo); if (!this->hasher) { /* OpenSSL does not support the requested algo */ diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.h b/src/libstrongswan/plugins/openssl/openssl_hasher.h index b03f6891b..66b9b505e 100644 --- a/src/libstrongswan/plugins/openssl/openssl_hasher.h +++ b/src/libstrongswan/plugins/openssl/openssl_hasher.h @@ -1,6 +1,6 @@ /* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2008-2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -25,6 +25,8 @@ typedef struct openssl_hasher_t openssl_hasher_t; #include <crypto/hashers/hasher.h> +#include <openssl/evp.h> + /** * Implementation of hashers using OpenSSL. */ @@ -37,6 +39,14 @@ struct openssl_hasher_t { }; /** + * Determine EVP_MD for the given hash algorithm + * + * @param hash hash algorithm + * @return EVP_MD or NULL if not found/supported + */ +const EVP_MD *openssl_get_md(hash_algorithm_t hash); + +/** * Constructor to create openssl_hasher_t. * * @param algo algorithm diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs7.c b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c index 83ac8df5b..f94767cf5 100644 --- a/src/libstrongswan/plugins/openssl/openssl_pkcs7.c +++ b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c @@ -256,7 +256,7 @@ static auth_cfg_t *verify_signature(CMS_SignerInfo *si, int hash_oid) key = cert->get_public_key(cert); if (key) { - if (key->verify(key, signature_scheme_from_oid(hash_oid), + if (key->verify(key, signature_scheme_from_oid(hash_oid), NULL, attrs, sig)) { found = auth->clone(auth); diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index ab73d718f..8b0a7c5c7 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -301,11 +301,11 @@ static private_key_t *openssl_private_key_load(key_type_t type, va_list args) { #ifndef OPENSSL_NO_RSA case EVP_PKEY_RSA: - return openssl_rsa_private_key_create(key); + return openssl_rsa_private_key_create(key, FALSE); #endif #ifndef OPENSSL_NO_ECDSA case EVP_PKEY_EC: - return openssl_ec_private_key_create(key); + return openssl_ec_private_key_create(key, FALSE); #endif default: EVP_PKEY_free(key); @@ -316,6 +316,152 @@ static private_key_t *openssl_private_key_load(key_type_t type, va_list args) return NULL; } +#ifndef OPENSSL_NO_ENGINE +/** + * Login to engine with a PIN specified for a keyid + */ +static bool login(ENGINE *engine, chunk_t keyid) +{ + enumerator_t *enumerator; + shared_key_t *shared; + identification_t *id; + chunk_t key; + char pin[64]; + bool found = FALSE, success = FALSE; + + id = identification_create_from_encoding(ID_KEY_ID, keyid); + enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, + SHARED_PIN, id, NULL); + while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) + { + found = TRUE; + key = shared->get_key(shared); + if (snprintf(pin, sizeof(pin), + "%.*s", (int)key.len, key.ptr) >= sizeof(pin)) + { + continue; + } + if (ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0)) + { + success = TRUE; + break; + } + else + { + DBG1(DBG_CFG, "setting PIN on engine failed"); + } + } + enumerator->destroy(enumerator); + id->destroy(id); + if (!found) + { + DBG1(DBG_CFG, "no PIN found for %#B", &keyid); + } + return success; +} +#endif /* OPENSSL_NO_ENGINE */ + +/** + * Load private key via engine + */ +static private_key_t *openssl_private_key_connect(key_type_t type, + va_list args) +{ +#ifndef OPENSSL_NO_ENGINE + char *engine_id = NULL; + char keyname[BUF_LEN]; + chunk_t keyid = chunk_empty;; + EVP_PKEY *key; + ENGINE *engine; + int slot = -1; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_PKCS11_KEYID: + keyid = va_arg(args, chunk_t); + continue; + case BUILD_PKCS11_SLOT: + slot = va_arg(args, int); + continue; + case BUILD_PKCS11_MODULE: + engine_id = va_arg(args, char*); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + if (!keyid.len || keyid.len > 40) + { + return NULL; + } + + memset(keyname, 0, sizeof(keyname)); + if (slot != -1) + { + snprintf(keyname, sizeof(keyname), "%d:", slot); + } + if (sizeof(keyname) - strlen(keyname) <= keyid.len * 4 / 3 + 1) + { + return NULL; + } + chunk_to_hex(keyid, keyname + strlen(keyname), FALSE); + + if (!engine_id) + { + engine_id = lib->settings->get_str(lib->settings, + "%s.plugins.openssl.engine_id", "pkcs11", lib->ns); + } + engine = ENGINE_by_id(engine_id); + if (!engine) + { + DBG2(DBG_LIB, "engine '%s' is not available", engine_id); + return NULL; + } + if (!ENGINE_init(engine)) + { + DBG1(DBG_LIB, "failed to initialize engine '%s'", engine_id); + ENGINE_free(engine); + return NULL; + } + if (!login(engine, keyid)) + { + DBG1(DBG_LIB, "login to engine '%s' failed", engine_id); + ENGINE_free(engine); + return NULL; + } + key = ENGINE_load_private_key(engine, keyname, NULL, NULL); + if (!key) + { + DBG1(DBG_LIB, "failed to load private key with ID '%s' from " + "engine '%s'", keyname, engine_id); + ENGINE_free(engine); + return NULL; + } + ENGINE_free(engine); + + switch (EVP_PKEY_base_id(key)) + { +#ifndef OPENSSL_NO_RSA + case EVP_PKEY_RSA: + return openssl_rsa_private_key_create(key, TRUE); +#endif +#ifndef OPENSSL_NO_ECDSA + case EVP_PKEY_EC: + return openssl_ec_private_key_create(key, TRUE); +#endif + default: + EVP_PKEY_free(key); + break; + } +#endif /* OPENSSL_NO_ENGINE */ + return NULL; +} + METHOD(plugin_t, get_name, char*, private_openssl_plugin_t *this) { @@ -469,8 +615,6 @@ METHOD(plugin_t, get_features, int, /* RSA private/public key loading */ PLUGIN_REGISTER(PRIVKEY, openssl_rsa_private_key_load, TRUE), PLUGIN_PROVIDE(PRIVKEY, KEY_RSA), - PLUGIN_REGISTER(PRIVKEY, openssl_rsa_private_key_connect, FALSE), - PLUGIN_PROVIDE(PRIVKEY, KEY_ANY), PLUGIN_REGISTER(PRIVKEY_GEN, openssl_rsa_private_key_gen, FALSE), PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_RSA), PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE), @@ -480,6 +624,10 @@ METHOD(plugin_t, get_features, int, /* signature/encryption schemes */ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_NULL), PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_NULL), +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PSS), +#endif #ifndef OPENSSL_NO_SHA1 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA1), PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1), @@ -554,6 +702,8 @@ METHOD(plugin_t, get_features, int, /* generic key loader */ PLUGIN_REGISTER(PRIVKEY, openssl_private_key_load, TRUE), PLUGIN_PROVIDE(PRIVKEY, KEY_ANY), + PLUGIN_REGISTER(PRIVKEY, openssl_private_key_connect, FALSE), + PLUGIN_PROVIDE(PRIVKEY, KEY_ANY), PLUGIN_REGISTER(RNG, openssl_rng_create), PLUGIN_PROVIDE(RNG, RNG_STRONG), PLUGIN_PROVIDE(RNG, RNG_WEAK), diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c index 54ecf2542..401a51a0b 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2016 Tobias Brunner + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2009 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -20,16 +20,15 @@ #include "openssl_rsa_private_key.h" #include "openssl_rsa_public_key.h" +#include "openssl_hasher.h" #include "openssl_util.h" #include <utils/debug.h> +#include <credentials/keys/signature_params.h> #include <openssl/bn.h> #include <openssl/evp.h> #include <openssl/rsa.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif /* OPENSSL_NO_ENGINE */ /** * Public exponent to use for key generation. @@ -40,6 +39,7 @@ OPENSSL_KEY_FALLBACK(RSA, key, n, e, d) OPENSSL_KEY_FALLBACK(RSA, factors, p, q) OPENSSL_KEY_FALLBACK(RSA, crt_params, dmp1, dmq1, iqmp) +#define BN_secure_new() BN_new() #endif typedef struct private_openssl_rsa_private_key_t private_openssl_rsa_private_key_t; @@ -72,8 +72,126 @@ struct private_openssl_rsa_private_key_t { /* implemented in rsa public key */ bool openssl_rsa_fingerprint(RSA *rsa, cred_encoding_type_t type, chunk_t *fp); +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + /** - * Build an EMPSA PKCS1 signature described in PKCS#1 + * Build RSA signature + */ +static bool build_signature(private_openssl_rsa_private_key_t *this, + const EVP_MD *md, rsa_pss_params_t *pss, + chunk_t data, chunk_t *sig) +{ + EVP_PKEY_CTX *pctx = NULL; + EVP_MD_CTX *mctx = NULL; + EVP_PKEY *key; + bool success = FALSE; + + mctx = EVP_MD_CTX_create(); + key = EVP_PKEY_new(); + if (!mctx || !key) + { + goto error; + } + if (!EVP_PKEY_set1_RSA(key, this->rsa)) + { + goto error; + } + if (EVP_DigestSignInit(mctx, &pctx, md, NULL, key) <= 0) + { + goto error; + } + if (pss) + { + const EVP_MD *mgf1md = openssl_get_md(pss->mgf1_hash); + int slen = EVP_MD_size(md); + if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT) + { + slen = pss->salt_len; + } + if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 || + EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, slen) <= 0 || + EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1md) <= 0) + { + goto error; + } + } + if (EVP_DigestSignUpdate(mctx, data.ptr, data.len) <= 0) + { + goto error; + } + success = (EVP_DigestSignFinal(mctx, sig->ptr, &sig->len) == 1); + +error: + if (key) + { + EVP_PKEY_free(key); + } + if (mctx) + { + EVP_MD_CTX_destroy(mctx); + } + return success; +} + +/** + * Build an EMSA PKCS1 signature described in PKCS#1 + */ +static bool build_emsa_pkcs1_signature(private_openssl_rsa_private_key_t *this, + int type, chunk_t data, chunk_t *sig) +{ + const EVP_MD *md; + + *sig = chunk_alloc(RSA_size(this->rsa)); + + if (type == NID_undef) + { + if (RSA_private_encrypt(data.len, data.ptr, sig->ptr, this->rsa, + RSA_PKCS1_PADDING) == sig->len) + { + return TRUE; + } + } + else + { + md = EVP_get_digestbynid(type); + if (md && build_signature(this, md, NULL, data, sig)) + { + return TRUE; + } + } + chunk_free(sig); + return FALSE; +} + +/** + * Build an EMSA PSS signature described in PKCS#1 + */ +static bool build_emsa_pss_signature(private_openssl_rsa_private_key_t *this, + rsa_pss_params_t *params, chunk_t data, + chunk_t *sig) +{ + const EVP_MD *md; + + if (!params) + { + return FALSE; + } + + *sig = chunk_alloc(RSA_size(this->rsa)); + + md = openssl_get_md(params->hash); + if (md && build_signature(this, md, params, data, sig)) + { + return TRUE; + } + chunk_free(sig); + return FALSE; +} + +#else /* OPENSSL_VERSION_NUMBER < 1.0 */ + +/** + * Build an EMSA PKCS1 signature described in PKCS#1 */ static bool build_emsa_pkcs1_signature(private_openssl_rsa_private_key_t *this, int type, chunk_t data, chunk_t *sig) @@ -92,15 +210,15 @@ static bool build_emsa_pkcs1_signature(private_openssl_rsa_private_key_t *this, } else { - EVP_MD_CTX *ctx; - EVP_PKEY *key; + EVP_MD_CTX *ctx = NULL; + EVP_PKEY *key = NULL; const EVP_MD *hasher; u_int len; hasher = EVP_get_digestbynid(type); if (!hasher) { - return FALSE; + goto error; } ctx = EVP_MD_CTX_create(); @@ -142,7 +260,7 @@ error: } return success; } - +#endif /* OPENSSL_VERSION_NUMBER < 1.0 */ METHOD(private_key_t, get_type, key_type_t, private_openssl_rsa_private_key_t *this) @@ -152,7 +270,7 @@ METHOD(private_key_t, get_type, key_type_t, METHOD(private_key_t, sign, bool, private_openssl_rsa_private_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t *signature) + void *params, chunk_t data, chunk_t *signature) { switch (scheme) { @@ -170,6 +288,10 @@ METHOD(private_key_t, sign, bool, return build_emsa_pkcs1_signature(this, NID_sha1, data, signature); case SIGN_RSA_EMSA_PKCS1_MD5: return build_emsa_pkcs1_signature(this, NID_md5, data, signature); +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + case SIGN_RSA_EMSA_PSS: + return build_emsa_pss_signature(this, params, data, signature); +#endif default: DBG1(DBG_LIB, "signature scheme %N not supported in RSA", signature_scheme_names, scheme); @@ -386,7 +508,7 @@ error: /* * See header */ -private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key) +private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key, bool engine) { private_openssl_rsa_private_key_t *this; RSA *rsa; @@ -399,9 +521,199 @@ private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key) } this = create_empty(); this->rsa = rsa; + this->engine = engine; return &this->public.key; } +/** + * Recover the primes from n, e and d using the algorithm described in + * Appendix C of NIST SP 800-56B. + */ +static bool calculate_pq(BIGNUM *n, BIGNUM *e, BIGNUM *d, + BIGNUM **p, BIGNUM **q) +{ + BN_CTX *ctx; + BIGNUM *k, *r, *g, *y, *n1, *x; + int i, t, j; + bool success = FALSE; + + ctx = BN_CTX_new(); + if (!ctx) + { + return FALSE; + } + BN_CTX_start(ctx); + k = BN_CTX_get(ctx); + r = BN_CTX_get(ctx); + g = BN_CTX_get(ctx); + y = BN_CTX_get(ctx); + n1 = BN_CTX_get(ctx); + x = BN_CTX_get(ctx); + if (!x) + { + goto error; + } + /* k = (d * e) - 1 */ + if (!BN_mul(k, d, e, ctx) || !BN_sub(k, k, BN_value_one())) + { + goto error; + } + /* k must be even */ + if (BN_is_odd(k)) + { + goto error; + } + /* k = 2^t * r, where r is the largest odd integer dividing k, and t >= 1 */ + if (!BN_copy(r, k)) + { + goto error; + } + for (t = 0; !BN_is_odd(r); t++) + { /* r = r/2 */ + if (!BN_rshift(r, r, 1)) + { + goto error; + } + } + /* we need n-1 below */ + if (!BN_sub(n1, n, BN_value_one())) + { + goto error; + } + for (i = 0; i < 100; i++) + { /* generate random integer g in [0, n-1] */ + if (!BN_pseudo_rand_range(g, n)) + { + goto error; + } + /* y = g^r mod n */ + if (!BN_mod_exp(y, g, r, n, ctx)) + { + goto error; + } + /* try again if y == 1 or y == n-1 */ + if (BN_is_one(y) || BN_cmp(y, n1) == 0) + { + continue; + } + for (j = 0; j < t; j++) + { /* x = y^2 mod n */ + if (!BN_mod_sqr(x, y, n, ctx)) + { + goto error; + } + /* stop if x == 1 */ + if (BN_is_one(x)) + { + goto done; + } + /* retry with new g if x = n-1 */ + if (BN_cmp(x, n1) == 0) + { + break; + } + /* y = x */ + if (!BN_copy(y, x)) + { + goto error; + } + } + } + goto error; + +done: + /* p = gcd(y-1, n) */ + if (!BN_sub(y, y, BN_value_one())) + { + goto error; + } + *p = BN_secure_new(); + if (!BN_gcd(*p, y, n, ctx)) + { + BN_clear_free(*p); + goto error; + } + /* q = n/p */ + *q = BN_secure_new(); + if (!BN_div(*q, NULL, n, *p, ctx)) + { + BN_clear_free(*p); + BN_clear_free(*q); + goto error; + } + success = TRUE; + +error: + BN_CTX_end(ctx); + BN_CTX_free(ctx); + return success; +} + +/** + * Calculates dp = d (mod p-1) or dq = d (mod q-1) for the Chinese remainder + * algorithm. + */ +static BIGNUM *dmodpq1(BIGNUM *d, BIGNUM *pq) +{ + BN_CTX *ctx; + BIGNUM *res = NULL, *pq1; + + ctx = BN_CTX_new(); + if (!ctx) + { + return NULL; + } + BN_CTX_start(ctx); + pq1 = BN_CTX_get(ctx); + /* p|q - 1 */ + if (!BN_sub(pq1, pq, BN_value_one())) + { + goto error; + } + /* d (mod p|q -1) */ + res = BN_secure_new(); + if (!BN_mod(res, d, pq1, ctx)) + { + BN_clear_free(res); + res = NULL; + goto error; + } + +error: + BN_CTX_end(ctx); + BN_CTX_free(ctx); + return res; +} + +/** + * Calculates qinv = q^-1 (mod p) for the Chinese remainder algorithm. + */ +static BIGNUM *qinv(BIGNUM *q, BIGNUM *p) +{ + BN_CTX *ctx; + BIGNUM *res = NULL; + + ctx = BN_CTX_new(); + if (!ctx) + { + return NULL; + } + BN_CTX_start(ctx); + /* q^-1 (mod p) */ + res = BN_secure_new(); + if (!BN_mod_inverse(res, q, p, ctx)) + { + BN_clear_free(res); + res = NULL; + goto error; + } + +error: + BN_CTX_end(ctx); + BN_CTX_free(ctx); + return res; +} + /* * See header */ @@ -460,7 +772,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type, return &this->public; } } - else if (n.ptr && e.ptr && d.ptr && p.ptr && q.ptr && coeff.ptr) + else if (n.ptr && e.ptr && d.ptr) { BIGNUM *bn_n, *bn_e, *bn_d, *bn_p, *bn_q; BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; @@ -472,178 +784,58 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type, bn_d = BN_bin2bn((const u_char*)d.ptr, d.len, NULL); if (!RSA_set0_key(this->rsa, bn_n, bn_e, bn_d)) { - destroy(this); - return NULL; + goto error; } - bn_p = BN_bin2bn((const u_char*)p.ptr, p.len, NULL); - bn_q = BN_bin2bn((const u_char*)q.ptr, q.len, NULL); + if (p.ptr && q.ptr) + { + bn_p = BN_bin2bn((const u_char*)p.ptr, p.len, NULL); + bn_q = BN_bin2bn((const u_char*)q.ptr, q.len, NULL); + } + else + { + if (!calculate_pq(bn_n, bn_e, bn_d, &bn_p, &bn_q)) + { + goto error; + } + } if (!RSA_set0_factors(this->rsa, bn_p, bn_q)) { - destroy(this); - return NULL; + goto error; } if (exp1.ptr) { dmp1 = BN_bin2bn((const u_char*)exp1.ptr, exp1.len, NULL); } - if (exp2.ptr) + else { - dmq1 = BN_bin2bn((const u_char*)exp2.ptr, exp2.len, NULL); + dmp1 = dmodpq1(bn_d, bn_p); } - iqmp = BN_bin2bn((const u_char*)coeff.ptr, coeff.len, NULL); - if (RSA_set0_crt_params(this->rsa, dmp1, dmq1, iqmp) && - RSA_check_key(this->rsa) == 1) + if (exp2.ptr) { - return &this->public; + dmq1 = BN_bin2bn((const u_char*)exp2.ptr, exp2.len, NULL); } - } - destroy(this); - return NULL; -} - -#ifndef OPENSSL_NO_ENGINE -/** - * Login to engine with a PIN specified for a keyid - */ -static bool login(ENGINE *engine, chunk_t keyid) -{ - enumerator_t *enumerator; - shared_key_t *shared; - identification_t *id; - chunk_t key; - char pin[64]; - bool found = FALSE, success = FALSE; - - id = identification_create_from_encoding(ID_KEY_ID, keyid); - enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, - SHARED_PIN, id, NULL); - while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) - { - found = TRUE; - key = shared->get_key(shared); - if (snprintf(pin, sizeof(pin), - "%.*s", (int)key.len, key.ptr) >= sizeof(pin)) + else { - continue; + dmq1 = dmodpq1(bn_d, bn_q); } - if (ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0)) + if (coeff.ptr) { - success = TRUE; - break; + iqmp = BN_bin2bn((const u_char*)coeff.ptr, coeff.len, NULL); } else { - DBG1(DBG_CFG, "setting PIN on engine failed"); + iqmp = qinv(bn_q, bn_p); } - } - enumerator->destroy(enumerator); - id->destroy(id); - if (!found) - { - DBG1(DBG_CFG, "no PIN found for %#B", &keyid); - } - return success; -} -#endif /* OPENSSL_NO_ENGINE */ - -/* - * See header. - */ -openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type, - va_list args) -{ -#ifndef OPENSSL_NO_ENGINE - private_openssl_rsa_private_key_t *this; - char *engine_id = NULL; - char keyname[64]; - chunk_t keyid = chunk_empty;; - EVP_PKEY *key; - ENGINE *engine; - int slot = -1; - - while (TRUE) - { - switch (va_arg(args, builder_part_t)) + if (RSA_set0_crt_params(this->rsa, dmp1, dmq1, iqmp) && + RSA_check_key(this->rsa) == 1) { - case BUILD_PKCS11_KEYID: - keyid = va_arg(args, chunk_t); - continue; - case BUILD_PKCS11_SLOT: - slot = va_arg(args, int); - continue; - case BUILD_PKCS11_MODULE: - engine_id = va_arg(args, char*); - continue; - case BUILD_END: - break; - default: - return NULL; + return &this->public; } - break; - } - if (!keyid.len || keyid.len > 40) - { - return NULL; - } - - memset(keyname, 0, sizeof(keyname)); - if (slot != -1) - { - snprintf(keyname, sizeof(keyname), "%d:", slot); - } - if (sizeof(keyname) - strlen(keyname) <= keyid.len * 4 / 3 + 1) - { - return NULL; - } - chunk_to_hex(keyid, keyname + strlen(keyname), FALSE); - - if (!engine_id) - { - engine_id = lib->settings->get_str(lib->settings, - "%s.plugins.openssl.engine_id", "pkcs11", lib->ns); - } - engine = ENGINE_by_id(engine_id); - if (!engine) - { - DBG2(DBG_LIB, "engine '%s' is not available", engine_id); - return NULL; - } - if (!ENGINE_init(engine)) - { - DBG1(DBG_LIB, "failed to initialize engine '%s'", engine_id); - ENGINE_free(engine); - return NULL; - } - if (!login(engine, keyid)) - { - DBG1(DBG_LIB, "login to engine '%s' failed", engine_id); - ENGINE_free(engine); - return NULL; - } - key = ENGINE_load_private_key(engine, keyname, NULL, NULL); - if (!key) - { - DBG1(DBG_LIB, "failed to load private key with ID '%s' from " - "engine '%s'", keyname, engine_id); - ENGINE_free(engine); - return NULL; - } - ENGINE_free(engine); - - this = create_empty(); - this->rsa = EVP_PKEY_get1_RSA(key); - this->engine = TRUE; - if (!this->rsa) - { - destroy(this); - return NULL; } - - return &this->public; -#else /* OPENSSL_NO_ENGINE */ +error: + destroy(this); return NULL; -#endif /* OPENSSL_NO_ENGINE */ } #endif /* OPENSSL_NO_RSA */ diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h index 34ce4c776..783181c1d 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h @@ -67,9 +67,10 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type, * Wrap an EVP_PKEY object of type EVP_PKEY_RSA * * @param key EVP_PKEY_RSA key object (adopted) + * @param engine whether the key was loaded via an engine * @return loaded key, NULL on failure */ -private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key); +private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key, bool engine); /** * Connect to a RSA private key on a smartcard. diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c index d3a644f72..20bf30ae9 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c @@ -1,7 +1,7 @@ /* + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2009 Martin Willi - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -19,9 +19,11 @@ #ifndef OPENSSL_NO_RSA #include "openssl_rsa_public_key.h" +#include "openssl_hasher.h" #include "openssl_util.h" #include <utils/debug.h> +#include <credentials/keys/signature_params.h> #include <openssl/bn.h> #include <openssl/evp.h> @@ -54,8 +56,138 @@ struct private_openssl_rsa_public_key_t { refcount_t ref; }; + +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + +/** + * Verify RSA signature + */ +static bool verify_signature(private_openssl_rsa_public_key_t *this, + const EVP_MD *md, rsa_pss_params_t *pss, + chunk_t data, chunk_t signature) +{ + EVP_PKEY_CTX *pctx = NULL; + EVP_MD_CTX *mctx = NULL; + EVP_PKEY *key; + int rsa_size = RSA_size(this->rsa); + bool valid = FALSE; + + /* OpenSSL expects a signature of exactly RSA size (no leading 0x00) */ + if (signature.len > rsa_size) + { + signature = chunk_skip(signature, signature.len - rsa_size); + } + + mctx = EVP_MD_CTX_create(); + key = EVP_PKEY_new(); + if (!mctx || !key) + { + goto error; + } + if (!EVP_PKEY_set1_RSA(key, this->rsa)) + { + goto error; + } + if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, key) <= 0) + { + goto error; + } + if (pss) + { + const EVP_MD *mgf1md = openssl_get_md(pss->mgf1_hash); + int slen = EVP_MD_size(md); + if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT) + { + slen = pss->salt_len; + } + if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 || + EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, slen) <= 0 || + EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1md) <= 0) + { + goto error; + } + } + if (EVP_DigestVerifyUpdate(mctx, data.ptr, data.len) <= 0) + { + goto error; + } + valid = (EVP_DigestVerifyFinal(mctx, signature.ptr, signature.len) == 1); + +error: + if (key) + { + EVP_PKEY_free(key); + } + if (mctx) + { + EVP_MD_CTX_destroy(mctx); + } + return valid; +} + /** - * Verification of an EMPSA PKCS1 signature described in PKCS#1 + * Verification of a signature without hashing + */ +static bool verify_plain_signature(private_openssl_rsa_public_key_t *this, + chunk_t data, chunk_t signature) +{ + char *buf; + int len, rsa_size = RSA_size(this->rsa); + bool valid = FALSE; + + /* OpenSSL expects a signature of exactly RSA size (no leading 0x00) */ + if (signature.len > rsa_size) + { + signature = chunk_skip(signature, signature.len - rsa_size); + } + buf = malloc(rsa_size); + len = RSA_public_decrypt(signature.len, signature.ptr, buf, this->rsa, + RSA_PKCS1_PADDING); + if (len != -1) + { + valid = chunk_equals_const(data, chunk_create(buf, len)); + } + free(buf); + return valid; +} + +/** + * Verification of an EMSA PKCS1 signature described in PKCS#1 + */ +static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this, + int type, chunk_t data, chunk_t signature) +{ + const EVP_MD *md; + + if (type == NID_undef) + { + return verify_plain_signature(this, data, signature); + } + md = EVP_get_digestbynid(type); + return md && verify_signature(this, md, NULL, data, signature); +} + +/** + * Verification of an EMSA PSS signature described in PKCS#1 + */ +static bool verify_emsa_pss_signature(private_openssl_rsa_public_key_t *this, + rsa_pss_params_t *params, chunk_t data, + chunk_t signature) +{ + const EVP_MD *md; + + if (!params) + { + return FALSE; + } + md = openssl_get_md(params->hash); + return md && verify_signature(this, md, params, data, signature); +} + +#else /* OPENSSL_VERSION_NUMBER < 1.0 */ + +/** + * Verification of an EMSA PKCS1 signature described in PKCS#1 */ static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this, int type, chunk_t data, chunk_t signature) @@ -129,6 +261,8 @@ error: return valid; } +#endif /* OPENSSL_VERSION_NUMBER < 1.0 */ + METHOD(public_key_t, get_type, key_type_t, private_openssl_rsa_public_key_t *this) { @@ -137,7 +271,7 @@ METHOD(public_key_t, get_type, key_type_t, METHOD(public_key_t, verify, bool, private_openssl_rsa_public_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t signature) + void *params, chunk_t data, chunk_t signature) { switch (scheme) { @@ -155,6 +289,10 @@ METHOD(public_key_t, verify, bool, return verify_emsa_pkcs1_signature(this, NID_sha1, data, signature); case SIGN_RSA_EMSA_PKCS1_MD5: return verify_emsa_pkcs1_signature(this, NID_md5, data, signature); +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + case SIGN_RSA_EMSA_PSS: + return verify_emsa_pss_signature(this, params, data, signature); +#endif default: DBG1(DBG_LIB, "signature scheme %N not supported in RSA", signature_scheme_names, scheme); diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c index f6df03f12..3a6d2f193 100644 --- a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c +++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c @@ -20,6 +20,7 @@ #include "openssl_sha1_prf.h" #include <openssl/sha.h> +#include <crypto/hashers/hasher.h> typedef struct private_openssl_sha1_prf_t private_openssl_sha1_prf_t; diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c index e03a4255d..60c08770b 100644 --- a/src/libstrongswan/plugins/openssl/openssl_x509.c +++ b/src/libstrongswan/plugins/openssl/openssl_x509.c @@ -1,6 +1,6 @@ /* - * Copyright (C) 2011 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2011-2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG @@ -154,7 +154,7 @@ struct private_openssl_x509_t { /** * Signature scheme of the certificate */ - signature_scheme_t scheme; + signature_params_t *scheme; /** * subjectAltNames @@ -189,16 +189,6 @@ struct private_openssl_x509_t { }; /** - * Destroy a CRL URI struct - */ -static void crl_uri_destroy(x509_cdp_t *this) -{ - free(this->uri); - DESTROY_IF(this->issuer); - free(this); -} - -/** * Convert a GeneralName to an identification_t. */ static identification_t *general_name2id(GENERAL_NAME *name) @@ -394,7 +384,7 @@ METHOD(certificate_t, has_issuer, id_match_t, METHOD(certificate_t, issued_by, bool, private_openssl_x509_t *this, certificate_t *issuer, - signature_scheme_t *scheme) + signature_params_t **scheme) { public_key_t *key; bool valid; @@ -406,7 +396,8 @@ METHOD(certificate_t, issued_by, bool, { if (this->flags & X509_SELF_SIGNED) { - return TRUE; + valid = TRUE; + goto out; } } else @@ -424,10 +415,6 @@ METHOD(certificate_t, issued_by, bool, return FALSE; } } - if (this->scheme == SIGN_UNKNOWN) - { - return FALSE; - } key = issuer->get_public_key(issuer); if (!key) { @@ -440,12 +427,15 @@ METHOD(certificate_t, issued_by, bool, tbs = openssl_i2chunk(X509_CINF, this->x509->cert_info); #endif X509_get0_signature(&sig, NULL, this->x509); - valid = key->verify(key, this->scheme, tbs, openssl_asn1_str2chunk(sig)); + valid = key->verify(key, this->scheme->scheme, this->scheme->params, tbs, + openssl_asn1_str2chunk(sig)); free(tbs.ptr); key->destroy(key); + +out: if (valid && scheme) { - *scheme = this->scheme; + *scheme = signature_params_clone(this->scheme); } return valid; } @@ -538,6 +528,7 @@ METHOD(certificate_t, destroy, void, { X509_free(this->x509); } + signature_params_destroy(this->scheme); DESTROY_IF(this->subject); DESTROY_IF(this->issuer); DESTROY_IF(this->pubkey); @@ -549,7 +540,8 @@ METHOD(certificate_t, destroy, void, offsetof(identification_t, destroy)); this->issuerAltNames->destroy_offset(this->issuerAltNames, offsetof(identification_t, destroy)); - this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy); + this->crl_uris->destroy_function(this->crl_uris, + (void*)x509_cdp_destroy); this->ocsp_uris->destroy_function(this->ocsp_uris, free); this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, offsetof(traffic_selector_t, destroy)); @@ -739,15 +731,15 @@ static bool parse_extKeyUsage_ext(private_openssl_x509_t *this, /** * Parse CRL distribution points */ -static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, - X509_EXTENSION *ext) +bool openssl_parse_crlDistributionPoints(X509_EXTENSION *ext, + linked_list_t *list) { CRL_DIST_POINTS *cdps; DIST_POINT *cdp; identification_t *id, *issuer; x509_cdp_t *entry; char *uri; - int i, j, k, point_num, name_num, issuer_num; + int i, j, k, point_num, name_num, issuer_num, len; cdps = X509V3_EXT_d2i(ext); if (!cdps) @@ -770,7 +762,12 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, cdp->distpoint->name.fullname, j)); if (id) { - if (asprintf(&uri, "%Y", id) > 0) + len = asprintf(&uri, "%Y", id); + if (!len) + { + free(uri); + } + else if (len > 0) { if (cdp->CRLissuer) { @@ -785,8 +782,7 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, .uri = strdup(uri), .issuer = issuer, ); - this->crl_uris->insert_last( - this->crl_uris, entry); + list->insert_last(list, entry); } } free(uri); @@ -796,7 +792,7 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, INIT(entry, .uri = uri, ); - this->crl_uris->insert_last(this->crl_uris, entry); + list->insert_last(list, entry); } } id->destroy(id); @@ -820,7 +816,7 @@ static bool parse_authorityInfoAccess_ext(private_openssl_x509_t *this, AUTHORITY_INFO_ACCESS *infos; ACCESS_DESCRIPTION *desc; identification_t *id; - int i, num; + int i, num, len; char *uri; infos = X509V3_EXT_d2i(ext); @@ -839,7 +835,12 @@ static bool parse_authorityInfoAccess_ext(private_openssl_x509_t *this, id = general_name2id(desc->location); if (id) { - if (asprintf(&uri, "%Y", id) > 0) + len = asprintf(&uri, "%Y", id); + if (!len) + { + free(uri); + } + else if (len > 0) { this->ocsp_uris->insert_last(this->ocsp_uris, uri); } @@ -1025,7 +1026,7 @@ static bool parse_extensions(private_openssl_x509_t *this) ok = parse_extKeyUsage_ext(this, ext); break; case NID_crl_distribution_points: - ok = parse_crlDistributionPoints_ext(this, ext); + ok = openssl_parse_crlDistributionPoints(ext, this->crl_uris); break; #ifndef OPENSSL_NO_RFC3779 case NID_sbgp_ipAddrBlock: @@ -1063,8 +1064,8 @@ static bool parse_certificate(private_openssl_x509_t *this) { const unsigned char *ptr = this->encoding.ptr; hasher_t *hasher; - chunk_t chunk; - ASN1_OBJECT *oid, *oid_tbs; + chunk_t chunk, sig_scheme, sig_scheme_tbs; + ASN1_OBJECT *oid; X509_ALGOR *alg; this->x509 = d2i_X509(NULL, &ptr, this->encoding.len); @@ -1089,6 +1090,10 @@ static bool parse_certificate(private_openssl_x509_t *this) } switch (openssl_asn1_known_oid(oid)) { + case OID_RSASSA_PSS: + /* TODO: we should treat such keys special and use the params as + * restrictions regarding the use of this key (or rather the + * associated private key) */ case OID_RSA_ENCRYPTION: this->pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, BUILD_BLOB_ASN1_DER, @@ -1119,15 +1124,25 @@ static bool parse_certificate(private_openssl_x509_t *this) /* while X509_ALGOR_cmp() is declared in the headers of older OpenSSL * versions, at least on Ubuntu 14.04 it is not actually defined */ X509_get0_signature(NULL, &alg, this->x509); - X509_ALGOR_get0(&oid, NULL, NULL, alg); + sig_scheme = openssl_i2chunk(X509_ALGOR, alg); alg = X509_get0_tbs_sigalg(this->x509); - X509_ALGOR_get0(&oid_tbs, NULL, NULL, alg); - if (!chunk_equals(openssl_asn1_obj2chunk(oid), - openssl_asn1_obj2chunk(oid_tbs))) + sig_scheme_tbs = openssl_i2chunk(X509_ALGOR, alg); + if (!chunk_equals(sig_scheme, sig_scheme_tbs)) + { + free(sig_scheme_tbs.ptr); + free(sig_scheme.ptr); + return FALSE; + } + free(sig_scheme_tbs.ptr); + + INIT(this->scheme); + if (!signature_params_parse(sig_scheme, 0, this->scheme)) { + DBG1(DBG_ASN, "unable to parse signature algorithm"); + free(sig_scheme.ptr); return FALSE; } - this->scheme = signature_scheme_from_oid(openssl_asn1_known_oid(oid)); + free(sig_scheme.ptr); if (!parse_extensions(this)) { diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in index 101119300..02a022d03 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.in +++ b/src/libstrongswan/plugins/padlock/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in index 4b69f9f49..37917d441 100644 --- a/src/libstrongswan/plugins/pem/Makefile.in +++ b/src/libstrongswan/plugins/pem/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c index 76b0b7b40..8c6c5dae7 100644 --- a/src/libstrongswan/plugins/pem/pem_encoder.c +++ b/src/libstrongswan/plugins/pem/pem_encoder.c @@ -15,6 +15,8 @@ #include "pem_encoder.h" +#include <library.h> + #define BYTES_PER_LINE 48 /** diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in index 8104a2a94..10eb82619 100644 --- a/src/libstrongswan/plugins/pgp/Makefile.in +++ b/src/libstrongswan/plugins/pgp/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/pgp/pgp_builder.c b/src/libstrongswan/plugins/pgp/pgp_builder.c index fe0be45d9..e8f5c5ddf 100644 --- a/src/libstrongswan/plugins/pgp/pgp_builder.c +++ b/src/libstrongswan/plugins/pgp/pgp_builder.c @@ -116,21 +116,17 @@ static private_key_t *parse_rsa_private_key(chunk_t blob) BUILD_END); } -/** - * Implementation of private_key_t.sign for encryption-only keys - */ -static bool sign_not_allowed(private_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t *signature) +METHOD(private_key_t, sign_not_allowed, bool, + private_key_t *this, signature_scheme_t scheme, void *params, + chunk_t data, chunk_t *signature) { DBG1(DBG_LIB, "signing failed - decryption only key"); return FALSE; } -/** - * Implementation of private_key_t.decrypt for signature-only keys - */ -static bool decrypt_not_allowed(private_key_t *this, encryption_scheme_t scheme, - chunk_t crypto, chunk_t *plain) +METHOD(private_key_t, decrypt_not_allowed, bool, + private_key_t *this, encryption_scheme_t scheme, + chunk_t crypto, chunk_t *plain) { DBG1(DBG_LIB, "decryption failed - signature only key"); return FALSE; @@ -186,7 +182,7 @@ static private_key_t *parse_private_key(chunk_t blob) BUILD_BLOB_PGP, packet, BUILD_END); if (key) { - key->sign = sign_not_allowed; + key->sign = _sign_not_allowed; } return key; case PGP_PUBKEY_ALG_RSA_SIGN_ONLY: @@ -194,7 +190,7 @@ static private_key_t *parse_private_key(chunk_t blob) BUILD_BLOB_PGP, packet, BUILD_END); if (key) { - key->decrypt = decrypt_not_allowed; + key->decrypt = _decrypt_not_allowed; } return key; case PGP_PUBKEY_ALG_ECDSA: diff --git a/src/libstrongswan/plugins/pgp/pgp_cert.c b/src/libstrongswan/plugins/pgp/pgp_cert.c index 0ffce4cfc..392ef5440 100644 --- a/src/libstrongswan/plugins/pgp/pgp_cert.c +++ b/src/libstrongswan/plugins/pgp/pgp_cert.c @@ -114,7 +114,7 @@ METHOD(certificate_t, has_issuer, id_match_t, } METHOD(certificate_t, issued_by,bool, - private_pgp_cert_t *this, certificate_t *issuer, signature_scheme_t *scheme) + private_pgp_cert_t *this, certificate_t *issuer, signature_params_t **scheme) { /* TODO: check signature blobs for a valid signature */ return FALSE; diff --git a/src/libstrongswan/plugins/pgp/pgp_encoder.c b/src/libstrongswan/plugins/pgp/pgp_encoder.c index 100f3ef33..eba936b83 100644 --- a/src/libstrongswan/plugins/pgp/pgp_encoder.c +++ b/src/libstrongswan/plugins/pgp/pgp_encoder.c @@ -15,6 +15,7 @@ #include "pgp_encoder.h" +#include <library.h> #include <utils/debug.h> /** diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in index 6f6c6237f..ae24d4085 100644 --- a/src/libstrongswan/plugins/pkcs1/Makefile.in +++ b/src/libstrongswan/plugins/pkcs1/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c index f64294783..967e501d1 100644 --- a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c +++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c @@ -57,8 +57,13 @@ static public_key_t *parse_public_key(chunk_t blob) int oid = asn1_parse_algorithmIdentifier(object, parser->get_level(parser)+1, NULL); - if (oid == OID_RSA_ENCRYPTION || oid == OID_RSAES_OAEP) + if (oid == OID_RSA_ENCRYPTION || oid == OID_RSAES_OAEP || + oid == OID_RSASSA_PSS) { + /* TODO: we should parse parameters for PSS and pass them + * (and the type), or the complete subjectPublicKeyInfo, + * along so we can treat these as restrictions when + * generating signatures with the associated private key */ type = KEY_RSA; } else if (oid == OID_EC_PUBLICKEY) diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in index 7bf33d967..00d5a6a5d 100644 --- a/src/libstrongswan/plugins/pkcs11/Makefile.in +++ b/src/libstrongswan/plugins/pkcs11/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c index c0033bd8e..b0fa41b6a 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c @@ -415,13 +415,15 @@ static chunk_t ecparams_lookup(diffie_hellman_group_t group) /** * Described in header. */ -pkcs11_dh_t *pkcs11_dh_create(diffie_hellman_group_t group, - chunk_t g, chunk_t p) +pkcs11_dh_t *pkcs11_dh_create(diffie_hellman_group_t group, ...) { switch (group) { case MODP_CUSTOM: { + chunk_t g, p; + + VA_ARGS_GET(group, g, p); return create_modp(group, p.len, g, p); } case ECP_192_BIT: diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.h b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.h index 2654130c0..1ad58e7a1 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.h +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.h @@ -40,12 +40,10 @@ struct pkcs11_dh_t { * Creates a new pkcs11_dh_t object. * * @param group Diffie Hellman group number to use - * @param g generator in case group is MODP_CUSTOM - * @param p prime in case group is MODP_CUSTOM + * @param ... expects generator and prime as chunk_t if MODP_CUSTOM * @return pkcs11_dh_t object, NULL if not supported */ -pkcs11_dh_t *pkcs11_dh_create(diffie_hellman_group_t group, - chunk_t g, chunk_t p); +pkcs11_dh_t *pkcs11_dh_create(diffie_hellman_group_t group, ...); #endif /** PKCS11_DH_H_ @}*/ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c index 31bcb0d25..c7dfe69d7 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c @@ -164,18 +164,13 @@ static void handle_slot(lib_entry_t *entry, CK_SLOT_ID slot, bool hot) } } -/** - * Dispatch slot events - */ -static job_requeue_t dispatch_slot_events(lib_entry_t *entry) +CALLBACK(dispatch_slot_events, job_requeue_t, + lib_entry_t *entry) { CK_SLOT_ID slot; CK_RV rv; - bool old; - old = thread_cancelability(TRUE); rv = entry->lib->f->C_WaitForSlotEvent(0, &slot, NULL); - thread_cancelability(old); if (rv == CKR_FUNCTION_NOT_SUPPORTED || rv == CKR_NO_EVENT) { DBG1(DBG_CFG, "module '%s' does not support hot-plugging, cancelled", @@ -195,6 +190,16 @@ static job_requeue_t dispatch_slot_events(lib_entry_t *entry) return JOB_REQUEUE_DIRECT; } +CALLBACK(cancel_events, bool, + lib_entry_t *entry) +{ + /* it's possible other threads still use the API after this call, but we + * have no other way to return from C_WaitForSlotEvent() if we can't cancel + * the thread because libraries hold locks they don't release */ + entry->lib->f->C_Finalize(NULL); + return TRUE; +} + /** * Get the slot list of a library */ @@ -377,8 +382,8 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb, { query_slots(entry); lib->processor->queue_job(lib->processor, - (job_t*)callback_job_create_with_prio((void*)dispatch_slot_events, - entry, NULL, (void*)return_false, JOB_PRIO_CRITICAL)); + (job_t*)callback_job_create_with_prio(dispatch_slot_events, + entry, NULL, cancel_events, JOB_PRIO_CRITICAL)); } enumerator->destroy(enumerator); diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c index 1d1016911..6158f6d25 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c @@ -243,7 +243,7 @@ static bool reauth(private_pkcs11_private_key_t *this, } METHOD(private_key_t, sign, bool, - private_pkcs11_private_key_t *this, signature_scheme_t scheme, + private_pkcs11_private_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t *signature) { CK_MECHANISM_PTR mechanism; diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c index 384777610..36029fa30 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c @@ -201,7 +201,7 @@ METHOD(public_key_t, get_keysize, int, } METHOD(public_key_t, verify, bool, - private_pkcs11_public_key_t *this, signature_scheme_t scheme, + private_pkcs11_public_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t sig) { CK_MECHANISM_PTR mechanism; diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.in b/src/libstrongswan/plugins/pkcs12/Makefile.in index d25a1af44..6bb1b9a36 100644 --- a/src/libstrongswan/plugins/pkcs12/Makefile.in +++ b/src/libstrongswan/plugins/pkcs12/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in index e5698a302..f56df39d1 100644 --- a/src/libstrongswan/plugins/pkcs7/Makefile.in +++ b/src/libstrongswan/plugins/pkcs7/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c index 413c3fff5..9b6d3a808 100644 --- a/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c +++ b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c @@ -227,7 +227,8 @@ METHOD(enumerator_t, enumerate, bool, if (key) { chunk = info->attributes->get_encoding(info->attributes); - if (key->verify(key, scheme, chunk, info->encrypted_digest)) + if (key->verify(key, scheme, NULL, chunk, + info->encrypted_digest)) { this->auth = auth->clone(auth); key->destroy(key); @@ -563,7 +564,7 @@ static bool generate(private_pkcs7_signed_data_t *this, private_key_t *key, attributes = pkcs9->get_encoding(pkcs9); - if (!key->sign(key, scheme, attributes, &encryptedDigest)) + if (!key->sign(key, scheme, NULL, attributes, &encryptedDigest)) { free(data.ptr); return FALSE; diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in index 3ff09f5f2..9c408c443 100644 --- a/src/libstrongswan/plugins/pkcs8/Makefile.in +++ b/src/libstrongswan/plugins/pkcs8/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c index beb8866f8..6cd5da4fd 100644 --- a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c +++ b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c @@ -63,6 +63,17 @@ static private_key_t *parse_private_key(chunk_t blob) switch (oid) { + case OID_RSASSA_PSS: + /* TODO: parameters associated with such keys should be + * treated as restrictions later when signing (the type + * itself is already a restriction). However, the + * builders currently don't expect any parameters for + * RSA keys (we also only pass along the params, not the + * exact type, so we'd have to guess that params + * indicate RSA/PSS, but they are optional so that won't + * work for keys without specific restrictions) */ + params = chunk_empty; + /* fall-through */ case OID_RSA_ENCRYPTION: type = KEY_RSA; break; diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c index 42d443b7a..7d0cc88ed 100644 --- a/src/libstrongswan/plugins/plugin_loader.c +++ b/src/libstrongswan/plugins/plugin_loader.c @@ -438,7 +438,7 @@ static plugin_entry_t *load_plugin(private_plugin_loader_t *this, char *name, } } if (lib->settings->get_bool(lib->settings, "%s.dlopen_use_rtld_now", - lib->ns, FALSE)) + FALSE, lib->ns)) { flag = RTLD_NOW; } @@ -698,7 +698,6 @@ static bool load_dependencies(private_plugin_loader_t *this, int level) { registered_feature_t *registered, lookup; - int indent = level * 2; int i; /* first entry is provided feature, followed by dependencies */ @@ -741,6 +740,7 @@ static bool load_dependencies(private_plugin_loader_t *this, #ifndef USE_FUZZING char *name, *provide, *depend; + int indent = level * 2; name = provided->entry->plugin->get_name(provided->entry->plugin); provide = plugin_feature_get_string(&provided->feature[0]); @@ -828,7 +828,6 @@ static void load_provided(private_plugin_loader_t *this, provided_feature_t *provided, int level) { - int indent = level * 2; if (provided->loaded || provided->failed) { @@ -837,6 +836,7 @@ static void load_provided(private_plugin_loader_t *this, #ifndef USE_FUZZING char *name, *provide; + int indent = level * 2; name = provided->entry->plugin->get_name(provided->entry->plugin); provide = plugin_feature_get_string(provided->feature); diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in index 02607958f..ff7501c00 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.in +++ b/src/libstrongswan/plugins/pubkey/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c index 0631a6857..81dad65b7 100644 --- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c +++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c @@ -137,13 +137,16 @@ METHOD(certificate_t, equals, bool, METHOD(certificate_t, issued_by, bool, private_pubkey_cert_t *this, certificate_t *issuer, - signature_scheme_t *scheme) + signature_params_t **scheme) { - if (scheme) + bool valid = equals(this, issuer); + if (valid && scheme) { - *scheme = SIGN_UNKNOWN; + INIT(*scheme, + .scheme = SIGN_UNKNOWN, + ); } - return equals(this, issuer); + return valid; } METHOD(certificate_t, get_public_key, public_key_t*, diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in index 98702d0d3..3a22a6316 100644 --- a/src/libstrongswan/plugins/random/Makefile.in +++ b/src/libstrongswan/plugins/random/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/rc2/Makefile.in b/src/libstrongswan/plugins/rc2/Makefile.in index b874e9081..d37c9834d 100644 --- a/src/libstrongswan/plugins/rc2/Makefile.in +++ b/src/libstrongswan/plugins/rc2/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in index 40b1d7644..371e34db8 100644 --- a/src/libstrongswan/plugins/rdrand/Makefile.in +++ b/src/libstrongswan/plugins/rdrand/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in index 8254c1424..15e91b24a 100644 --- a/src/libstrongswan/plugins/revocation/Makefile.in +++ b/src/libstrongswan/plugins/revocation/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in index 0c68798a9..ff0a30462 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.in +++ b/src/libstrongswan/plugins/sha1/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in index 109726b6a..81284e137 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.in +++ b/src/libstrongswan/plugins/sha2/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/sha3/Makefile.in b/src/libstrongswan/plugins/sha3/Makefile.in index a1f79740b..3ca2f5e24 100644 --- a/src/libstrongswan/plugins/sha3/Makefile.in +++ b/src/libstrongswan/plugins/sha3/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in index ceccab7f1..47af2c5fd 100644 --- a/src/libstrongswan/plugins/soup/Makefile.in +++ b/src/libstrongswan/plugins/soup/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in index 39d705622..f0649b52a 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.in +++ b/src/libstrongswan/plugins/sqlite/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/sshkey/Makefile.in b/src/libstrongswan/plugins/sshkey/Makefile.in index ded2bf8f1..ac644ec0b 100644 --- a/src/libstrongswan/plugins/sshkey/Makefile.in +++ b/src/libstrongswan/plugins/sshkey/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index b7332d4a7..45879e841 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -265,9 +265,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in index 93159ff17..2a4788ee1 100644 --- a/src/libstrongswan/plugins/unbound/Makefile.in +++ b/src/libstrongswan/plugins/unbound/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/winhttp/Makefile.in b/src/libstrongswan/plugins/winhttp/Makefile.in index 91033262d..7cd680095 100644 --- a/src/libstrongswan/plugins/winhttp/Makefile.in +++ b/src/libstrongswan/plugins/winhttp/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in index 3596d1f85..0f54f8cf0 100644 --- a/src/libstrongswan/plugins/x509/Makefile.in +++ b/src/libstrongswan/plugins/x509/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c index ba459288b..7a5a31af7 100644 --- a/src/libstrongswan/plugins/x509/x509_ac.c +++ b/src/libstrongswan/plugins/x509/x509_ac.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler * Copyright (C) 2003 Martin Berner, Lukas Suter * Copyright (C) 2002-2017 Andreas Steffen @@ -116,9 +117,9 @@ struct private_x509_ac_t { bool noRevAvail; /** - * Signature algorithm + * Signature scheme */ - int algorithm; + signature_params_t *scheme; /** * Signature @@ -425,7 +426,7 @@ static bool parse_certificate(private_x509_ac_t *this) int objectID; int type = OID_UNKNOWN; int extn_oid = OID_UNKNOWN; - int sig_alg = OID_UNKNOWN; + signature_params_t sig_alg = {}; bool success = FALSE; bool critical; @@ -476,7 +477,11 @@ static bool parse_certificate(private_x509_ac_t *this) } break; case AC_OBJ_SIG_ALG: - sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL); + if (!signature_params_parse(object, level, &sig_alg)) + { + DBG1(DBG_ASN, " unable to parse signature algorithm"); + goto end; + } break; case AC_OBJ_SERIAL_NUMBER: this->serialNumber = chunk_clone(object); @@ -550,12 +555,15 @@ static bool parse_certificate(private_x509_ac_t *this) break; } case AC_OBJ_ALGORITHM: - this->algorithm = asn1_parse_algorithmIdentifier(object, level, - NULL); - if (this->algorithm != sig_alg) + INIT(this->scheme); + if (!signature_params_parse(object, level, this->scheme)) + { + DBG1(DBG_ASN, " unable to parse signature algorithm"); + goto end; + } + if (!signature_params_equal(this->scheme, &sig_alg)) { DBG1(DBG_ASN, " signature algorithms do not agree"); - success = FALSE; goto end; } break; @@ -570,6 +578,7 @@ static bool parse_certificate(private_x509_ac_t *this) end: parser->destroy(parser); + signature_params_clear(&sig_alg); return success; } @@ -742,13 +751,13 @@ static chunk_t build_extensions(private_x509_ac_t *this) /** * build attributeCertificateInfo */ -static chunk_t build_attr_cert_info(private_x509_ac_t *this) +static chunk_t build_attr_cert_info(private_x509_ac_t *this, chunk_t sig_scheme) { - return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmm", + return asn1_wrap(ASN1_SEQUENCE, "cmmcmmmm", ASN1_INTEGER_1, build_holder(this), build_v2_form(this), - asn1_algorithmIdentifier(OID_SHA1_WITH_RSA), + sig_scheme, asn1_simple_object(ASN1_INTEGER, this->serialNumber), build_attr_cert_validity(this), build_attributes(this), @@ -758,20 +767,39 @@ static chunk_t build_attr_cert_info(private_x509_ac_t *this) /** * build an X.509 attribute certificate */ -static bool build_ac(private_x509_ac_t *this) +static bool build_ac(private_x509_ac_t *this, hash_algorithm_t digest_alg) { - chunk_t signatureValue, attributeCertificateInfo; + chunk_t signatureValue, attributeCertificateInfo, sig_scheme; + private_key_t *key = this->signerKey; - attributeCertificateInfo = build_attr_cert_info(this); - if (!this->signerKey->sign(this->signerKey, SIGN_RSA_EMSA_PKCS1_SHA1, - attributeCertificateInfo, &signatureValue)) + if (!this->scheme) + { + INIT(this->scheme, + .scheme = signature_scheme_from_oid( + hasher_signature_algorithm_to_oid(digest_alg, + key->get_type(key))), + ); + } + if (this->scheme->scheme == SIGN_UNKNOWN) + { + return FALSE; + } + if (!signature_params_build(this->scheme, &sig_scheme)) + { + return FALSE; + } + + attributeCertificateInfo = build_attr_cert_info(this, sig_scheme); + if (!key->sign(key, this->scheme->scheme, this->scheme->params, + attributeCertificateInfo, &signatureValue)) { free(attributeCertificateInfo.ptr); + free(sig_scheme.ptr); return FALSE; } this->encoding = asn1_wrap(ASN1_SEQUENCE, "mmm", attributeCertificateInfo, - asn1_algorithmIdentifier(OID_SHA1_WITH_RSA), + sig_scheme, asn1_bitstring("m", signatureValue)); return TRUE; } @@ -886,10 +914,10 @@ METHOD(certificate_t, has_issuer, id_match_t, } METHOD(certificate_t, issued_by, bool, - private_x509_ac_t *this, certificate_t *issuer, signature_scheme_t *schemep) + private_x509_ac_t *this, certificate_t *issuer, + signature_params_t **scheme) { public_key_t *key; - signature_scheme_t scheme; bool valid; x509_t *x509 = (x509_t*)issuer; @@ -926,18 +954,16 @@ METHOD(certificate_t, issued_by, bool, } } - /* determine signature scheme */ - scheme = signature_scheme_from_oid(this->algorithm); - - if (scheme == SIGN_UNKNOWN || key == NULL) + if (!key) { return FALSE; } - valid = key->verify(key, scheme, this->certificateInfo, this->signature); + valid = key->verify(key, this->scheme->scheme, this->scheme->params, + this->certificateInfo, this->signature); key->destroy(key); - if (valid && schemep) + if (valid && scheme) { - *schemep = scheme; + *scheme = signature_params_clone(this->scheme); } return valid; } @@ -1020,6 +1046,7 @@ METHOD(certificate_t, destroy, void, DESTROY_IF(this->signerCert); DESTROY_IF(this->signerKey); this->groups->destroy_function(this->groups, (void*)group_destroy); + signature_params_destroy(this->scheme); free(this->serialNumber.ptr); free(this->authKeyIdentifier.ptr); free(this->encoding.ptr); @@ -1126,6 +1153,7 @@ static void add_groups_from_list(private_x509_ac_t *this, linked_list_t *list) */ x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args) { + hash_algorithm_t digest_alg = HASH_SHA1; private_x509_ac_t *ac; ac = create_empty(); @@ -1157,6 +1185,13 @@ x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args) ac->signerKey = va_arg(args, private_key_t*); ac->signerKey->get_ref(ac->signerKey); continue; + case BUILD_SIGNATURE_SCHEME: + ac->scheme = va_arg(args, signature_params_t*); + ac->scheme = signature_params_clone(ac->scheme); + continue; + case BUILD_DIGEST_ALG: + digest_alg = va_arg(args, int); + continue; case BUILD_END: break; default: @@ -1170,7 +1205,7 @@ x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args) ac->holderCert->get_type(ac->holderCert) == CERT_X509 && ac->signerCert->get_type(ac->signerCert) == CERT_X509) { - if (build_ac(ac)) + if (build_ac(ac, digest_alg)) { return &ac->public; } diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index 974e687f9..d1f9d9aac 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -4,7 +4,7 @@ * Copyright (C) 2002 Mario Strasser * Copyright (C) 2000-2017 Andreas Steffen * Copyright (C) 2006-2009 Martin Willi - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2017 Tobias Brunner * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -197,9 +197,9 @@ struct private_x509_cert_t { x509_flag_t flags; /** - * Signature algorithm + * Signature scheme */ - int algorithm; + signature_params_t *scheme; /** * Signature @@ -241,16 +241,6 @@ static bool gn_to_string(identification_t *id, char **uri) } /** - * Destroy a CertificateDistributionPoint - */ -static void crl_uri_destroy(x509_cdp_t *this) -{ - free(this->uri); - DESTROY_IF(this->issuer); - free(this); -} - -/** * Destroy a CertificatePolicy */ static void cert_policy_destroy(x509_cert_policy_t *this) @@ -1385,7 +1375,7 @@ static bool parse_certificate(private_x509_cert_t *this) chunk_t object; int objectID; int extn_oid = OID_UNKNOWN; - int sig_alg = OID_UNKNOWN; + signature_params_t sig_alg = {}; bool success = FALSE; bool critical = FALSE; @@ -1416,7 +1406,11 @@ static bool parse_certificate(private_x509_cert_t *this) this->serialNumber = object; break; case X509_OBJ_SIG_ALG: - sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL); + if (!signature_params_parse(object, level, &sig_alg)) + { + DBG1(DBG_ASN, " unable to parse signature algorithm"); + goto end; + } break; case X509_OBJ_ISSUER: this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object); @@ -1570,8 +1564,13 @@ static bool parse_certificate(private_x509_cert_t *this) break; } case X509_OBJ_ALGORITHM: - this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL); - if (this->algorithm != sig_alg) + INIT(this->scheme); + if (!signature_params_parse(object, level, this->scheme)) + { + DBG1(DBG_ASN, " unable to parse signature algorithm"); + goto end; + } + if (!signature_params_equal(this->scheme, &sig_alg)) { DBG1(DBG_ASN, " signature algorithms do not agree"); goto end; @@ -1588,6 +1587,7 @@ static bool parse_certificate(private_x509_cert_t *this) end: parser->destroy(parser); + signature_params_clear(&sig_alg); if (success) { hasher_t *hasher; @@ -1687,10 +1687,9 @@ METHOD(certificate_t, has_issuer, id_match_t, METHOD(certificate_t, issued_by, bool, private_x509_cert_t *this, certificate_t *issuer, - signature_scheme_t *schemep) + signature_params_t **scheme) { public_key_t *key; - signature_scheme_t scheme; bool valid; x509_t *x509 = (x509_t*)issuer; @@ -1698,6 +1697,10 @@ METHOD(certificate_t, issued_by, bool, { if (this->flags & X509_SELF_SIGNED) { + if (scheme) + { + *scheme = signature_params_clone(this->scheme); + } return TRUE; } } @@ -1717,23 +1720,18 @@ METHOD(certificate_t, issued_by, bool, return FALSE; } - /* determine signature scheme */ - scheme = signature_scheme_from_oid(this->algorithm); - if (scheme == SIGN_UNKNOWN) - { - return FALSE; - } /* get the public key of the issuer */ key = issuer->get_public_key(issuer); if (!key) { return FALSE; } - valid = key->verify(key, scheme, this->tbsCertificate, this->signature); + valid = key->verify(key, this->scheme->scheme, this->scheme->params, + this->tbsCertificate, this->signature); key->destroy(key); - if (valid && schemep) + if (valid && scheme) { - *schemep = scheme; + *scheme = signature_params_clone(this->scheme); } return valid; } @@ -1920,7 +1918,8 @@ METHOD(certificate_t, destroy, void, { this->subjectAltNames->destroy_offset(this->subjectAltNames, offsetof(identification_t, destroy)); - this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy); + this->crl_uris->destroy_function(this->crl_uris, + (void*)x509_cdp_destroy); this->ocsp_uris->destroy_function(this->ocsp_uris, free); this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, offsetof(traffic_selector_t, destroy)); @@ -1932,6 +1931,7 @@ METHOD(certificate_t, destroy, void, (void*)cert_policy_destroy); this->policy_mappings->destroy_function(this->policy_mappings, (void*)policy_mapping_destroy); + signature_params_destroy(this->scheme); DESTROY_IF(this->issuer); DESTROY_IF(this->subject); DESTROY_IF(this->public_key); @@ -2187,10 +2187,9 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty; chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty; chunk_t ikeIntermediate = chunk_empty, msSmartcardLogon = chunk_empty; - chunk_t ipAddrBlocks = chunk_empty; + chunk_t ipAddrBlocks = chunk_empty, sig_scheme = chunk_empty; identification_t *issuer, *subject; chunk_t key_info; - signature_scheme_t scheme; hasher_t *hasher; enumerator_t *enumerator; char *uri; @@ -2223,18 +2222,28 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, cert->notAfter = cert->notBefore + 60 * 60 * 24 * 365; } - /* select signature scheme */ - cert->algorithm = hasher_signature_algorithm_to_oid(digest_alg, - sign_key->get_type(sign_key)); - if (cert->algorithm == OID_UNKNOWN) + /* select signature scheme, if not already specified */ + if (!cert->scheme) + { + INIT(cert->scheme, + .scheme = signature_scheme_from_oid( + hasher_signature_algorithm_to_oid(digest_alg, + sign_key->get_type(sign_key))), + ); + } + if (cert->scheme->scheme == SIGN_UNKNOWN) + { + return FALSE; + } + if (!signature_params_build(cert->scheme, &sig_scheme)) { return FALSE; } - scheme = signature_scheme_from_oid(cert->algorithm); if (!cert->public_key->get_encoding(cert->public_key, PUBKEY_SPKI_ASN1_DER, &key_info)) { + chunk_free(&sig_scheme); return FALSE; } @@ -2559,10 +2568,10 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, ipAddrBlocks)); } - cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm", + cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmccmcmm", asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2), asn1_integer("c", cert->serialNumber), - asn1_algorithmIdentifier(cert->algorithm), + sig_scheme, issuer->get_encoding(issuer), asn1_wrap(ASN1_SEQUENCE, "mm", asn1_from_time(&cert->notBefore, ASN1_UTCTIME), @@ -2570,12 +2579,14 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, subject->get_encoding(subject), key_info, extensions); - if (!sign_key->sign(sign_key, scheme, cert->tbsCertificate, &cert->signature)) + if (!sign_key->sign(sign_key, cert->scheme->scheme, cert->scheme->params, + cert->tbsCertificate, &cert->signature)) { + chunk_free(&sig_scheme); return FALSE; } cert->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm", cert->tbsCertificate, - asn1_algorithmIdentifier(cert->algorithm), + sig_scheme, asn1_bitstring("c", cert->signature)); hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); @@ -2639,7 +2650,7 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) private_x509_cert_t *cert; certificate_t *sign_cert = NULL; private_key_t *sign_key = NULL; - hash_algorithm_t digest_alg = HASH_SHA1; + hash_algorithm_t digest_alg = HASH_SHA256; u_int constraint; cert = create_empty(); @@ -2831,6 +2842,10 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) case BUILD_SERIAL: cert->serialNumber = chunk_clone(va_arg(args, chunk_t)); continue; + case BUILD_SIGNATURE_SCHEME: + cert->scheme = va_arg(args, signature_params_t*); + cert->scheme = signature_params_clone(cert->scheme); + continue; case BUILD_DIGEST_ALG: digest_alg = va_arg(args, int); continue; diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c index d8913ad73..699ac5a39 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.c +++ b/src/libstrongswan/plugins/x509/x509_crl.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2014-2017 Tobias Brunner * Copyright (C) 2008-2009 Martin Willi * Copyright (C) 2017 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil @@ -121,9 +122,9 @@ struct private_x509_crl_t { chunk_t baseCrlNumber; /** - * Signature algorithm + * Signature scheme */ - int algorithm; + signature_params_t *scheme; /** * Signature @@ -225,7 +226,7 @@ static bool parse(private_x509_crl_t *this) chunk_t extnID = chunk_empty; chunk_t userCertificate = chunk_empty; int objectID; - int sig_alg = OID_UNKNOWN; + signature_params_t sig_alg = {}; bool success = FALSE; bool critical = FALSE; revoked_t *revoked = NULL; @@ -246,7 +247,11 @@ static bool parse(private_x509_crl_t *this) DBG2(DBG_ASN, " v%d", this->version); break; case CRL_OBJ_SIG_ALG: - sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL); + if (!signature_params_parse(object, level, &sig_alg)) + { + DBG1(DBG_ASN, " unable to parse signature algorithm"); + goto end; + } break; case CRL_OBJ_ISSUER: this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object); @@ -342,8 +347,13 @@ static bool parse(private_x509_crl_t *this) } case CRL_OBJ_ALGORITHM: { - this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL); - if (this->algorithm != sig_alg) + INIT(this->scheme); + if (!signature_params_parse(object, level, this->scheme)) + { + DBG1(DBG_ASN, " unable to parse signature algorithm"); + goto end; + } + if (!signature_params_equal(this->scheme, &sig_alg)) { DBG1(DBG_ASN, " signature algorithms do not agree"); goto end; @@ -361,6 +371,7 @@ static bool parse(private_x509_crl_t *this) end: parser->destroy(parser); + signature_params_clear(&sig_alg); return success; } @@ -457,10 +468,10 @@ METHOD(certificate_t, has_issuer, id_match_t, } METHOD(certificate_t, issued_by, bool, - private_x509_crl_t *this, certificate_t *issuer, signature_scheme_t *schemep) + private_x509_crl_t *this, certificate_t *issuer, + signature_params_t **scheme) { public_key_t *key; - signature_scheme_t scheme; bool valid; x509_t *x509 = (x509_t*)issuer; chunk_t keyid = chunk_empty; @@ -492,21 +503,17 @@ METHOD(certificate_t, issued_by, bool, } } - scheme = signature_scheme_from_oid(this->algorithm); - if (scheme == SIGN_UNKNOWN) - { - return FALSE; - } key = issuer->get_public_key(issuer); if (!key) { return FALSE; } - valid = key->verify(key, scheme, this->tbsCertList, this->signature); + valid = key->verify(key, this->scheme->scheme, this->scheme->params, + this->tbsCertList, this->signature); key->destroy(key); - if (valid && schemep) + if (valid && scheme) { - *schemep = scheme; + *scheme = signature_params_clone(this->scheme); } return valid; } @@ -585,23 +592,15 @@ static void revoked_destroy(revoked_t *revoked) free(revoked); } -/** - * Destroy a CDP entry - */ -static void cdp_destroy(x509_cdp_t *this) -{ - free(this->uri); - DESTROY_IF(this->issuer); - free(this); -} - METHOD(certificate_t, destroy, void, private_x509_crl_t *this) { if (ref_put(&this->ref)) { this->revoked->destroy_function(this->revoked, (void*)revoked_destroy); - this->crl_uris->destroy_function(this->crl_uris, (void*)cdp_destroy); + this->crl_uris->destroy_function(this->crl_uris, + (void*)x509_cdp_destroy); + signature_params_destroy(this->scheme); DESTROY_IF(this->issuer); free(this->authKeyIdentifier.ptr); free(this->encoding.ptr); @@ -718,6 +717,7 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, { chunk_t extensions = chunk_empty, certList = chunk_empty, serial; chunk_t crlDistributionPoints = chunk_empty, baseCrlNumber = chunk_empty; + chunk_t sig_scheme = chunk_empty; enumerator_t *enumerator; crl_reason_t reason; time_t date; @@ -730,10 +730,20 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, this->authKeyIdentifier = chunk_clone(x509->get_subjectKeyIdentifier(x509)); - /* select signature scheme */ - this->algorithm = hasher_signature_algorithm_to_oid(digest_alg, - key->get_type(key)); - if (this->algorithm == OID_UNKNOWN) + /* select signature scheme, if not already specified */ + if (!this->scheme) + { + INIT(this->scheme, + .scheme = signature_scheme_from_oid( + hasher_signature_algorithm_to_oid(digest_alg, + key->get_type(key))), + ); + } + if (this->scheme->scheme == SIGN_UNKNOWN) + { + return FALSE; + } + if (!signature_params_build(this->scheme, &sig_scheme)) { return FALSE; } @@ -787,23 +797,24 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, asn1_integer("c", this->crlNumber))), crlDistributionPoints, baseCrlNumber)); - this->tbsCertList = asn1_wrap(ASN1_SEQUENCE, "cmcmmmm", + this->tbsCertList = asn1_wrap(ASN1_SEQUENCE, "cccmmmm", ASN1_INTEGER_1, - asn1_algorithmIdentifier(this->algorithm), + sig_scheme, this->issuer->get_encoding(this->issuer), asn1_from_time(&this->thisUpdate, ASN1_UTCTIME), asn1_from_time(&this->nextUpdate, ASN1_UTCTIME), asn1_wrap(ASN1_SEQUENCE, "m", certList), extensions); - if (!key->sign(key, signature_scheme_from_oid(this->algorithm), + if (!key->sign(key, this->scheme->scheme, this->scheme->params, this->tbsCertList, &this->signature)) { + chunk_free(&sig_scheme); return FALSE; } this->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm", this->tbsCertList, - asn1_algorithmIdentifier(this->algorithm), + sig_scheme, asn1_bitstring("c", this->signature)); return TRUE; } @@ -842,6 +853,10 @@ x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args) crl->crlNumber = va_arg(args, chunk_t); crl->crlNumber = chunk_clone(crl->crlNumber); continue; + case BUILD_SIGNATURE_SCHEME: + crl->scheme = va_arg(args, signature_params_t*); + crl->scheme = signature_params_clone(crl->scheme); + continue; case BUILD_DIGEST_ALG: digest_alg = va_arg(args, int); continue; diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c index aef76af32..de22ab6be 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c @@ -276,7 +276,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this, return chunk_empty; } - if (!this->key->sign(this->key, scheme, tbsRequest, &signature)) + if (!this->key->sign(this->key, scheme, NULL, tbsRequest, &signature)) { DBG1(DBG_LIB, "creating OCSP signature failed, skipped"); return chunk_empty; @@ -372,7 +372,7 @@ METHOD(certificate_t, has_issuer, id_match_t, METHOD(certificate_t, issued_by, bool, private_x509_ocsp_request_t *this, certificate_t *issuer, - signature_scheme_t *scheme) + signature_params_t **scheme) { DBG1(DBG_LIB, "OCSP request validation not implemented!"); return FALSE; diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c index 140e9bfa9..aa4999cbd 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c @@ -1,4 +1,5 @@ -/** +/* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2008-2009 Martin Willi * Copyright (C) 2007-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil @@ -63,9 +64,9 @@ struct private_x509_ocsp_response_t { chunk_t tbsResponseData; /** - * signature algorithm (OID) + * signature scheme */ - int signatureAlgorithm; + signature_params_t *scheme; /** * signature @@ -576,8 +577,13 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this, } break; case BASIC_RESPONSE_ALGORITHM: - this->signatureAlgorithm = asn1_parse_algorithmIdentifier(object, - parser->get_level(parser)+1, NULL); + INIT(this->scheme); + if (!signature_params_parse(object, parser->get_level(parser)+1, + this->scheme)) + { + DBG1(DBG_ASN, " unable to parse signature algorithm"); + goto end; + } break; case BASIC_RESPONSE_SIGNATURE: this->signature = chunk_skip(object, 1); @@ -703,10 +709,9 @@ METHOD(certificate_t, has_issuer, id_match_t, METHOD(certificate_t, issued_by, bool, private_x509_ocsp_response_t *this, certificate_t *issuer, - signature_scheme_t *schemep) + signature_params_t **scheme) { public_key_t *key; - signature_scheme_t scheme; bool valid; x509_t *x509 = (x509_t*)issuer; @@ -743,21 +748,17 @@ METHOD(certificate_t, issued_by, bool, return FALSE; } - /* get the public key of the issuer */ key = issuer->get_public_key(issuer); - - /* determine signature scheme */ - scheme = signature_scheme_from_oid(this->signatureAlgorithm); - - if (scheme == SIGN_UNKNOWN || key == NULL) + if (!key) { return FALSE; } - valid = key->verify(key, scheme, this->tbsResponseData, this->signature); + valid = key->verify(key, this->scheme->scheme, this->scheme->params, + this->tbsResponseData, this->signature); key->destroy(key); - if (valid && schemep) + if (valid && scheme) { - *schemep = scheme; + *scheme = signature_params_clone(this->scheme); } return valid; } @@ -839,6 +840,7 @@ METHOD(certificate_t, destroy, void, { this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy)); this->responses->destroy_function(this->responses, free); + signature_params_destroy(this->scheme); DESTROY_IF(this->responderId); free(this->encoding.ptr); free(this); @@ -879,7 +881,6 @@ static x509_ocsp_response_t *load(chunk_t blob) .producedAt = UNDEFINED_TIME, .usableUntil = UNDEFINED_TIME, .responses = linked_list_create(), - .signatureAlgorithm = OID_UNKNOWN, .certs = linked_list_create(), ); diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c index e39e24bff..587fbd5d6 100644 --- a/src/libstrongswan/plugins/x509/x509_pkcs10.c +++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c @@ -72,9 +72,9 @@ struct private_x509_pkcs10_t { chunk_t challengePassword; /** - * Signature algorithm + * Signature scheme */ - int algorithm; + signature_params_t *scheme; /** * Signature @@ -124,10 +124,9 @@ METHOD(certificate_t, has_subject, id_match_t, METHOD(certificate_t, issued_by, bool, private_x509_pkcs10_t *this, certificate_t *issuer, - signature_scheme_t *schemep) + signature_params_t **scheme) { public_key_t *key; - signature_scheme_t scheme; bool valid; if (&this->public.interface.interface != issuer) @@ -136,27 +135,22 @@ METHOD(certificate_t, issued_by, bool, } if (this->self_signed) { - return TRUE; + valid = TRUE; } - - /* determine signature scheme */ - scheme = signature_scheme_from_oid(this->algorithm); - if (scheme == SIGN_UNKNOWN) + else { - return FALSE; - } - - /* get the public key contained in the certificate request */ - key = this->public_key; - if (!key) - { - return FALSE; + /* get the public key contained in the certificate request */ + key = this->public_key; + if (!key) + { + return FALSE; + } + valid = key->verify(key, this->scheme->scheme, this->scheme->params, + this->certificationRequestInfo, this->signature); } - valid = key->verify(key, scheme, this->certificationRequestInfo, - this->signature); - if (valid && schemep) + if (valid && scheme) { - *schemep = scheme; + *scheme = signature_params_clone(this->scheme); } return valid; } @@ -410,7 +404,7 @@ static bool parse_certificate_request(private_x509_pkcs10_t *this) case PKCS10_SUBJECT_PUBLIC_KEY_INFO: this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END); - if (this->public_key == NULL) + if (!this->public_key) { goto end; } @@ -438,7 +432,12 @@ static bool parse_certificate_request(private_x509_pkcs10_t *this) } break; case PKCS10_ALGORITHM: - this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL); + INIT(this->scheme); + if (!signature_params_parse(object, level, this->scheme)) + { + DBG1(DBG_ASN, " unable to parse signature algorithm"); + goto end; + } break; case PKCS10_SIGNATURE: this->signature = chunk_skip(object, 1); @@ -474,6 +473,7 @@ METHOD(certificate_t, destroy, void, { this->subjectAltNames->destroy_offset(this->subjectAltNames, offsetof(identification_t, destroy)); + signature_params_destroy(this->scheme); DESTROY_IF(this->subject); DESTROY_IF(this->public_key); chunk_free(&this->encoding); @@ -530,25 +530,34 @@ static bool generate(private_x509_pkcs10_t *cert, private_key_t *sign_key, { chunk_t key_info, subjectAltNames, attributes; chunk_t extensionRequest = chunk_empty; - chunk_t challengePassword = chunk_empty; - signature_scheme_t scheme; + chunk_t challengePassword = chunk_empty, sig_scheme = chunk_empty; identification_t *subject; subject = cert->subject; cert->public_key = sign_key->get_public_key(sign_key); - /* select signature scheme */ - cert->algorithm = hasher_signature_algorithm_to_oid(digest_alg, - sign_key->get_type(sign_key)); - if (cert->algorithm == OID_UNKNOWN) + /* select signature scheme, if not already specified */ + if (!cert->scheme) + { + INIT(cert->scheme, + .scheme = signature_scheme_from_oid( + hasher_signature_algorithm_to_oid(digest_alg, + sign_key->get_type(sign_key))), + ); + } + if (cert->scheme->scheme == SIGN_UNKNOWN) + { + return FALSE; + } + if (!signature_params_build(cert->scheme, &sig_scheme)) { return FALSE; } - scheme = signature_scheme_from_oid(cert->algorithm); if (!cert->public_key->get_encoding(cert->public_key, PUBKEY_SPKI_ASN1_DER, &key_info)) { + chunk_free(&sig_scheme); return FALSE; } @@ -584,15 +593,16 @@ static bool generate(private_x509_pkcs10_t *cert, private_key_t *sign_key, key_info, attributes); - if (!sign_key->sign(sign_key, scheme, cert->certificationRequestInfo, - &cert->signature)) + if (!sign_key->sign(sign_key, cert->scheme->scheme, cert->scheme->params, + cert->certificationRequestInfo, &cert->signature)) { + chunk_free(&sig_scheme); return FALSE; } cert->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm", cert->certificationRequestInfo, - asn1_algorithmIdentifier(cert->algorithm), + sig_scheme, asn1_bitstring("c", cert->signature)); return TRUE; } @@ -674,6 +684,10 @@ x509_pkcs10_t *x509_pkcs10_gen(certificate_type_t type, va_list args) case BUILD_CHALLENGE_PWD: cert->challengePassword = chunk_clone(va_arg(args, chunk_t)); continue; + case BUILD_SIGNATURE_SCHEME: + cert->scheme = va_arg(args, signature_params_t*); + cert->scheme = signature_params_clone(cert->scheme); + continue; case BUILD_DIGEST_ALG: digest_alg = va_arg(args, int); continue; diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in index d5d47694f..3a39037bc 100644 --- a/src/libstrongswan/plugins/xcbc/Makefile.in +++ b/src/libstrongswan/plugins/xcbc/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c index df6066b19..4466e91eb 100644 --- a/src/libstrongswan/processing/watcher.c +++ b/src/libstrongswan/processing/watcher.c @@ -513,6 +513,7 @@ METHOD(watcher_t, remove_, void, private_watcher_t *this, int fd) { entry_t *entry, *prev = NULL; + bool found = FALSE; this->mutex->lock(this->mutex); while (TRUE) @@ -530,6 +531,7 @@ METHOD(watcher_t, remove_, void, break; } entry = remove_entry(this, entry, prev); + found = TRUE; continue; } prev = entry; @@ -541,8 +543,10 @@ METHOD(watcher_t, remove_, void, } this->condvar->wait(this->condvar, this->mutex); } - - update(this); + if (found) + { + update(this); + } this->mutex->unlock(this->mutex); } diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c index 0653b955b..12f160224 100644 --- a/src/libstrongswan/selectors/traffic_selector.c +++ b/src/libstrongswan/selectors/traffic_selector.c @@ -25,6 +25,10 @@ #include <utils/identification.h> #include <collections/linked_list.h> +#define IPV4_LEN 4 +#define IPV6_LEN 16 +#define TS_IP_LEN(this) ({ ((this)->type == TS_IPV4_ADDR_RANGE) ? IPV4_LEN : IPV6_LEN; }) + #define NON_SUBNET_ADDRESS_RANGE 255 ENUM(ts_type_name, TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE, @@ -68,26 +72,12 @@ struct private_traffic_selector_t { /** * begin of address range, network order */ - union { - /** dummy char for common address manipulation */ - char from[0]; - /** IPv4 address */ - uint32_t from4[1]; - /** IPv6 address */ - uint32_t from6[4]; - }; + char from[IPV6_LEN]; /** * end of address range, network order */ - union { - /** dummy char for common address manipulation */ - char to[0]; - /** IPv4 address */ - uint32_t to4[1]; - /** IPv6 address */ - uint32_t to6[4]; - }; + char to[IPV6_LEN]; /** * begin of port range @@ -111,7 +101,7 @@ static void calc_range(private_traffic_selector_t *this, uint8_t netbits) this->netbits = netbits; - len = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16; + len = TS_IP_LEN(this); bytes = (netbits + 7)/8; bits = (bytes * 8) - netbits; mask = bits ? (1 << bits) - 1 : 0; @@ -130,7 +120,7 @@ static uint8_t calc_netbits(private_traffic_selector_t *this) { int byte, bit; uint8_t netbits; - size_t size = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16; + size_t size = TS_IP_LEN(this); bool prefix = TRUE; /* a perfect match results in a single address with a /32 or /128 netmask */ @@ -221,8 +211,8 @@ int traffic_selector_printf_hook(printf_hook_data_t *data, char to_str[INET6_ADDRSTRLEN] = ""; char *serv_proto = NULL, *sep = ""; bool has_proto, has_ports; - size_t written = 0; - uint32_t from[4], to[4]; + size_t written = 0, len; + char from[IPV6_LEN], to[IPV6_LEN]; if (this == NULL) { @@ -241,11 +231,11 @@ int traffic_selector_printf_hook(printf_hook_data_t *data, return written; } - memset(from, 0, sizeof(from)); - memset(to, 0xFF, sizeof(to)); + len = TS_IP_LEN(this); + memset(from, 0, len); + memset(to, 0xFF, len); if (this->dynamic && - memeq(this->from, from, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16) && - memeq(this->to, to, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16)) + memeq(this->from, from, len) && memeq(this->to, to, len)) { written += print_in_hook(data, "dynamic"); } @@ -253,21 +243,21 @@ int traffic_selector_printf_hook(printf_hook_data_t *data, { if (this->type == TS_IPV4_ADDR_RANGE) { - inet_ntop(AF_INET, &this->from4, from_str, sizeof(from_str)); + inet_ntop(AF_INET, &this->from, from_str, sizeof(from_str)); } else { - inet_ntop(AF_INET6, &this->from6, from_str, sizeof(from_str)); + inet_ntop(AF_INET6, &this->from, from_str, sizeof(from_str)); } if (this->netbits == NON_SUBNET_ADDRESS_RANGE) { if (this->type == TS_IPV4_ADDR_RANGE) { - inet_ntop(AF_INET, &this->to4, to_str, sizeof(to_str)); + inet_ntop(AF_INET, &this->to, to_str, sizeof(to_str)); } else { - inet_ntop(AF_INET6, &this->to6, to_str, sizeof(to_str)); + inet_ntop(AF_INET6, &this->to, to_str, sizeof(to_str)); } written += print_in_hook(data, "%s..%s", from_str, to_str); } @@ -377,17 +367,6 @@ METHOD(traffic_selector_t, get_subset, traffic_selector_t*, { return NULL; } - switch (this->type) - { - case TS_IPV4_ADDR_RANGE: - size = sizeof(this->from4); - break; - case TS_IPV6_ADDR_RANGE: - size = sizeof(this->from6); - break; - default: - return NULL; - } if (this->protocol != other->protocol && this->protocol != 0 && other->protocol != 0) @@ -414,6 +393,7 @@ METHOD(traffic_selector_t, get_subset, traffic_selector_t*, return NULL; } } + size = TS_IP_LEN(this); /* get higher from-address */ if (memcmp(this->from, other->from, size) > 0) { @@ -456,29 +436,13 @@ METHOD(traffic_selector_t, equals, bool, METHOD(traffic_selector_t, get_from_address, chunk_t, private_traffic_selector_t *this) { - switch (this->type) - { - case TS_IPV4_ADDR_RANGE: - return chunk_create(this->from, sizeof(this->from4)); - case TS_IPV6_ADDR_RANGE: - return chunk_create(this->from, sizeof(this->from6)); - default: - return chunk_empty; - } + return chunk_create(this->from, TS_IP_LEN(this)); } METHOD(traffic_selector_t, get_to_address, chunk_t, private_traffic_selector_t *this) { - switch (this->type) - { - case TS_IPV4_ADDR_RANGE: - return chunk_create(this->to, sizeof(this->to4)); - case TS_IPV6_ADDR_RANGE: - return chunk_create(this->to, sizeof(this->to6)); - default: - return chunk_empty; - } + return chunk_create(this->to, TS_IP_LEN(this)); } METHOD(traffic_selector_t, get_from_port, uint16_t, @@ -526,7 +490,7 @@ METHOD(traffic_selector_t, is_host, bool, } else { - size_t length = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16; + size_t length = TS_IP_LEN(this); if (this->dynamic) { @@ -555,8 +519,8 @@ METHOD(traffic_selector_t, set_address, void, if (host->is_anyaddr(host)) { - memset(this->from6, 0x00, sizeof(this->from6)); - memset(this->to6, 0xFF, sizeof(this->to6)); + memset(this->from, 0x00, sizeof(this->from)); + memset(this->to, 0xFF, sizeof(this->to)); this->netbits = 0; } else @@ -624,11 +588,11 @@ METHOD(traffic_selector_t, to_subnet, bool, { case TS_IPV4_ADDR_RANGE: family = AF_INET; - net_chunk.len = sizeof(this->from4); + net_chunk.len = IPV4_LEN; break; case TS_IPV6_ADDR_RANGE: family = AF_INET6; - net_chunk.len = sizeof(this->from6); + net_chunk.len = IPV6_LEN; break; default: /* unreachable */ @@ -659,26 +623,16 @@ METHOD(traffic_selector_t, clone_, traffic_selector_t*, private_traffic_selector_t *this) { private_traffic_selector_t *clone; + size_t len = TS_IP_LEN(this); clone = traffic_selector_create(this->protocol, this->type, this->from_port, this->to_port); clone->netbits = this->netbits; clone->dynamic = this->dynamic; - switch (clone->type) - { - case TS_IPV4_ADDR_RANGE: - memcpy(clone->from4, this->from4, sizeof(this->from4)); - memcpy(clone->to4, this->to4, sizeof(this->to4)); - return &clone->public; - case TS_IPV6_ADDR_RANGE: - memcpy(clone->from6, this->from6, sizeof(this->from6)); - memcpy(clone->to6, this->to6, sizeof(this->to6)); - return &clone->public; - default: - /* unreachable */ - return &clone->public; - } + memcpy(clone->from, this->from, len); + memcpy(clone->to, this->to, len); + return &clone->public; } METHOD(traffic_selector_t, hash, u_int, @@ -713,6 +667,7 @@ int traffic_selector_cmp(traffic_selector_t *a_pub, traffic_selector_t *b_pub, void *opts) { private_traffic_selector_t *a, *b; + size_t len; int res; a = (private_traffic_selector_t*)a_pub; @@ -724,36 +679,18 @@ int traffic_selector_cmp(traffic_selector_t *a_pub, traffic_selector_t *b_pub, { return res; } - switch (a->type) + len = TS_IP_LEN(a); + /* lower starting subnets first */ + res = memcmp(a->from, b->from, len); + if (res) { - case TS_IPV4_ADDR_RANGE: - /* lower starting subnets first */ - res = memcmp(a->from4, b->from4, sizeof(a->from4)); - if (res) - { - return res; - } - /* larger subnets first */ - res = memcmp(b->to4, a->to4, sizeof(a->to4)); - if (res) - { - return res; - } - break; - case TS_IPV6_ADDR_RANGE: - res = memcmp(a->from6, b->from6, sizeof(a->from6)); - if (res) - { - return res; - } - res = memcmp(b->to6, a->to6, sizeof(a->to6)); - if (res) - { - return res; - } - break; - default: - return 1; + return res; + } + /* larger subnets first */ + res = memcmp(b->to, a->to, len); + if (res) + { + return res; } /* lower protocols first */ res = compare_int(a->protocol, b->protocol); @@ -782,32 +719,19 @@ traffic_selector_t *traffic_selector_create_from_bytes(uint8_t protocol, private_traffic_selector_t *this = traffic_selector_create(protocol, type, from_port, to_port); - switch (type) + if (!this) { - case TS_IPV4_ADDR_RANGE: - if (from.len != 4 || to.len != 4) - { - free(this); - return NULL; - } - memcpy(this->from4, from.ptr, from.len); - memcpy(this->to4, to.ptr, to.len); - break; - case TS_IPV6_ADDR_RANGE: - if (from.len != 16 || to.len != 16) - { - free(this); - return NULL; - } - memcpy(this->from6, from.ptr, from.len); - memcpy(this->to6, to.ptr, to.len); - break; - default: - free(this); - return NULL; + return NULL; } + if (from.len != to.len || from.len != TS_IP_LEN(this)) + { + free(this); + return NULL; + } + memcpy(this->from, from.ptr, from.len); + memcpy(this->to, to.ptr, to.len); calc_netbits(this); - return (&this->public); + return &this->public; } /* @@ -816,21 +740,15 @@ traffic_selector_t *traffic_selector_create_from_bytes(uint8_t protocol, traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type, chunk_t from, chunk_t to) { - size_t len; private_traffic_selector_t *this = traffic_selector_create(0, type, 0, 65535); + size_t len; - switch (type) + if (!this) { - case TS_IPV4_ADDR_RANGE: - len = 4; - break; - case TS_IPV6_ADDR_RANGE: - len = 16; - break; - default: - free(this); - return NULL; + return NULL; } + len = TS_IP_LEN(this); + memset(this->from, 0x00, len); memset(this->to , 0xff, len); @@ -846,7 +764,7 @@ traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type, this->to[to.len-2] |= mask; } calc_netbits(this); - return (&this->public); + return &this->public; } /* @@ -857,29 +775,29 @@ traffic_selector_t *traffic_selector_create_from_subnet(host_t *net, uint16_t from_port, uint16_t to_port) { private_traffic_selector_t *this; + ts_type_t type; chunk_t from; - this = traffic_selector_create(protocol, 0, from_port, to_port); - switch (net->get_family(net)) { case AF_INET: - this->type = TS_IPV4_ADDR_RANGE; + type = TS_IPV4_ADDR_RANGE; break; case AF_INET6: - this->type = TS_IPV6_ADDR_RANGE; + type = TS_IPV6_ADDR_RANGE; break; default: net->destroy(net); - free(this); return NULL; } + + this = traffic_selector_create(protocol, type, from_port, to_port); + from = net->get_address(net); memcpy(this->from, from.ptr, from.len); - netbits = min(netbits, this->type == TS_IPV4_ADDR_RANGE ? 32 : 128); + netbits = min(netbits, TS_IP_LEN(this) * 8); calc_range(this, netbits); net->destroy(net); - return &this->public; } @@ -914,7 +832,6 @@ traffic_selector_t *traffic_selector_create_from_string( free(this); return NULL; } - calc_netbits(this); return &this->public; } @@ -947,8 +864,8 @@ traffic_selector_t *traffic_selector_create_dynamic(uint8_t protocol, private_traffic_selector_t *this = traffic_selector_create( protocol, TS_IPV4_ADDR_RANGE, from_port, to_port); - memset(this->from6, 0, sizeof(this->from6)); - memset(this->to6, 0xFF, sizeof(this->to6)); + memset(this->from, 0, sizeof(this->from)); + memset(this->to, 0xFF, sizeof(this->to)); this->netbits = 0; this->dynamic = TRUE; @@ -963,6 +880,12 @@ static private_traffic_selector_t *traffic_selector_create(uint8_t protocol, { private_traffic_selector_t *this; + /* sanity check */ + if (type != TS_IPV4_ADDR_RANGE && type != TS_IPV6_ADDR_RANGE) + { + return NULL; + } + INIT(this, .public = { .get_subset = _get_subset, diff --git a/src/libstrongswan/settings/settings.c b/src/libstrongswan/settings/settings.c index 2a92d523b..c618d8837 100644 --- a/src/libstrongswan/settings/settings.c +++ b/src/libstrongswan/settings/settings.c @@ -494,11 +494,12 @@ inline bool settings_value_as_bool(char *value, bool def) } METHOD(settings_t, get_bool, bool, - private_settings_t *this, char *key, bool def, ...) + private_settings_t *this, char *key, int def, ...) { char *value; va_list args; + /* we can't use bool for def due to this call */ va_start(args, def); value = find_value(this, this->top, key, args); va_end(args); @@ -604,41 +605,11 @@ METHOD(settings_t, get_double, double, */ inline uint32_t settings_value_as_time(char *value, uint32_t def) { - char *endptr; - uint32_t timeval; - if (value) + time_t val; + + if (timespan_from_string(value, NULL, &val)) { - errno = 0; - timeval = strtoul(value, &endptr, 10); - if (endptr == value) - { - return def; - } - if (errno == 0) - { - while (isspace(*endptr)) - { - endptr++; - } - switch (*endptr) - { - case 'd': /* time in days */ - timeval *= 24 * 3600; - break; - case 'h': /* time in hours */ - timeval *= 3600; - break; - case 'm': /* time in minutes */ - timeval *= 60; - break; - case 's': /* time in seconds */ - case '\0': - break; - default: - return def; - } - return timeval; - } + return val; } return def; } @@ -665,9 +636,10 @@ METHOD(settings_t, set_str, void, } METHOD(settings_t, set_bool, void, - private_settings_t *this, char *key, bool value, ...) + private_settings_t *this, char *key, int value, ...) { va_list args; + /* we can't use bool for value due to this call */ va_start(args, value); set_value(this, this->top, key, args, value ? "1" : "0"); va_end(args); diff --git a/src/libstrongswan/settings/settings.h b/src/libstrongswan/settings/settings.h index eec5ece6c..28cde4876 100644 --- a/src/libstrongswan/settings/settings.h +++ b/src/libstrongswan/settings/settings.h @@ -173,7 +173,7 @@ struct settings_t { * @param ... argument list for key * @return value of the key */ - bool (*get_bool)(settings_t *this, char *key, bool def, ...); + bool (*get_bool)(settings_t *this, char *key, int def, ...); /** * Get an integer value. @@ -221,7 +221,7 @@ struct settings_t { * @param value value to set * @param ... argument list for key */ - void (*set_bool)(settings_t *this, char *key, bool value, ...); + void (*set_bool)(settings_t *this, char *key, int value, ...); /** * Set an integer value. diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am index 0231c1c14..07f5eb5f2 100644 --- a/src/libstrongswan/tests/Makefile.am +++ b/src/libstrongswan/tests/Makefile.am @@ -15,11 +15,11 @@ libtest_la_LIBADD = \ $(PTHREADLIB) $(ATOMICLIB) -TESTS = tests +TESTS = libstrongswan_tests check_PROGRAMS = $(TESTS) -tests_SOURCES = tests.h tests.c \ +libstrongswan_tests_SOURCES = tests.h tests.c \ suites/test_linked_list.c \ suites/test_enumerator.c \ suites/test_linked_list_enumerator.c \ @@ -56,16 +56,17 @@ tests_SOURCES = tests.h tests.c \ suites/test_test_rng.c \ suites/test_mgf1.c \ suites/test_ntru.c \ - suites/test_ed25519.c + suites/test_ed25519.c \ + suites/test_signature_params.c -tests_CFLAGS = \ +libstrongswan_tests_CFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libstrongswan/tests \ -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ -DPLUGINS=\""${s_plugins}\"" \ @COVERAGE_CFLAGS@ -tests_LDFLAGS = @COVERAGE_LDFLAGS@ -tests_LDADD = \ +libstrongswan_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +libstrongswan_tests_LDADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ libtest.la diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in index ce0ad3772..f8f8ce83e 100644 --- a/src/libstrongswan/tests/Makefile.in +++ b/src/libstrongswan/tests/Makefile.in @@ -87,7 +87,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -TESTS = tests$(EXEEXT) +TESTS = libstrongswan_tests$(EXEEXT) check_PROGRAMS = $(am__EXEEXT_1) subdir = src/libstrongswan/tests ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -123,51 +123,53 @@ am__v_lt_1 = libtest_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(libtest_la_CFLAGS) \ $(CFLAGS) $(libtest_la_LDFLAGS) $(LDFLAGS) -o $@ -am__EXEEXT_1 = tests$(EXEEXT) -am_tests_OBJECTS = tests-tests.$(OBJEXT) \ - suites/tests-test_linked_list.$(OBJEXT) \ - suites/tests-test_enumerator.$(OBJEXT) \ - suites/tests-test_linked_list_enumerator.$(OBJEXT) \ - suites/tests-test_bio_reader.$(OBJEXT) \ - suites/tests-test_bio_writer.$(OBJEXT) \ - suites/tests-test_chunk.$(OBJEXT) \ - suites/tests-test_enum.$(OBJEXT) \ - suites/tests-test_hashtable.$(OBJEXT) \ - suites/tests-test_identification.$(OBJEXT) \ - suites/tests-test_traffic_selector.$(OBJEXT) \ - suites/tests-test_threading.$(OBJEXT) \ - suites/tests-test_process.$(OBJEXT) \ - suites/tests-test_watcher.$(OBJEXT) \ - suites/tests-test_stream.$(OBJEXT) \ - suites/tests-test_fetch_http.$(OBJEXT) \ - suites/tests-test_utils.$(OBJEXT) \ - suites/tests-test_settings.$(OBJEXT) \ - suites/tests-test_vectors.$(OBJEXT) \ - suites/tests-test_array.$(OBJEXT) \ - suites/tests-test_ecdsa.$(OBJEXT) \ - suites/tests-test_rsa.$(OBJEXT) \ - suites/tests-test_certpolicy.$(OBJEXT) \ - suites/tests-test_certnames.$(OBJEXT) \ - suites/tests-test_host.$(OBJEXT) \ - suites/tests-test_auth_cfg.$(OBJEXT) \ - suites/tests-test_hasher.$(OBJEXT) \ - suites/tests-test_crypter.$(OBJEXT) \ - suites/tests-test_crypto_factory.$(OBJEXT) \ - suites/tests-test_iv_gen.$(OBJEXT) \ - suites/tests-test_pen.$(OBJEXT) \ - suites/tests-test_asn1.$(OBJEXT) \ - suites/tests-test_asn1_parser.$(OBJEXT) \ - suites/tests-test_printf.$(OBJEXT) \ - suites/tests-test_test_rng.$(OBJEXT) \ - suites/tests-test_mgf1.$(OBJEXT) \ - suites/tests-test_ntru.$(OBJEXT) \ - suites/tests-test_ed25519.$(OBJEXT) -tests_OBJECTS = $(am_tests_OBJECTS) -tests_DEPENDENCIES = \ +am__EXEEXT_1 = libstrongswan_tests$(EXEEXT) +am_libstrongswan_tests_OBJECTS = libstrongswan_tests-tests.$(OBJEXT) \ + suites/libstrongswan_tests-test_linked_list.$(OBJEXT) \ + suites/libstrongswan_tests-test_enumerator.$(OBJEXT) \ + suites/libstrongswan_tests-test_linked_list_enumerator.$(OBJEXT) \ + suites/libstrongswan_tests-test_bio_reader.$(OBJEXT) \ + suites/libstrongswan_tests-test_bio_writer.$(OBJEXT) \ + suites/libstrongswan_tests-test_chunk.$(OBJEXT) \ + suites/libstrongswan_tests-test_enum.$(OBJEXT) \ + suites/libstrongswan_tests-test_hashtable.$(OBJEXT) \ + suites/libstrongswan_tests-test_identification.$(OBJEXT) \ + suites/libstrongswan_tests-test_traffic_selector.$(OBJEXT) \ + suites/libstrongswan_tests-test_threading.$(OBJEXT) \ + suites/libstrongswan_tests-test_process.$(OBJEXT) \ + suites/libstrongswan_tests-test_watcher.$(OBJEXT) \ + suites/libstrongswan_tests-test_stream.$(OBJEXT) \ + suites/libstrongswan_tests-test_fetch_http.$(OBJEXT) \ + suites/libstrongswan_tests-test_utils.$(OBJEXT) \ + suites/libstrongswan_tests-test_settings.$(OBJEXT) \ + suites/libstrongswan_tests-test_vectors.$(OBJEXT) \ + suites/libstrongswan_tests-test_array.$(OBJEXT) \ + suites/libstrongswan_tests-test_ecdsa.$(OBJEXT) \ + suites/libstrongswan_tests-test_rsa.$(OBJEXT) \ + suites/libstrongswan_tests-test_certpolicy.$(OBJEXT) \ + suites/libstrongswan_tests-test_certnames.$(OBJEXT) \ + suites/libstrongswan_tests-test_host.$(OBJEXT) \ + suites/libstrongswan_tests-test_auth_cfg.$(OBJEXT) \ + suites/libstrongswan_tests-test_hasher.$(OBJEXT) \ + suites/libstrongswan_tests-test_crypter.$(OBJEXT) \ + suites/libstrongswan_tests-test_crypto_factory.$(OBJEXT) \ + suites/libstrongswan_tests-test_iv_gen.$(OBJEXT) \ + suites/libstrongswan_tests-test_pen.$(OBJEXT) \ + suites/libstrongswan_tests-test_asn1.$(OBJEXT) \ + suites/libstrongswan_tests-test_asn1_parser.$(OBJEXT) \ + suites/libstrongswan_tests-test_printf.$(OBJEXT) \ + suites/libstrongswan_tests-test_test_rng.$(OBJEXT) \ + suites/libstrongswan_tests-test_mgf1.$(OBJEXT) \ + suites/libstrongswan_tests-test_ntru.$(OBJEXT) \ + suites/libstrongswan_tests-test_ed25519.$(OBJEXT) \ + suites/libstrongswan_tests-test_signature_params.$(OBJEXT) +libstrongswan_tests_OBJECTS = $(am_libstrongswan_tests_OBJECTS) +libstrongswan_tests_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la libtest.la -tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(tests_CFLAGS) $(CFLAGS) \ - $(tests_LDFLAGS) $(LDFLAGS) -o $@ +libstrongswan_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libstrongswan_tests_CFLAGS) $(CFLAGS) \ + $(libstrongswan_tests_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -202,8 +204,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(libtest_la_SOURCES) $(tests_SOURCES) -DIST_SOURCES = $(libtest_la_SOURCES) $(tests_SOURCES) +SOURCES = $(libtest_la_SOURCES) $(libstrongswan_tests_SOURCES) +DIST_SOURCES = $(libtest_la_SOURCES) $(libstrongswan_tests_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -285,9 +287,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -503,7 +507,7 @@ libtest_la_LIBADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(PTHREADLIB) $(ATOMICLIB) -tests_SOURCES = tests.h tests.c \ +libstrongswan_tests_SOURCES = tests.h tests.c \ suites/test_linked_list.c \ suites/test_enumerator.c \ suites/test_linked_list_enumerator.c \ @@ -540,17 +544,18 @@ tests_SOURCES = tests.h tests.c \ suites/test_test_rng.c \ suites/test_mgf1.c \ suites/test_ntru.c \ - suites/test_ed25519.c + suites/test_ed25519.c \ + suites/test_signature_params.c -tests_CFLAGS = \ +libstrongswan_tests_CFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libstrongswan/tests \ -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ -DPLUGINS=\""${s_plugins}\"" \ @COVERAGE_CFLAGS@ -tests_LDFLAGS = @COVERAGE_LDFLAGS@ -tests_LDADD = \ +libstrongswan_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +libstrongswan_tests_LDADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ libtest.la @@ -624,84 +629,86 @@ suites/$(am__dirstamp): suites/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) suites/$(DEPDIR) @: > suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_linked_list.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_enumerator.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_linked_list_enumerator.$(OBJEXT): \ +suites/libstrongswan_tests-test_linked_list.$(OBJEXT): \ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_bio_reader.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_bio_writer.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_chunk.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_enum.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_hashtable.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_identification.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_traffic_selector.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_threading.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_process.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_watcher.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_stream.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_fetch_http.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_utils.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_settings.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_vectors.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_array.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_ecdsa.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_rsa.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_certpolicy.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_certnames.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_host.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_auth_cfg.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_hasher.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_crypter.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_crypto_factory.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_iv_gen.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_pen.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_asn1.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_asn1_parser.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_printf.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_test_rng.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_mgf1.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_ntru.$(OBJEXT): suites/$(am__dirstamp) \ +suites/libstrongswan_tests-test_enumerator.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_linked_list_enumerator.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_bio_reader.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_bio_writer.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_chunk.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_enum.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_hashtable.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_identification.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_traffic_selector.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_threading.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_process.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_watcher.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_stream.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_fetch_http.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_utils.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_settings.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_vectors.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_array.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_ecdsa.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_rsa.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_ed25519.$(OBJEXT): suites/$(am__dirstamp) \ +suites/libstrongswan_tests-test_certpolicy.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_certnames.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_host.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_auth_cfg.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_hasher.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_crypter.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_crypto_factory.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_iv_gen.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_pen.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_asn1.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_asn1_parser.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_printf.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_test_rng.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_mgf1.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_ntru.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_ed25519.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_signature_params.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) -tests$(EXEEXT): $(tests_OBJECTS) $(tests_DEPENDENCIES) $(EXTRA_tests_DEPENDENCIES) - @rm -f tests$(EXEEXT) - $(AM_V_CCLD)$(tests_LINK) $(tests_OBJECTS) $(tests_LDADD) $(LIBS) +libstrongswan_tests$(EXEEXT): $(libstrongswan_tests_OBJECTS) $(libstrongswan_tests_DEPENDENCIES) $(EXTRA_libstrongswan_tests_DEPENDENCIES) + @rm -f libstrongswan_tests$(EXEEXT) + $(AM_V_CCLD)$(libstrongswan_tests_LINK) $(libstrongswan_tests_OBJECTS) $(libstrongswan_tests_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -712,46 +719,47 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libstrongswan_tests-tests.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtest_la-test_runner.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtest_la-test_suite.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tests-tests.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_array.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_asn1.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_asn1_parser.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_auth_cfg.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_reader.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_writer.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_certnames.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_certpolicy.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_chunk.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_crypter.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_crypto_factory.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_ecdsa.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_ed25519.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_enum.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_enumerator.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_fetch_http.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_hasher.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_hashtable.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_host.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_identification.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_iv_gen.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_mgf1.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_ntru.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_pen.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_printf.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_process.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_rsa.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_settings.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_stream.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_test_rng.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_threading.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_traffic_selector.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_utils.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_vectors.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_watcher.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_array.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_asn1.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_asn1_parser.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_auth_cfg.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_bio_reader.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_bio_writer.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_certnames.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_certpolicy.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_chunk.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_crypter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_ecdsa.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_ed25519.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_enum.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_enumerator.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_fetch_http.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_hasher.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_hashtable.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_host.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_identification.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_iv_gen.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_linked_list.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_linked_list_enumerator.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_mgf1.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_ntru.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_pen.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_printf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_process.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_settings.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_stream.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_test_rng.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_threading.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_traffic_selector.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_vectors.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_watcher.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/libtest_la-test_rng.Plo@am__quote@ .c.o: @@ -799,537 +807,551 @@ utils/libtest_la-test_rng.lo: utils/test_rng.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o utils/libtest_la-test_rng.lo `test -f 'utils/test_rng.c' || echo '$(srcdir)/'`utils/test_rng.c -tests-tests.o: tests.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-tests.o -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='tests-tests.o' libtool=no @AMDEPBACKSLASH@ +libstrongswan_tests-tests.o: tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT libstrongswan_tests-tests.o -MD -MP -MF $(DEPDIR)/libstrongswan_tests-tests.Tpo -c -o libstrongswan_tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libstrongswan_tests-tests.Tpo $(DEPDIR)/libstrongswan_tests-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='libstrongswan_tests-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o libstrongswan_tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c + +libstrongswan_tests-tests.obj: tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT libstrongswan_tests-tests.obj -MD -MP -MF $(DEPDIR)/libstrongswan_tests-tests.Tpo -c -o libstrongswan_tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libstrongswan_tests-tests.Tpo $(DEPDIR)/libstrongswan_tests-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='libstrongswan_tests-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o libstrongswan_tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` + +suites/libstrongswan_tests-test_linked_list.o: suites/test_linked_list.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_linked_list.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_linked_list.Tpo -c -o suites/libstrongswan_tests-test_linked_list.o `test -f 'suites/test_linked_list.c' || echo '$(srcdir)/'`suites/test_linked_list.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_linked_list.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_linked_list.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list.c' object='suites/libstrongswan_tests-test_linked_list.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_linked_list.o `test -f 'suites/test_linked_list.c' || echo '$(srcdir)/'`suites/test_linked_list.c -tests-tests.obj: tests.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-tests.obj -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='tests-tests.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_linked_list.obj: suites/test_linked_list.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_linked_list.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_linked_list.Tpo -c -o suites/libstrongswan_tests-test_linked_list.obj `if test -f 'suites/test_linked_list.c'; then $(CYGPATH_W) 'suites/test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_linked_list.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_linked_list.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list.c' object='suites/libstrongswan_tests-test_linked_list.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_linked_list.obj `if test -f 'suites/test_linked_list.c'; then $(CYGPATH_W) 'suites/test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list.c'; fi` -suites/tests-test_linked_list.o: suites/test_linked_list.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_linked_list.o -MD -MP -MF suites/$(DEPDIR)/tests-test_linked_list.Tpo -c -o suites/tests-test_linked_list.o `test -f 'suites/test_linked_list.c' || echo '$(srcdir)/'`suites/test_linked_list.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_linked_list.Tpo suites/$(DEPDIR)/tests-test_linked_list.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list.c' object='suites/tests-test_linked_list.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_enumerator.o: suites/test_enumerator.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_enumerator.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_enumerator.Tpo -c -o suites/libstrongswan_tests-test_enumerator.o `test -f 'suites/test_enumerator.c' || echo '$(srcdir)/'`suites/test_enumerator.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_enumerator.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_enumerator.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enumerator.c' object='suites/libstrongswan_tests-test_enumerator.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_linked_list.o `test -f 'suites/test_linked_list.c' || echo '$(srcdir)/'`suites/test_linked_list.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_enumerator.o `test -f 'suites/test_enumerator.c' || echo '$(srcdir)/'`suites/test_enumerator.c -suites/tests-test_linked_list.obj: suites/test_linked_list.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_linked_list.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_linked_list.Tpo -c -o suites/tests-test_linked_list.obj `if test -f 'suites/test_linked_list.c'; then $(CYGPATH_W) 'suites/test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_linked_list.Tpo suites/$(DEPDIR)/tests-test_linked_list.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list.c' object='suites/tests-test_linked_list.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_enumerator.obj: suites/test_enumerator.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_enumerator.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_enumerator.Tpo -c -o suites/libstrongswan_tests-test_enumerator.obj `if test -f 'suites/test_enumerator.c'; then $(CYGPATH_W) 'suites/test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enumerator.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_enumerator.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_enumerator.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enumerator.c' object='suites/libstrongswan_tests-test_enumerator.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_linked_list.obj `if test -f 'suites/test_linked_list.c'; then $(CYGPATH_W) 'suites/test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_enumerator.obj `if test -f 'suites/test_enumerator.c'; then $(CYGPATH_W) 'suites/test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enumerator.c'; fi` -suites/tests-test_enumerator.o: suites/test_enumerator.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_enumerator.o -MD -MP -MF suites/$(DEPDIR)/tests-test_enumerator.Tpo -c -o suites/tests-test_enumerator.o `test -f 'suites/test_enumerator.c' || echo '$(srcdir)/'`suites/test_enumerator.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_enumerator.Tpo suites/$(DEPDIR)/tests-test_enumerator.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enumerator.c' object='suites/tests-test_enumerator.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_linked_list_enumerator.o: suites/test_linked_list_enumerator.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_linked_list_enumerator.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_linked_list_enumerator.Tpo -c -o suites/libstrongswan_tests-test_linked_list_enumerator.o `test -f 'suites/test_linked_list_enumerator.c' || echo '$(srcdir)/'`suites/test_linked_list_enumerator.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_linked_list_enumerator.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_linked_list_enumerator.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list_enumerator.c' object='suites/libstrongswan_tests-test_linked_list_enumerator.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_enumerator.o `test -f 'suites/test_enumerator.c' || echo '$(srcdir)/'`suites/test_enumerator.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_linked_list_enumerator.o `test -f 'suites/test_linked_list_enumerator.c' || echo '$(srcdir)/'`suites/test_linked_list_enumerator.c -suites/tests-test_enumerator.obj: suites/test_enumerator.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_enumerator.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_enumerator.Tpo -c -o suites/tests-test_enumerator.obj `if test -f 'suites/test_enumerator.c'; then $(CYGPATH_W) 'suites/test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enumerator.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_enumerator.Tpo suites/$(DEPDIR)/tests-test_enumerator.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enumerator.c' object='suites/tests-test_enumerator.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_linked_list_enumerator.obj: suites/test_linked_list_enumerator.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_linked_list_enumerator.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_linked_list_enumerator.Tpo -c -o suites/libstrongswan_tests-test_linked_list_enumerator.obj `if test -f 'suites/test_linked_list_enumerator.c'; then $(CYGPATH_W) 'suites/test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list_enumerator.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_linked_list_enumerator.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_linked_list_enumerator.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list_enumerator.c' object='suites/libstrongswan_tests-test_linked_list_enumerator.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_enumerator.obj `if test -f 'suites/test_enumerator.c'; then $(CYGPATH_W) 'suites/test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enumerator.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_linked_list_enumerator.obj `if test -f 'suites/test_linked_list_enumerator.c'; then $(CYGPATH_W) 'suites/test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list_enumerator.c'; fi` -suites/tests-test_linked_list_enumerator.o: suites/test_linked_list_enumerator.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_linked_list_enumerator.o -MD -MP -MF suites/$(DEPDIR)/tests-test_linked_list_enumerator.Tpo -c -o suites/tests-test_linked_list_enumerator.o `test -f 'suites/test_linked_list_enumerator.c' || echo '$(srcdir)/'`suites/test_linked_list_enumerator.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_linked_list_enumerator.Tpo suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list_enumerator.c' object='suites/tests-test_linked_list_enumerator.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_bio_reader.o: suites/test_bio_reader.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_bio_reader.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_bio_reader.Tpo -c -o suites/libstrongswan_tests-test_bio_reader.o `test -f 'suites/test_bio_reader.c' || echo '$(srcdir)/'`suites/test_bio_reader.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_bio_reader.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_bio_reader.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_reader.c' object='suites/libstrongswan_tests-test_bio_reader.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_linked_list_enumerator.o `test -f 'suites/test_linked_list_enumerator.c' || echo '$(srcdir)/'`suites/test_linked_list_enumerator.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_bio_reader.o `test -f 'suites/test_bio_reader.c' || echo '$(srcdir)/'`suites/test_bio_reader.c -suites/tests-test_linked_list_enumerator.obj: suites/test_linked_list_enumerator.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_linked_list_enumerator.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_linked_list_enumerator.Tpo -c -o suites/tests-test_linked_list_enumerator.obj `if test -f 'suites/test_linked_list_enumerator.c'; then $(CYGPATH_W) 'suites/test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list_enumerator.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_linked_list_enumerator.Tpo suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list_enumerator.c' object='suites/tests-test_linked_list_enumerator.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_bio_reader.obj: suites/test_bio_reader.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_bio_reader.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_bio_reader.Tpo -c -o suites/libstrongswan_tests-test_bio_reader.obj `if test -f 'suites/test_bio_reader.c'; then $(CYGPATH_W) 'suites/test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_reader.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_bio_reader.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_bio_reader.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_reader.c' object='suites/libstrongswan_tests-test_bio_reader.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_linked_list_enumerator.obj `if test -f 'suites/test_linked_list_enumerator.c'; then $(CYGPATH_W) 'suites/test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list_enumerator.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_bio_reader.obj `if test -f 'suites/test_bio_reader.c'; then $(CYGPATH_W) 'suites/test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_reader.c'; fi` -suites/tests-test_bio_reader.o: suites/test_bio_reader.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_bio_reader.o -MD -MP -MF suites/$(DEPDIR)/tests-test_bio_reader.Tpo -c -o suites/tests-test_bio_reader.o `test -f 'suites/test_bio_reader.c' || echo '$(srcdir)/'`suites/test_bio_reader.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_bio_reader.Tpo suites/$(DEPDIR)/tests-test_bio_reader.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_reader.c' object='suites/tests-test_bio_reader.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_bio_writer.o: suites/test_bio_writer.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_bio_writer.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_bio_writer.Tpo -c -o suites/libstrongswan_tests-test_bio_writer.o `test -f 'suites/test_bio_writer.c' || echo '$(srcdir)/'`suites/test_bio_writer.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_bio_writer.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_bio_writer.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_writer.c' object='suites/libstrongswan_tests-test_bio_writer.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_bio_reader.o `test -f 'suites/test_bio_reader.c' || echo '$(srcdir)/'`suites/test_bio_reader.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_bio_writer.o `test -f 'suites/test_bio_writer.c' || echo '$(srcdir)/'`suites/test_bio_writer.c -suites/tests-test_bio_reader.obj: suites/test_bio_reader.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_bio_reader.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_bio_reader.Tpo -c -o suites/tests-test_bio_reader.obj `if test -f 'suites/test_bio_reader.c'; then $(CYGPATH_W) 'suites/test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_reader.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_bio_reader.Tpo suites/$(DEPDIR)/tests-test_bio_reader.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_reader.c' object='suites/tests-test_bio_reader.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_bio_writer.obj: suites/test_bio_writer.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_bio_writer.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_bio_writer.Tpo -c -o suites/libstrongswan_tests-test_bio_writer.obj `if test -f 'suites/test_bio_writer.c'; then $(CYGPATH_W) 'suites/test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_writer.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_bio_writer.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_bio_writer.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_writer.c' object='suites/libstrongswan_tests-test_bio_writer.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_bio_reader.obj `if test -f 'suites/test_bio_reader.c'; then $(CYGPATH_W) 'suites/test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_reader.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_bio_writer.obj `if test -f 'suites/test_bio_writer.c'; then $(CYGPATH_W) 'suites/test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_writer.c'; fi` -suites/tests-test_bio_writer.o: suites/test_bio_writer.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_bio_writer.o -MD -MP -MF suites/$(DEPDIR)/tests-test_bio_writer.Tpo -c -o suites/tests-test_bio_writer.o `test -f 'suites/test_bio_writer.c' || echo '$(srcdir)/'`suites/test_bio_writer.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_bio_writer.Tpo suites/$(DEPDIR)/tests-test_bio_writer.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_writer.c' object='suites/tests-test_bio_writer.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_chunk.o: suites/test_chunk.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_chunk.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_chunk.Tpo -c -o suites/libstrongswan_tests-test_chunk.o `test -f 'suites/test_chunk.c' || echo '$(srcdir)/'`suites/test_chunk.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_chunk.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_chunk.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_chunk.c' object='suites/libstrongswan_tests-test_chunk.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_bio_writer.o `test -f 'suites/test_bio_writer.c' || echo '$(srcdir)/'`suites/test_bio_writer.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_chunk.o `test -f 'suites/test_chunk.c' || echo '$(srcdir)/'`suites/test_chunk.c -suites/tests-test_bio_writer.obj: suites/test_bio_writer.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_bio_writer.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_bio_writer.Tpo -c -o suites/tests-test_bio_writer.obj `if test -f 'suites/test_bio_writer.c'; then $(CYGPATH_W) 'suites/test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_writer.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_bio_writer.Tpo suites/$(DEPDIR)/tests-test_bio_writer.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_writer.c' object='suites/tests-test_bio_writer.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_chunk.obj: suites/test_chunk.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_chunk.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_chunk.Tpo -c -o suites/libstrongswan_tests-test_chunk.obj `if test -f 'suites/test_chunk.c'; then $(CYGPATH_W) 'suites/test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_chunk.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_chunk.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_chunk.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_chunk.c' object='suites/libstrongswan_tests-test_chunk.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_bio_writer.obj `if test -f 'suites/test_bio_writer.c'; then $(CYGPATH_W) 'suites/test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_writer.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_chunk.obj `if test -f 'suites/test_chunk.c'; then $(CYGPATH_W) 'suites/test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_chunk.c'; fi` -suites/tests-test_chunk.o: suites/test_chunk.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_chunk.o -MD -MP -MF suites/$(DEPDIR)/tests-test_chunk.Tpo -c -o suites/tests-test_chunk.o `test -f 'suites/test_chunk.c' || echo '$(srcdir)/'`suites/test_chunk.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_chunk.Tpo suites/$(DEPDIR)/tests-test_chunk.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_chunk.c' object='suites/tests-test_chunk.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_enum.o: suites/test_enum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_enum.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_enum.Tpo -c -o suites/libstrongswan_tests-test_enum.o `test -f 'suites/test_enum.c' || echo '$(srcdir)/'`suites/test_enum.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_enum.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_enum.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enum.c' object='suites/libstrongswan_tests-test_enum.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_chunk.o `test -f 'suites/test_chunk.c' || echo '$(srcdir)/'`suites/test_chunk.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_enum.o `test -f 'suites/test_enum.c' || echo '$(srcdir)/'`suites/test_enum.c -suites/tests-test_chunk.obj: suites/test_chunk.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_chunk.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_chunk.Tpo -c -o suites/tests-test_chunk.obj `if test -f 'suites/test_chunk.c'; then $(CYGPATH_W) 'suites/test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_chunk.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_chunk.Tpo suites/$(DEPDIR)/tests-test_chunk.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_chunk.c' object='suites/tests-test_chunk.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_enum.obj: suites/test_enum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_enum.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_enum.Tpo -c -o suites/libstrongswan_tests-test_enum.obj `if test -f 'suites/test_enum.c'; then $(CYGPATH_W) 'suites/test_enum.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enum.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_enum.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_enum.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enum.c' object='suites/libstrongswan_tests-test_enum.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_chunk.obj `if test -f 'suites/test_chunk.c'; then $(CYGPATH_W) 'suites/test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_chunk.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_enum.obj `if test -f 'suites/test_enum.c'; then $(CYGPATH_W) 'suites/test_enum.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enum.c'; fi` -suites/tests-test_enum.o: suites/test_enum.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_enum.o -MD -MP -MF suites/$(DEPDIR)/tests-test_enum.Tpo -c -o suites/tests-test_enum.o `test -f 'suites/test_enum.c' || echo '$(srcdir)/'`suites/test_enum.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_enum.Tpo suites/$(DEPDIR)/tests-test_enum.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enum.c' object='suites/tests-test_enum.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_hashtable.o: suites/test_hashtable.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_hashtable.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_hashtable.Tpo -c -o suites/libstrongswan_tests-test_hashtable.o `test -f 'suites/test_hashtable.c' || echo '$(srcdir)/'`suites/test_hashtable.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_hashtable.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_hashtable.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hashtable.c' object='suites/libstrongswan_tests-test_hashtable.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_enum.o `test -f 'suites/test_enum.c' || echo '$(srcdir)/'`suites/test_enum.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_hashtable.o `test -f 'suites/test_hashtable.c' || echo '$(srcdir)/'`suites/test_hashtable.c -suites/tests-test_enum.obj: suites/test_enum.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_enum.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_enum.Tpo -c -o suites/tests-test_enum.obj `if test -f 'suites/test_enum.c'; then $(CYGPATH_W) 'suites/test_enum.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enum.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_enum.Tpo suites/$(DEPDIR)/tests-test_enum.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enum.c' object='suites/tests-test_enum.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_hashtable.obj: suites/test_hashtable.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_hashtable.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_hashtable.Tpo -c -o suites/libstrongswan_tests-test_hashtable.obj `if test -f 'suites/test_hashtable.c'; then $(CYGPATH_W) 'suites/test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hashtable.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_hashtable.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_hashtable.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hashtable.c' object='suites/libstrongswan_tests-test_hashtable.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_enum.obj `if test -f 'suites/test_enum.c'; then $(CYGPATH_W) 'suites/test_enum.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enum.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_hashtable.obj `if test -f 'suites/test_hashtable.c'; then $(CYGPATH_W) 'suites/test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hashtable.c'; fi` -suites/tests-test_hashtable.o: suites/test_hashtable.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hashtable.o -MD -MP -MF suites/$(DEPDIR)/tests-test_hashtable.Tpo -c -o suites/tests-test_hashtable.o `test -f 'suites/test_hashtable.c' || echo '$(srcdir)/'`suites/test_hashtable.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hashtable.Tpo suites/$(DEPDIR)/tests-test_hashtable.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hashtable.c' object='suites/tests-test_hashtable.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_identification.o: suites/test_identification.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_identification.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_identification.Tpo -c -o suites/libstrongswan_tests-test_identification.o `test -f 'suites/test_identification.c' || echo '$(srcdir)/'`suites/test_identification.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_identification.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_identification.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_identification.c' object='suites/libstrongswan_tests-test_identification.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_hashtable.o `test -f 'suites/test_hashtable.c' || echo '$(srcdir)/'`suites/test_hashtable.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_identification.o `test -f 'suites/test_identification.c' || echo '$(srcdir)/'`suites/test_identification.c -suites/tests-test_hashtable.obj: suites/test_hashtable.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hashtable.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_hashtable.Tpo -c -o suites/tests-test_hashtable.obj `if test -f 'suites/test_hashtable.c'; then $(CYGPATH_W) 'suites/test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hashtable.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hashtable.Tpo suites/$(DEPDIR)/tests-test_hashtable.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hashtable.c' object='suites/tests-test_hashtable.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_identification.obj: suites/test_identification.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_identification.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_identification.Tpo -c -o suites/libstrongswan_tests-test_identification.obj `if test -f 'suites/test_identification.c'; then $(CYGPATH_W) 'suites/test_identification.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_identification.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_identification.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_identification.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_identification.c' object='suites/libstrongswan_tests-test_identification.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_hashtable.obj `if test -f 'suites/test_hashtable.c'; then $(CYGPATH_W) 'suites/test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hashtable.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_identification.obj `if test -f 'suites/test_identification.c'; then $(CYGPATH_W) 'suites/test_identification.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_identification.c'; fi` -suites/tests-test_identification.o: suites/test_identification.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_identification.o -MD -MP -MF suites/$(DEPDIR)/tests-test_identification.Tpo -c -o suites/tests-test_identification.o `test -f 'suites/test_identification.c' || echo '$(srcdir)/'`suites/test_identification.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_identification.Tpo suites/$(DEPDIR)/tests-test_identification.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_identification.c' object='suites/tests-test_identification.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_traffic_selector.o: suites/test_traffic_selector.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_traffic_selector.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_traffic_selector.Tpo -c -o suites/libstrongswan_tests-test_traffic_selector.o `test -f 'suites/test_traffic_selector.c' || echo '$(srcdir)/'`suites/test_traffic_selector.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_traffic_selector.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_traffic_selector.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_traffic_selector.c' object='suites/libstrongswan_tests-test_traffic_selector.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_identification.o `test -f 'suites/test_identification.c' || echo '$(srcdir)/'`suites/test_identification.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_traffic_selector.o `test -f 'suites/test_traffic_selector.c' || echo '$(srcdir)/'`suites/test_traffic_selector.c -suites/tests-test_identification.obj: suites/test_identification.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_identification.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_identification.Tpo -c -o suites/tests-test_identification.obj `if test -f 'suites/test_identification.c'; then $(CYGPATH_W) 'suites/test_identification.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_identification.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_identification.Tpo suites/$(DEPDIR)/tests-test_identification.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_identification.c' object='suites/tests-test_identification.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_traffic_selector.obj: suites/test_traffic_selector.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_traffic_selector.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_traffic_selector.Tpo -c -o suites/libstrongswan_tests-test_traffic_selector.obj `if test -f 'suites/test_traffic_selector.c'; then $(CYGPATH_W) 'suites/test_traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_traffic_selector.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_traffic_selector.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_traffic_selector.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_traffic_selector.c' object='suites/libstrongswan_tests-test_traffic_selector.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_identification.obj `if test -f 'suites/test_identification.c'; then $(CYGPATH_W) 'suites/test_identification.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_identification.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_traffic_selector.obj `if test -f 'suites/test_traffic_selector.c'; then $(CYGPATH_W) 'suites/test_traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_traffic_selector.c'; fi` -suites/tests-test_traffic_selector.o: suites/test_traffic_selector.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_traffic_selector.o -MD -MP -MF suites/$(DEPDIR)/tests-test_traffic_selector.Tpo -c -o suites/tests-test_traffic_selector.o `test -f 'suites/test_traffic_selector.c' || echo '$(srcdir)/'`suites/test_traffic_selector.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_traffic_selector.Tpo suites/$(DEPDIR)/tests-test_traffic_selector.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_traffic_selector.c' object='suites/tests-test_traffic_selector.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_threading.o: suites/test_threading.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_threading.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_threading.Tpo -c -o suites/libstrongswan_tests-test_threading.o `test -f 'suites/test_threading.c' || echo '$(srcdir)/'`suites/test_threading.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_threading.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_threading.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_threading.c' object='suites/libstrongswan_tests-test_threading.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_traffic_selector.o `test -f 'suites/test_traffic_selector.c' || echo '$(srcdir)/'`suites/test_traffic_selector.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_threading.o `test -f 'suites/test_threading.c' || echo '$(srcdir)/'`suites/test_threading.c -suites/tests-test_traffic_selector.obj: suites/test_traffic_selector.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_traffic_selector.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_traffic_selector.Tpo -c -o suites/tests-test_traffic_selector.obj `if test -f 'suites/test_traffic_selector.c'; then $(CYGPATH_W) 'suites/test_traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_traffic_selector.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_traffic_selector.Tpo suites/$(DEPDIR)/tests-test_traffic_selector.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_traffic_selector.c' object='suites/tests-test_traffic_selector.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_threading.obj: suites/test_threading.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_threading.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_threading.Tpo -c -o suites/libstrongswan_tests-test_threading.obj `if test -f 'suites/test_threading.c'; then $(CYGPATH_W) 'suites/test_threading.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_threading.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_threading.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_threading.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_threading.c' object='suites/libstrongswan_tests-test_threading.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_traffic_selector.obj `if test -f 'suites/test_traffic_selector.c'; then $(CYGPATH_W) 'suites/test_traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_traffic_selector.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_threading.obj `if test -f 'suites/test_threading.c'; then $(CYGPATH_W) 'suites/test_threading.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_threading.c'; fi` -suites/tests-test_threading.o: suites/test_threading.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_threading.o -MD -MP -MF suites/$(DEPDIR)/tests-test_threading.Tpo -c -o suites/tests-test_threading.o `test -f 'suites/test_threading.c' || echo '$(srcdir)/'`suites/test_threading.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_threading.Tpo suites/$(DEPDIR)/tests-test_threading.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_threading.c' object='suites/tests-test_threading.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_process.o: suites/test_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_process.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_process.Tpo -c -o suites/libstrongswan_tests-test_process.o `test -f 'suites/test_process.c' || echo '$(srcdir)/'`suites/test_process.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_process.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_process.c' object='suites/libstrongswan_tests-test_process.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_threading.o `test -f 'suites/test_threading.c' || echo '$(srcdir)/'`suites/test_threading.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_process.o `test -f 'suites/test_process.c' || echo '$(srcdir)/'`suites/test_process.c -suites/tests-test_threading.obj: suites/test_threading.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_threading.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_threading.Tpo -c -o suites/tests-test_threading.obj `if test -f 'suites/test_threading.c'; then $(CYGPATH_W) 'suites/test_threading.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_threading.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_threading.Tpo suites/$(DEPDIR)/tests-test_threading.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_threading.c' object='suites/tests-test_threading.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_process.obj: suites/test_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_process.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_process.Tpo -c -o suites/libstrongswan_tests-test_process.obj `if test -f 'suites/test_process.c'; then $(CYGPATH_W) 'suites/test_process.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_process.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_process.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_process.c' object='suites/libstrongswan_tests-test_process.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_threading.obj `if test -f 'suites/test_threading.c'; then $(CYGPATH_W) 'suites/test_threading.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_threading.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_process.obj `if test -f 'suites/test_process.c'; then $(CYGPATH_W) 'suites/test_process.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_process.c'; fi` -suites/tests-test_process.o: suites/test_process.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_process.o -MD -MP -MF suites/$(DEPDIR)/tests-test_process.Tpo -c -o suites/tests-test_process.o `test -f 'suites/test_process.c' || echo '$(srcdir)/'`suites/test_process.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_process.Tpo suites/$(DEPDIR)/tests-test_process.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_process.c' object='suites/tests-test_process.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_watcher.o: suites/test_watcher.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_watcher.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_watcher.Tpo -c -o suites/libstrongswan_tests-test_watcher.o `test -f 'suites/test_watcher.c' || echo '$(srcdir)/'`suites/test_watcher.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_watcher.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_watcher.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_watcher.c' object='suites/libstrongswan_tests-test_watcher.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_process.o `test -f 'suites/test_process.c' || echo '$(srcdir)/'`suites/test_process.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_watcher.o `test -f 'suites/test_watcher.c' || echo '$(srcdir)/'`suites/test_watcher.c -suites/tests-test_process.obj: suites/test_process.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_process.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_process.Tpo -c -o suites/tests-test_process.obj `if test -f 'suites/test_process.c'; then $(CYGPATH_W) 'suites/test_process.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_process.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_process.Tpo suites/$(DEPDIR)/tests-test_process.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_process.c' object='suites/tests-test_process.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_watcher.obj: suites/test_watcher.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_watcher.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_watcher.Tpo -c -o suites/libstrongswan_tests-test_watcher.obj `if test -f 'suites/test_watcher.c'; then $(CYGPATH_W) 'suites/test_watcher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_watcher.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_watcher.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_watcher.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_watcher.c' object='suites/libstrongswan_tests-test_watcher.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_process.obj `if test -f 'suites/test_process.c'; then $(CYGPATH_W) 'suites/test_process.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_process.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_watcher.obj `if test -f 'suites/test_watcher.c'; then $(CYGPATH_W) 'suites/test_watcher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_watcher.c'; fi` -suites/tests-test_watcher.o: suites/test_watcher.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_watcher.o -MD -MP -MF suites/$(DEPDIR)/tests-test_watcher.Tpo -c -o suites/tests-test_watcher.o `test -f 'suites/test_watcher.c' || echo '$(srcdir)/'`suites/test_watcher.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_watcher.Tpo suites/$(DEPDIR)/tests-test_watcher.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_watcher.c' object='suites/tests-test_watcher.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_stream.o: suites/test_stream.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_stream.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_stream.Tpo -c -o suites/libstrongswan_tests-test_stream.o `test -f 'suites/test_stream.c' || echo '$(srcdir)/'`suites/test_stream.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_stream.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_stream.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_stream.c' object='suites/libstrongswan_tests-test_stream.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_watcher.o `test -f 'suites/test_watcher.c' || echo '$(srcdir)/'`suites/test_watcher.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_stream.o `test -f 'suites/test_stream.c' || echo '$(srcdir)/'`suites/test_stream.c -suites/tests-test_watcher.obj: suites/test_watcher.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_watcher.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_watcher.Tpo -c -o suites/tests-test_watcher.obj `if test -f 'suites/test_watcher.c'; then $(CYGPATH_W) 'suites/test_watcher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_watcher.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_watcher.Tpo suites/$(DEPDIR)/tests-test_watcher.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_watcher.c' object='suites/tests-test_watcher.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_stream.obj: suites/test_stream.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_stream.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_stream.Tpo -c -o suites/libstrongswan_tests-test_stream.obj `if test -f 'suites/test_stream.c'; then $(CYGPATH_W) 'suites/test_stream.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_stream.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_stream.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_stream.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_stream.c' object='suites/libstrongswan_tests-test_stream.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_watcher.obj `if test -f 'suites/test_watcher.c'; then $(CYGPATH_W) 'suites/test_watcher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_watcher.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_stream.obj `if test -f 'suites/test_stream.c'; then $(CYGPATH_W) 'suites/test_stream.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_stream.c'; fi` -suites/tests-test_stream.o: suites/test_stream.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_stream.o -MD -MP -MF suites/$(DEPDIR)/tests-test_stream.Tpo -c -o suites/tests-test_stream.o `test -f 'suites/test_stream.c' || echo '$(srcdir)/'`suites/test_stream.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_stream.Tpo suites/$(DEPDIR)/tests-test_stream.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_stream.c' object='suites/tests-test_stream.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_fetch_http.o: suites/test_fetch_http.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_fetch_http.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_fetch_http.Tpo -c -o suites/libstrongswan_tests-test_fetch_http.o `test -f 'suites/test_fetch_http.c' || echo '$(srcdir)/'`suites/test_fetch_http.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_fetch_http.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_fetch_http.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_fetch_http.c' object='suites/libstrongswan_tests-test_fetch_http.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_stream.o `test -f 'suites/test_stream.c' || echo '$(srcdir)/'`suites/test_stream.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_fetch_http.o `test -f 'suites/test_fetch_http.c' || echo '$(srcdir)/'`suites/test_fetch_http.c -suites/tests-test_stream.obj: suites/test_stream.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_stream.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_stream.Tpo -c -o suites/tests-test_stream.obj `if test -f 'suites/test_stream.c'; then $(CYGPATH_W) 'suites/test_stream.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_stream.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_stream.Tpo suites/$(DEPDIR)/tests-test_stream.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_stream.c' object='suites/tests-test_stream.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_fetch_http.obj: suites/test_fetch_http.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_fetch_http.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_fetch_http.Tpo -c -o suites/libstrongswan_tests-test_fetch_http.obj `if test -f 'suites/test_fetch_http.c'; then $(CYGPATH_W) 'suites/test_fetch_http.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_fetch_http.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_fetch_http.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_fetch_http.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_fetch_http.c' object='suites/libstrongswan_tests-test_fetch_http.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_stream.obj `if test -f 'suites/test_stream.c'; then $(CYGPATH_W) 'suites/test_stream.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_stream.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_fetch_http.obj `if test -f 'suites/test_fetch_http.c'; then $(CYGPATH_W) 'suites/test_fetch_http.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_fetch_http.c'; fi` -suites/tests-test_fetch_http.o: suites/test_fetch_http.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_fetch_http.o -MD -MP -MF suites/$(DEPDIR)/tests-test_fetch_http.Tpo -c -o suites/tests-test_fetch_http.o `test -f 'suites/test_fetch_http.c' || echo '$(srcdir)/'`suites/test_fetch_http.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_fetch_http.Tpo suites/$(DEPDIR)/tests-test_fetch_http.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_fetch_http.c' object='suites/tests-test_fetch_http.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_utils.o: suites/test_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_utils.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_utils.Tpo -c -o suites/libstrongswan_tests-test_utils.o `test -f 'suites/test_utils.c' || echo '$(srcdir)/'`suites/test_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_utils.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_utils.c' object='suites/libstrongswan_tests-test_utils.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_fetch_http.o `test -f 'suites/test_fetch_http.c' || echo '$(srcdir)/'`suites/test_fetch_http.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_utils.o `test -f 'suites/test_utils.c' || echo '$(srcdir)/'`suites/test_utils.c -suites/tests-test_fetch_http.obj: suites/test_fetch_http.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_fetch_http.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_fetch_http.Tpo -c -o suites/tests-test_fetch_http.obj `if test -f 'suites/test_fetch_http.c'; then $(CYGPATH_W) 'suites/test_fetch_http.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_fetch_http.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_fetch_http.Tpo suites/$(DEPDIR)/tests-test_fetch_http.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_fetch_http.c' object='suites/tests-test_fetch_http.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_utils.obj: suites/test_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_utils.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_utils.Tpo -c -o suites/libstrongswan_tests-test_utils.obj `if test -f 'suites/test_utils.c'; then $(CYGPATH_W) 'suites/test_utils.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_utils.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_utils.c' object='suites/libstrongswan_tests-test_utils.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_fetch_http.obj `if test -f 'suites/test_fetch_http.c'; then $(CYGPATH_W) 'suites/test_fetch_http.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_fetch_http.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_utils.obj `if test -f 'suites/test_utils.c'; then $(CYGPATH_W) 'suites/test_utils.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_utils.c'; fi` -suites/tests-test_utils.o: suites/test_utils.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_utils.o -MD -MP -MF suites/$(DEPDIR)/tests-test_utils.Tpo -c -o suites/tests-test_utils.o `test -f 'suites/test_utils.c' || echo '$(srcdir)/'`suites/test_utils.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_utils.Tpo suites/$(DEPDIR)/tests-test_utils.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_utils.c' object='suites/tests-test_utils.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_settings.o: suites/test_settings.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_settings.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_settings.Tpo -c -o suites/libstrongswan_tests-test_settings.o `test -f 'suites/test_settings.c' || echo '$(srcdir)/'`suites/test_settings.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_settings.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_settings.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_settings.c' object='suites/libstrongswan_tests-test_settings.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_utils.o `test -f 'suites/test_utils.c' || echo '$(srcdir)/'`suites/test_utils.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_settings.o `test -f 'suites/test_settings.c' || echo '$(srcdir)/'`suites/test_settings.c -suites/tests-test_utils.obj: suites/test_utils.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_utils.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_utils.Tpo -c -o suites/tests-test_utils.obj `if test -f 'suites/test_utils.c'; then $(CYGPATH_W) 'suites/test_utils.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_utils.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_utils.Tpo suites/$(DEPDIR)/tests-test_utils.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_utils.c' object='suites/tests-test_utils.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_settings.obj: suites/test_settings.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_settings.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_settings.Tpo -c -o suites/libstrongswan_tests-test_settings.obj `if test -f 'suites/test_settings.c'; then $(CYGPATH_W) 'suites/test_settings.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_settings.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_settings.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_settings.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_settings.c' object='suites/libstrongswan_tests-test_settings.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_utils.obj `if test -f 'suites/test_utils.c'; then $(CYGPATH_W) 'suites/test_utils.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_utils.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_settings.obj `if test -f 'suites/test_settings.c'; then $(CYGPATH_W) 'suites/test_settings.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_settings.c'; fi` -suites/tests-test_settings.o: suites/test_settings.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_settings.o -MD -MP -MF suites/$(DEPDIR)/tests-test_settings.Tpo -c -o suites/tests-test_settings.o `test -f 'suites/test_settings.c' || echo '$(srcdir)/'`suites/test_settings.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_settings.Tpo suites/$(DEPDIR)/tests-test_settings.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_settings.c' object='suites/tests-test_settings.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_vectors.o: suites/test_vectors.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_vectors.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_vectors.Tpo -c -o suites/libstrongswan_tests-test_vectors.o `test -f 'suites/test_vectors.c' || echo '$(srcdir)/'`suites/test_vectors.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_vectors.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_vectors.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_vectors.c' object='suites/libstrongswan_tests-test_vectors.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_settings.o `test -f 'suites/test_settings.c' || echo '$(srcdir)/'`suites/test_settings.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_vectors.o `test -f 'suites/test_vectors.c' || echo '$(srcdir)/'`suites/test_vectors.c -suites/tests-test_settings.obj: suites/test_settings.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_settings.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_settings.Tpo -c -o suites/tests-test_settings.obj `if test -f 'suites/test_settings.c'; then $(CYGPATH_W) 'suites/test_settings.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_settings.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_settings.Tpo suites/$(DEPDIR)/tests-test_settings.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_settings.c' object='suites/tests-test_settings.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_vectors.obj: suites/test_vectors.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_vectors.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_vectors.Tpo -c -o suites/libstrongswan_tests-test_vectors.obj `if test -f 'suites/test_vectors.c'; then $(CYGPATH_W) 'suites/test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_vectors.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_vectors.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_vectors.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_vectors.c' object='suites/libstrongswan_tests-test_vectors.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_settings.obj `if test -f 'suites/test_settings.c'; then $(CYGPATH_W) 'suites/test_settings.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_settings.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_vectors.obj `if test -f 'suites/test_vectors.c'; then $(CYGPATH_W) 'suites/test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_vectors.c'; fi` -suites/tests-test_vectors.o: suites/test_vectors.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_vectors.o -MD -MP -MF suites/$(DEPDIR)/tests-test_vectors.Tpo -c -o suites/tests-test_vectors.o `test -f 'suites/test_vectors.c' || echo '$(srcdir)/'`suites/test_vectors.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_vectors.Tpo suites/$(DEPDIR)/tests-test_vectors.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_vectors.c' object='suites/tests-test_vectors.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_array.o: suites/test_array.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_array.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_array.Tpo -c -o suites/libstrongswan_tests-test_array.o `test -f 'suites/test_array.c' || echo '$(srcdir)/'`suites/test_array.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_array.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_array.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_array.c' object='suites/libstrongswan_tests-test_array.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_vectors.o `test -f 'suites/test_vectors.c' || echo '$(srcdir)/'`suites/test_vectors.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_array.o `test -f 'suites/test_array.c' || echo '$(srcdir)/'`suites/test_array.c -suites/tests-test_vectors.obj: suites/test_vectors.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_vectors.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_vectors.Tpo -c -o suites/tests-test_vectors.obj `if test -f 'suites/test_vectors.c'; then $(CYGPATH_W) 'suites/test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_vectors.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_vectors.Tpo suites/$(DEPDIR)/tests-test_vectors.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_vectors.c' object='suites/tests-test_vectors.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_array.obj: suites/test_array.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_array.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_array.Tpo -c -o suites/libstrongswan_tests-test_array.obj `if test -f 'suites/test_array.c'; then $(CYGPATH_W) 'suites/test_array.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_array.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_array.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_array.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_array.c' object='suites/libstrongswan_tests-test_array.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_vectors.obj `if test -f 'suites/test_vectors.c'; then $(CYGPATH_W) 'suites/test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_vectors.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_array.obj `if test -f 'suites/test_array.c'; then $(CYGPATH_W) 'suites/test_array.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_array.c'; fi` -suites/tests-test_array.o: suites/test_array.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_array.o -MD -MP -MF suites/$(DEPDIR)/tests-test_array.Tpo -c -o suites/tests-test_array.o `test -f 'suites/test_array.c' || echo '$(srcdir)/'`suites/test_array.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_array.Tpo suites/$(DEPDIR)/tests-test_array.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_array.c' object='suites/tests-test_array.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_ecdsa.o: suites/test_ecdsa.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ecdsa.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ecdsa.Tpo -c -o suites/libstrongswan_tests-test_ecdsa.o `test -f 'suites/test_ecdsa.c' || echo '$(srcdir)/'`suites/test_ecdsa.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ecdsa.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_ecdsa.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ecdsa.c' object='suites/libstrongswan_tests-test_ecdsa.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_array.o `test -f 'suites/test_array.c' || echo '$(srcdir)/'`suites/test_array.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ecdsa.o `test -f 'suites/test_ecdsa.c' || echo '$(srcdir)/'`suites/test_ecdsa.c -suites/tests-test_array.obj: suites/test_array.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_array.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_array.Tpo -c -o suites/tests-test_array.obj `if test -f 'suites/test_array.c'; then $(CYGPATH_W) 'suites/test_array.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_array.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_array.Tpo suites/$(DEPDIR)/tests-test_array.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_array.c' object='suites/tests-test_array.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_ecdsa.obj: suites/test_ecdsa.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ecdsa.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ecdsa.Tpo -c -o suites/libstrongswan_tests-test_ecdsa.obj `if test -f 'suites/test_ecdsa.c'; then $(CYGPATH_W) 'suites/test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ecdsa.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ecdsa.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_ecdsa.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ecdsa.c' object='suites/libstrongswan_tests-test_ecdsa.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_array.obj `if test -f 'suites/test_array.c'; then $(CYGPATH_W) 'suites/test_array.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_array.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ecdsa.obj `if test -f 'suites/test_ecdsa.c'; then $(CYGPATH_W) 'suites/test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ecdsa.c'; fi` -suites/tests-test_ecdsa.o: suites/test_ecdsa.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ecdsa.o -MD -MP -MF suites/$(DEPDIR)/tests-test_ecdsa.Tpo -c -o suites/tests-test_ecdsa.o `test -f 'suites/test_ecdsa.c' || echo '$(srcdir)/'`suites/test_ecdsa.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ecdsa.Tpo suites/$(DEPDIR)/tests-test_ecdsa.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ecdsa.c' object='suites/tests-test_ecdsa.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_rsa.o: suites/test_rsa.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_rsa.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Tpo -c -o suites/libstrongswan_tests-test_rsa.o `test -f 'suites/test_rsa.c' || echo '$(srcdir)/'`suites/test_rsa.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_rsa.c' object='suites/libstrongswan_tests-test_rsa.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ecdsa.o `test -f 'suites/test_ecdsa.c' || echo '$(srcdir)/'`suites/test_ecdsa.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_rsa.o `test -f 'suites/test_rsa.c' || echo '$(srcdir)/'`suites/test_rsa.c -suites/tests-test_ecdsa.obj: suites/test_ecdsa.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ecdsa.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_ecdsa.Tpo -c -o suites/tests-test_ecdsa.obj `if test -f 'suites/test_ecdsa.c'; then $(CYGPATH_W) 'suites/test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ecdsa.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ecdsa.Tpo suites/$(DEPDIR)/tests-test_ecdsa.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ecdsa.c' object='suites/tests-test_ecdsa.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_rsa.obj: suites/test_rsa.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_rsa.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Tpo -c -o suites/libstrongswan_tests-test_rsa.obj `if test -f 'suites/test_rsa.c'; then $(CYGPATH_W) 'suites/test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_rsa.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_rsa.c' object='suites/libstrongswan_tests-test_rsa.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ecdsa.obj `if test -f 'suites/test_ecdsa.c'; then $(CYGPATH_W) 'suites/test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ecdsa.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_rsa.obj `if test -f 'suites/test_rsa.c'; then $(CYGPATH_W) 'suites/test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_rsa.c'; fi` -suites/tests-test_rsa.o: suites/test_rsa.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_rsa.o -MD -MP -MF suites/$(DEPDIR)/tests-test_rsa.Tpo -c -o suites/tests-test_rsa.o `test -f 'suites/test_rsa.c' || echo '$(srcdir)/'`suites/test_rsa.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_rsa.Tpo suites/$(DEPDIR)/tests-test_rsa.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_rsa.c' object='suites/tests-test_rsa.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_certpolicy.o: suites/test_certpolicy.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_certpolicy.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_certpolicy.Tpo -c -o suites/libstrongswan_tests-test_certpolicy.o `test -f 'suites/test_certpolicy.c' || echo '$(srcdir)/'`suites/test_certpolicy.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_certpolicy.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_certpolicy.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certpolicy.c' object='suites/libstrongswan_tests-test_certpolicy.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_rsa.o `test -f 'suites/test_rsa.c' || echo '$(srcdir)/'`suites/test_rsa.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_certpolicy.o `test -f 'suites/test_certpolicy.c' || echo '$(srcdir)/'`suites/test_certpolicy.c -suites/tests-test_rsa.obj: suites/test_rsa.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_rsa.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_rsa.Tpo -c -o suites/tests-test_rsa.obj `if test -f 'suites/test_rsa.c'; then $(CYGPATH_W) 'suites/test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_rsa.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_rsa.Tpo suites/$(DEPDIR)/tests-test_rsa.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_rsa.c' object='suites/tests-test_rsa.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_certpolicy.obj: suites/test_certpolicy.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_certpolicy.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_certpolicy.Tpo -c -o suites/libstrongswan_tests-test_certpolicy.obj `if test -f 'suites/test_certpolicy.c'; then $(CYGPATH_W) 'suites/test_certpolicy.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certpolicy.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_certpolicy.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_certpolicy.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certpolicy.c' object='suites/libstrongswan_tests-test_certpolicy.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_rsa.obj `if test -f 'suites/test_rsa.c'; then $(CYGPATH_W) 'suites/test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_rsa.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_certpolicy.obj `if test -f 'suites/test_certpolicy.c'; then $(CYGPATH_W) 'suites/test_certpolicy.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certpolicy.c'; fi` -suites/tests-test_certpolicy.o: suites/test_certpolicy.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certpolicy.o -MD -MP -MF suites/$(DEPDIR)/tests-test_certpolicy.Tpo -c -o suites/tests-test_certpolicy.o `test -f 'suites/test_certpolicy.c' || echo '$(srcdir)/'`suites/test_certpolicy.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certpolicy.Tpo suites/$(DEPDIR)/tests-test_certpolicy.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certpolicy.c' object='suites/tests-test_certpolicy.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_certnames.o: suites/test_certnames.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_certnames.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_certnames.Tpo -c -o suites/libstrongswan_tests-test_certnames.o `test -f 'suites/test_certnames.c' || echo '$(srcdir)/'`suites/test_certnames.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_certnames.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_certnames.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certnames.c' object='suites/libstrongswan_tests-test_certnames.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certpolicy.o `test -f 'suites/test_certpolicy.c' || echo '$(srcdir)/'`suites/test_certpolicy.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_certnames.o `test -f 'suites/test_certnames.c' || echo '$(srcdir)/'`suites/test_certnames.c -suites/tests-test_certpolicy.obj: suites/test_certpolicy.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certpolicy.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_certpolicy.Tpo -c -o suites/tests-test_certpolicy.obj `if test -f 'suites/test_certpolicy.c'; then $(CYGPATH_W) 'suites/test_certpolicy.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certpolicy.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certpolicy.Tpo suites/$(DEPDIR)/tests-test_certpolicy.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certpolicy.c' object='suites/tests-test_certpolicy.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_certnames.obj: suites/test_certnames.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_certnames.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_certnames.Tpo -c -o suites/libstrongswan_tests-test_certnames.obj `if test -f 'suites/test_certnames.c'; then $(CYGPATH_W) 'suites/test_certnames.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certnames.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_certnames.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_certnames.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certnames.c' object='suites/libstrongswan_tests-test_certnames.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certpolicy.obj `if test -f 'suites/test_certpolicy.c'; then $(CYGPATH_W) 'suites/test_certpolicy.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certpolicy.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_certnames.obj `if test -f 'suites/test_certnames.c'; then $(CYGPATH_W) 'suites/test_certnames.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certnames.c'; fi` -suites/tests-test_certnames.o: suites/test_certnames.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certnames.o -MD -MP -MF suites/$(DEPDIR)/tests-test_certnames.Tpo -c -o suites/tests-test_certnames.o `test -f 'suites/test_certnames.c' || echo '$(srcdir)/'`suites/test_certnames.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certnames.Tpo suites/$(DEPDIR)/tests-test_certnames.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certnames.c' object='suites/tests-test_certnames.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_host.o: suites/test_host.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_host.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_host.Tpo -c -o suites/libstrongswan_tests-test_host.o `test -f 'suites/test_host.c' || echo '$(srcdir)/'`suites/test_host.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_host.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_host.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_host.c' object='suites/libstrongswan_tests-test_host.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certnames.o `test -f 'suites/test_certnames.c' || echo '$(srcdir)/'`suites/test_certnames.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_host.o `test -f 'suites/test_host.c' || echo '$(srcdir)/'`suites/test_host.c -suites/tests-test_certnames.obj: suites/test_certnames.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certnames.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_certnames.Tpo -c -o suites/tests-test_certnames.obj `if test -f 'suites/test_certnames.c'; then $(CYGPATH_W) 'suites/test_certnames.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certnames.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certnames.Tpo suites/$(DEPDIR)/tests-test_certnames.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certnames.c' object='suites/tests-test_certnames.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_host.obj: suites/test_host.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_host.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_host.Tpo -c -o suites/libstrongswan_tests-test_host.obj `if test -f 'suites/test_host.c'; then $(CYGPATH_W) 'suites/test_host.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_host.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_host.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_host.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_host.c' object='suites/libstrongswan_tests-test_host.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certnames.obj `if test -f 'suites/test_certnames.c'; then $(CYGPATH_W) 'suites/test_certnames.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certnames.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_host.obj `if test -f 'suites/test_host.c'; then $(CYGPATH_W) 'suites/test_host.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_host.c'; fi` -suites/tests-test_host.o: suites/test_host.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_host.o -MD -MP -MF suites/$(DEPDIR)/tests-test_host.Tpo -c -o suites/tests-test_host.o `test -f 'suites/test_host.c' || echo '$(srcdir)/'`suites/test_host.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_host.Tpo suites/$(DEPDIR)/tests-test_host.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_host.c' object='suites/tests-test_host.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_auth_cfg.o: suites/test_auth_cfg.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_auth_cfg.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_auth_cfg.Tpo -c -o suites/libstrongswan_tests-test_auth_cfg.o `test -f 'suites/test_auth_cfg.c' || echo '$(srcdir)/'`suites/test_auth_cfg.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_auth_cfg.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_auth_cfg.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_auth_cfg.c' object='suites/libstrongswan_tests-test_auth_cfg.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_host.o `test -f 'suites/test_host.c' || echo '$(srcdir)/'`suites/test_host.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_auth_cfg.o `test -f 'suites/test_auth_cfg.c' || echo '$(srcdir)/'`suites/test_auth_cfg.c -suites/tests-test_host.obj: suites/test_host.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_host.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_host.Tpo -c -o suites/tests-test_host.obj `if test -f 'suites/test_host.c'; then $(CYGPATH_W) 'suites/test_host.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_host.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_host.Tpo suites/$(DEPDIR)/tests-test_host.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_host.c' object='suites/tests-test_host.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_auth_cfg.obj: suites/test_auth_cfg.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_auth_cfg.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_auth_cfg.Tpo -c -o suites/libstrongswan_tests-test_auth_cfg.obj `if test -f 'suites/test_auth_cfg.c'; then $(CYGPATH_W) 'suites/test_auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_auth_cfg.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_auth_cfg.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_auth_cfg.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_auth_cfg.c' object='suites/libstrongswan_tests-test_auth_cfg.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_host.obj `if test -f 'suites/test_host.c'; then $(CYGPATH_W) 'suites/test_host.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_host.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_auth_cfg.obj `if test -f 'suites/test_auth_cfg.c'; then $(CYGPATH_W) 'suites/test_auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_auth_cfg.c'; fi` -suites/tests-test_auth_cfg.o: suites/test_auth_cfg.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_auth_cfg.o -MD -MP -MF suites/$(DEPDIR)/tests-test_auth_cfg.Tpo -c -o suites/tests-test_auth_cfg.o `test -f 'suites/test_auth_cfg.c' || echo '$(srcdir)/'`suites/test_auth_cfg.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_auth_cfg.Tpo suites/$(DEPDIR)/tests-test_auth_cfg.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_auth_cfg.c' object='suites/tests-test_auth_cfg.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_hasher.o: suites/test_hasher.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_hasher.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_hasher.Tpo -c -o suites/libstrongswan_tests-test_hasher.o `test -f 'suites/test_hasher.c' || echo '$(srcdir)/'`suites/test_hasher.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_hasher.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_hasher.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hasher.c' object='suites/libstrongswan_tests-test_hasher.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_auth_cfg.o `test -f 'suites/test_auth_cfg.c' || echo '$(srcdir)/'`suites/test_auth_cfg.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_hasher.o `test -f 'suites/test_hasher.c' || echo '$(srcdir)/'`suites/test_hasher.c -suites/tests-test_auth_cfg.obj: suites/test_auth_cfg.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_auth_cfg.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_auth_cfg.Tpo -c -o suites/tests-test_auth_cfg.obj `if test -f 'suites/test_auth_cfg.c'; then $(CYGPATH_W) 'suites/test_auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_auth_cfg.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_auth_cfg.Tpo suites/$(DEPDIR)/tests-test_auth_cfg.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_auth_cfg.c' object='suites/tests-test_auth_cfg.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_hasher.obj: suites/test_hasher.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_hasher.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_hasher.Tpo -c -o suites/libstrongswan_tests-test_hasher.obj `if test -f 'suites/test_hasher.c'; then $(CYGPATH_W) 'suites/test_hasher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hasher.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_hasher.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_hasher.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hasher.c' object='suites/libstrongswan_tests-test_hasher.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_auth_cfg.obj `if test -f 'suites/test_auth_cfg.c'; then $(CYGPATH_W) 'suites/test_auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_auth_cfg.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_hasher.obj `if test -f 'suites/test_hasher.c'; then $(CYGPATH_W) 'suites/test_hasher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hasher.c'; fi` -suites/tests-test_hasher.o: suites/test_hasher.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hasher.o -MD -MP -MF suites/$(DEPDIR)/tests-test_hasher.Tpo -c -o suites/tests-test_hasher.o `test -f 'suites/test_hasher.c' || echo '$(srcdir)/'`suites/test_hasher.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hasher.Tpo suites/$(DEPDIR)/tests-test_hasher.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hasher.c' object='suites/tests-test_hasher.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_crypter.o: suites/test_crypter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_crypter.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_crypter.Tpo -c -o suites/libstrongswan_tests-test_crypter.o `test -f 'suites/test_crypter.c' || echo '$(srcdir)/'`suites/test_crypter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_crypter.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_crypter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypter.c' object='suites/libstrongswan_tests-test_crypter.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_hasher.o `test -f 'suites/test_hasher.c' || echo '$(srcdir)/'`suites/test_hasher.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_crypter.o `test -f 'suites/test_crypter.c' || echo '$(srcdir)/'`suites/test_crypter.c -suites/tests-test_hasher.obj: suites/test_hasher.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hasher.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_hasher.Tpo -c -o suites/tests-test_hasher.obj `if test -f 'suites/test_hasher.c'; then $(CYGPATH_W) 'suites/test_hasher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hasher.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hasher.Tpo suites/$(DEPDIR)/tests-test_hasher.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hasher.c' object='suites/tests-test_hasher.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_crypter.obj: suites/test_crypter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_crypter.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_crypter.Tpo -c -o suites/libstrongswan_tests-test_crypter.obj `if test -f 'suites/test_crypter.c'; then $(CYGPATH_W) 'suites/test_crypter.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_crypter.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_crypter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypter.c' object='suites/libstrongswan_tests-test_crypter.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_hasher.obj `if test -f 'suites/test_hasher.c'; then $(CYGPATH_W) 'suites/test_hasher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hasher.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_crypter.obj `if test -f 'suites/test_crypter.c'; then $(CYGPATH_W) 'suites/test_crypter.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypter.c'; fi` -suites/tests-test_crypter.o: suites/test_crypter.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_crypter.o -MD -MP -MF suites/$(DEPDIR)/tests-test_crypter.Tpo -c -o suites/tests-test_crypter.o `test -f 'suites/test_crypter.c' || echo '$(srcdir)/'`suites/test_crypter.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_crypter.Tpo suites/$(DEPDIR)/tests-test_crypter.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypter.c' object='suites/tests-test_crypter.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_crypto_factory.o: suites/test_crypto_factory.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_crypto_factory.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Tpo -c -o suites/libstrongswan_tests-test_crypto_factory.o `test -f 'suites/test_crypto_factory.c' || echo '$(srcdir)/'`suites/test_crypto_factory.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypto_factory.c' object='suites/libstrongswan_tests-test_crypto_factory.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_crypter.o `test -f 'suites/test_crypter.c' || echo '$(srcdir)/'`suites/test_crypter.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_crypto_factory.o `test -f 'suites/test_crypto_factory.c' || echo '$(srcdir)/'`suites/test_crypto_factory.c -suites/tests-test_crypter.obj: suites/test_crypter.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_crypter.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_crypter.Tpo -c -o suites/tests-test_crypter.obj `if test -f 'suites/test_crypter.c'; then $(CYGPATH_W) 'suites/test_crypter.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypter.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_crypter.Tpo suites/$(DEPDIR)/tests-test_crypter.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypter.c' object='suites/tests-test_crypter.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_crypto_factory.obj: suites/test_crypto_factory.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_crypto_factory.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Tpo -c -o suites/libstrongswan_tests-test_crypto_factory.obj `if test -f 'suites/test_crypto_factory.c'; then $(CYGPATH_W) 'suites/test_crypto_factory.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypto_factory.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypto_factory.c' object='suites/libstrongswan_tests-test_crypto_factory.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_crypter.obj `if test -f 'suites/test_crypter.c'; then $(CYGPATH_W) 'suites/test_crypter.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypter.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_crypto_factory.obj `if test -f 'suites/test_crypto_factory.c'; then $(CYGPATH_W) 'suites/test_crypto_factory.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypto_factory.c'; fi` -suites/tests-test_crypto_factory.o: suites/test_crypto_factory.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_crypto_factory.o -MD -MP -MF suites/$(DEPDIR)/tests-test_crypto_factory.Tpo -c -o suites/tests-test_crypto_factory.o `test -f 'suites/test_crypto_factory.c' || echo '$(srcdir)/'`suites/test_crypto_factory.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_crypto_factory.Tpo suites/$(DEPDIR)/tests-test_crypto_factory.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypto_factory.c' object='suites/tests-test_crypto_factory.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_iv_gen.o: suites/test_iv_gen.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_iv_gen.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_iv_gen.Tpo -c -o suites/libstrongswan_tests-test_iv_gen.o `test -f 'suites/test_iv_gen.c' || echo '$(srcdir)/'`suites/test_iv_gen.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_iv_gen.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_iv_gen.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_iv_gen.c' object='suites/libstrongswan_tests-test_iv_gen.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_crypto_factory.o `test -f 'suites/test_crypto_factory.c' || echo '$(srcdir)/'`suites/test_crypto_factory.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_iv_gen.o `test -f 'suites/test_iv_gen.c' || echo '$(srcdir)/'`suites/test_iv_gen.c -suites/tests-test_crypto_factory.obj: suites/test_crypto_factory.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_crypto_factory.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_crypto_factory.Tpo -c -o suites/tests-test_crypto_factory.obj `if test -f 'suites/test_crypto_factory.c'; then $(CYGPATH_W) 'suites/test_crypto_factory.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypto_factory.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_crypto_factory.Tpo suites/$(DEPDIR)/tests-test_crypto_factory.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypto_factory.c' object='suites/tests-test_crypto_factory.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_iv_gen.obj: suites/test_iv_gen.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_iv_gen.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_iv_gen.Tpo -c -o suites/libstrongswan_tests-test_iv_gen.obj `if test -f 'suites/test_iv_gen.c'; then $(CYGPATH_W) 'suites/test_iv_gen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_iv_gen.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_iv_gen.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_iv_gen.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_iv_gen.c' object='suites/libstrongswan_tests-test_iv_gen.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_crypto_factory.obj `if test -f 'suites/test_crypto_factory.c'; then $(CYGPATH_W) 'suites/test_crypto_factory.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypto_factory.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_iv_gen.obj `if test -f 'suites/test_iv_gen.c'; then $(CYGPATH_W) 'suites/test_iv_gen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_iv_gen.c'; fi` -suites/tests-test_iv_gen.o: suites/test_iv_gen.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_iv_gen.o -MD -MP -MF suites/$(DEPDIR)/tests-test_iv_gen.Tpo -c -o suites/tests-test_iv_gen.o `test -f 'suites/test_iv_gen.c' || echo '$(srcdir)/'`suites/test_iv_gen.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_iv_gen.Tpo suites/$(DEPDIR)/tests-test_iv_gen.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_iv_gen.c' object='suites/tests-test_iv_gen.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_pen.o: suites/test_pen.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_pen.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_pen.Tpo -c -o suites/libstrongswan_tests-test_pen.o `test -f 'suites/test_pen.c' || echo '$(srcdir)/'`suites/test_pen.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_pen.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_pen.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_pen.c' object='suites/libstrongswan_tests-test_pen.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_iv_gen.o `test -f 'suites/test_iv_gen.c' || echo '$(srcdir)/'`suites/test_iv_gen.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_pen.o `test -f 'suites/test_pen.c' || echo '$(srcdir)/'`suites/test_pen.c -suites/tests-test_iv_gen.obj: suites/test_iv_gen.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_iv_gen.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_iv_gen.Tpo -c -o suites/tests-test_iv_gen.obj `if test -f 'suites/test_iv_gen.c'; then $(CYGPATH_W) 'suites/test_iv_gen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_iv_gen.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_iv_gen.Tpo suites/$(DEPDIR)/tests-test_iv_gen.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_iv_gen.c' object='suites/tests-test_iv_gen.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_pen.obj: suites/test_pen.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_pen.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_pen.Tpo -c -o suites/libstrongswan_tests-test_pen.obj `if test -f 'suites/test_pen.c'; then $(CYGPATH_W) 'suites/test_pen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_pen.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_pen.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_pen.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_pen.c' object='suites/libstrongswan_tests-test_pen.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_iv_gen.obj `if test -f 'suites/test_iv_gen.c'; then $(CYGPATH_W) 'suites/test_iv_gen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_iv_gen.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_pen.obj `if test -f 'suites/test_pen.c'; then $(CYGPATH_W) 'suites/test_pen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_pen.c'; fi` -suites/tests-test_pen.o: suites/test_pen.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_pen.o -MD -MP -MF suites/$(DEPDIR)/tests-test_pen.Tpo -c -o suites/tests-test_pen.o `test -f 'suites/test_pen.c' || echo '$(srcdir)/'`suites/test_pen.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_pen.Tpo suites/$(DEPDIR)/tests-test_pen.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_pen.c' object='suites/tests-test_pen.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_asn1.o: suites/test_asn1.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_asn1.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_asn1.Tpo -c -o suites/libstrongswan_tests-test_asn1.o `test -f 'suites/test_asn1.c' || echo '$(srcdir)/'`suites/test_asn1.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_asn1.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_asn1.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1.c' object='suites/libstrongswan_tests-test_asn1.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_pen.o `test -f 'suites/test_pen.c' || echo '$(srcdir)/'`suites/test_pen.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_asn1.o `test -f 'suites/test_asn1.c' || echo '$(srcdir)/'`suites/test_asn1.c -suites/tests-test_pen.obj: suites/test_pen.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_pen.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_pen.Tpo -c -o suites/tests-test_pen.obj `if test -f 'suites/test_pen.c'; then $(CYGPATH_W) 'suites/test_pen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_pen.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_pen.Tpo suites/$(DEPDIR)/tests-test_pen.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_pen.c' object='suites/tests-test_pen.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_asn1.obj: suites/test_asn1.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_asn1.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_asn1.Tpo -c -o suites/libstrongswan_tests-test_asn1.obj `if test -f 'suites/test_asn1.c'; then $(CYGPATH_W) 'suites/test_asn1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_asn1.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_asn1.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1.c' object='suites/libstrongswan_tests-test_asn1.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_pen.obj `if test -f 'suites/test_pen.c'; then $(CYGPATH_W) 'suites/test_pen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_pen.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_asn1.obj `if test -f 'suites/test_asn1.c'; then $(CYGPATH_W) 'suites/test_asn1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1.c'; fi` -suites/tests-test_asn1.o: suites/test_asn1.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_asn1.o -MD -MP -MF suites/$(DEPDIR)/tests-test_asn1.Tpo -c -o suites/tests-test_asn1.o `test -f 'suites/test_asn1.c' || echo '$(srcdir)/'`suites/test_asn1.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_asn1.Tpo suites/$(DEPDIR)/tests-test_asn1.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1.c' object='suites/tests-test_asn1.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_asn1_parser.o: suites/test_asn1_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_asn1_parser.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_asn1_parser.Tpo -c -o suites/libstrongswan_tests-test_asn1_parser.o `test -f 'suites/test_asn1_parser.c' || echo '$(srcdir)/'`suites/test_asn1_parser.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_asn1_parser.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_asn1_parser.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1_parser.c' object='suites/libstrongswan_tests-test_asn1_parser.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_asn1.o `test -f 'suites/test_asn1.c' || echo '$(srcdir)/'`suites/test_asn1.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_asn1_parser.o `test -f 'suites/test_asn1_parser.c' || echo '$(srcdir)/'`suites/test_asn1_parser.c -suites/tests-test_asn1.obj: suites/test_asn1.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_asn1.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_asn1.Tpo -c -o suites/tests-test_asn1.obj `if test -f 'suites/test_asn1.c'; then $(CYGPATH_W) 'suites/test_asn1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_asn1.Tpo suites/$(DEPDIR)/tests-test_asn1.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1.c' object='suites/tests-test_asn1.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_asn1_parser.obj: suites/test_asn1_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_asn1_parser.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_asn1_parser.Tpo -c -o suites/libstrongswan_tests-test_asn1_parser.obj `if test -f 'suites/test_asn1_parser.c'; then $(CYGPATH_W) 'suites/test_asn1_parser.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1_parser.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_asn1_parser.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_asn1_parser.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1_parser.c' object='suites/libstrongswan_tests-test_asn1_parser.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_asn1.obj `if test -f 'suites/test_asn1.c'; then $(CYGPATH_W) 'suites/test_asn1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_asn1_parser.obj `if test -f 'suites/test_asn1_parser.c'; then $(CYGPATH_W) 'suites/test_asn1_parser.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1_parser.c'; fi` -suites/tests-test_asn1_parser.o: suites/test_asn1_parser.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_asn1_parser.o -MD -MP -MF suites/$(DEPDIR)/tests-test_asn1_parser.Tpo -c -o suites/tests-test_asn1_parser.o `test -f 'suites/test_asn1_parser.c' || echo '$(srcdir)/'`suites/test_asn1_parser.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_asn1_parser.Tpo suites/$(DEPDIR)/tests-test_asn1_parser.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1_parser.c' object='suites/tests-test_asn1_parser.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_printf.o: suites/test_printf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_printf.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_printf.Tpo -c -o suites/libstrongswan_tests-test_printf.o `test -f 'suites/test_printf.c' || echo '$(srcdir)/'`suites/test_printf.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_printf.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_printf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_printf.c' object='suites/libstrongswan_tests-test_printf.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_asn1_parser.o `test -f 'suites/test_asn1_parser.c' || echo '$(srcdir)/'`suites/test_asn1_parser.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_printf.o `test -f 'suites/test_printf.c' || echo '$(srcdir)/'`suites/test_printf.c -suites/tests-test_asn1_parser.obj: suites/test_asn1_parser.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_asn1_parser.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_asn1_parser.Tpo -c -o suites/tests-test_asn1_parser.obj `if test -f 'suites/test_asn1_parser.c'; then $(CYGPATH_W) 'suites/test_asn1_parser.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1_parser.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_asn1_parser.Tpo suites/$(DEPDIR)/tests-test_asn1_parser.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1_parser.c' object='suites/tests-test_asn1_parser.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_printf.obj: suites/test_printf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_printf.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_printf.Tpo -c -o suites/libstrongswan_tests-test_printf.obj `if test -f 'suites/test_printf.c'; then $(CYGPATH_W) 'suites/test_printf.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_printf.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_printf.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_printf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_printf.c' object='suites/libstrongswan_tests-test_printf.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_asn1_parser.obj `if test -f 'suites/test_asn1_parser.c'; then $(CYGPATH_W) 'suites/test_asn1_parser.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1_parser.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_printf.obj `if test -f 'suites/test_printf.c'; then $(CYGPATH_W) 'suites/test_printf.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_printf.c'; fi` -suites/tests-test_printf.o: suites/test_printf.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_printf.o -MD -MP -MF suites/$(DEPDIR)/tests-test_printf.Tpo -c -o suites/tests-test_printf.o `test -f 'suites/test_printf.c' || echo '$(srcdir)/'`suites/test_printf.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_printf.Tpo suites/$(DEPDIR)/tests-test_printf.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_printf.c' object='suites/tests-test_printf.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_test_rng.o: suites/test_test_rng.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_test_rng.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_test_rng.Tpo -c -o suites/libstrongswan_tests-test_test_rng.o `test -f 'suites/test_test_rng.c' || echo '$(srcdir)/'`suites/test_test_rng.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_test_rng.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_test_rng.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_test_rng.c' object='suites/libstrongswan_tests-test_test_rng.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_printf.o `test -f 'suites/test_printf.c' || echo '$(srcdir)/'`suites/test_printf.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_test_rng.o `test -f 'suites/test_test_rng.c' || echo '$(srcdir)/'`suites/test_test_rng.c -suites/tests-test_printf.obj: suites/test_printf.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_printf.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_printf.Tpo -c -o suites/tests-test_printf.obj `if test -f 'suites/test_printf.c'; then $(CYGPATH_W) 'suites/test_printf.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_printf.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_printf.Tpo suites/$(DEPDIR)/tests-test_printf.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_printf.c' object='suites/tests-test_printf.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_test_rng.obj: suites/test_test_rng.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_test_rng.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_test_rng.Tpo -c -o suites/libstrongswan_tests-test_test_rng.obj `if test -f 'suites/test_test_rng.c'; then $(CYGPATH_W) 'suites/test_test_rng.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_test_rng.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_test_rng.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_test_rng.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_test_rng.c' object='suites/libstrongswan_tests-test_test_rng.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_printf.obj `if test -f 'suites/test_printf.c'; then $(CYGPATH_W) 'suites/test_printf.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_printf.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_test_rng.obj `if test -f 'suites/test_test_rng.c'; then $(CYGPATH_W) 'suites/test_test_rng.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_test_rng.c'; fi` -suites/tests-test_test_rng.o: suites/test_test_rng.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_test_rng.o -MD -MP -MF suites/$(DEPDIR)/tests-test_test_rng.Tpo -c -o suites/tests-test_test_rng.o `test -f 'suites/test_test_rng.c' || echo '$(srcdir)/'`suites/test_test_rng.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_test_rng.Tpo suites/$(DEPDIR)/tests-test_test_rng.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_test_rng.c' object='suites/tests-test_test_rng.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_mgf1.o: suites/test_mgf1.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_mgf1.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_mgf1.Tpo -c -o suites/libstrongswan_tests-test_mgf1.o `test -f 'suites/test_mgf1.c' || echo '$(srcdir)/'`suites/test_mgf1.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_mgf1.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_mgf1.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_mgf1.c' object='suites/libstrongswan_tests-test_mgf1.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_test_rng.o `test -f 'suites/test_test_rng.c' || echo '$(srcdir)/'`suites/test_test_rng.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_mgf1.o `test -f 'suites/test_mgf1.c' || echo '$(srcdir)/'`suites/test_mgf1.c -suites/tests-test_test_rng.obj: suites/test_test_rng.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_test_rng.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_test_rng.Tpo -c -o suites/tests-test_test_rng.obj `if test -f 'suites/test_test_rng.c'; then $(CYGPATH_W) 'suites/test_test_rng.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_test_rng.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_test_rng.Tpo suites/$(DEPDIR)/tests-test_test_rng.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_test_rng.c' object='suites/tests-test_test_rng.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_mgf1.obj: suites/test_mgf1.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_mgf1.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_mgf1.Tpo -c -o suites/libstrongswan_tests-test_mgf1.obj `if test -f 'suites/test_mgf1.c'; then $(CYGPATH_W) 'suites/test_mgf1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mgf1.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_mgf1.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_mgf1.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_mgf1.c' object='suites/libstrongswan_tests-test_mgf1.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_test_rng.obj `if test -f 'suites/test_test_rng.c'; then $(CYGPATH_W) 'suites/test_test_rng.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_test_rng.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_mgf1.obj `if test -f 'suites/test_mgf1.c'; then $(CYGPATH_W) 'suites/test_mgf1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mgf1.c'; fi` -suites/tests-test_mgf1.o: suites/test_mgf1.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_mgf1.o -MD -MP -MF suites/$(DEPDIR)/tests-test_mgf1.Tpo -c -o suites/tests-test_mgf1.o `test -f 'suites/test_mgf1.c' || echo '$(srcdir)/'`suites/test_mgf1.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_mgf1.Tpo suites/$(DEPDIR)/tests-test_mgf1.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_mgf1.c' object='suites/tests-test_mgf1.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_ntru.o: suites/test_ntru.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ntru.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ntru.Tpo -c -o suites/libstrongswan_tests-test_ntru.o `test -f 'suites/test_ntru.c' || echo '$(srcdir)/'`suites/test_ntru.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ntru.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_ntru.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ntru.c' object='suites/libstrongswan_tests-test_ntru.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_mgf1.o `test -f 'suites/test_mgf1.c' || echo '$(srcdir)/'`suites/test_mgf1.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ntru.o `test -f 'suites/test_ntru.c' || echo '$(srcdir)/'`suites/test_ntru.c -suites/tests-test_mgf1.obj: suites/test_mgf1.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_mgf1.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_mgf1.Tpo -c -o suites/tests-test_mgf1.obj `if test -f 'suites/test_mgf1.c'; then $(CYGPATH_W) 'suites/test_mgf1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mgf1.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_mgf1.Tpo suites/$(DEPDIR)/tests-test_mgf1.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_mgf1.c' object='suites/tests-test_mgf1.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_ntru.obj: suites/test_ntru.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ntru.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ntru.Tpo -c -o suites/libstrongswan_tests-test_ntru.obj `if test -f 'suites/test_ntru.c'; then $(CYGPATH_W) 'suites/test_ntru.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ntru.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ntru.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_ntru.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ntru.c' object='suites/libstrongswan_tests-test_ntru.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_mgf1.obj `if test -f 'suites/test_mgf1.c'; then $(CYGPATH_W) 'suites/test_mgf1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mgf1.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ntru.obj `if test -f 'suites/test_ntru.c'; then $(CYGPATH_W) 'suites/test_ntru.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ntru.c'; fi` -suites/tests-test_ntru.o: suites/test_ntru.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ntru.o -MD -MP -MF suites/$(DEPDIR)/tests-test_ntru.Tpo -c -o suites/tests-test_ntru.o `test -f 'suites/test_ntru.c' || echo '$(srcdir)/'`suites/test_ntru.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ntru.Tpo suites/$(DEPDIR)/tests-test_ntru.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ntru.c' object='suites/tests-test_ntru.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_ed25519.o: suites/test_ed25519.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ed25519.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ed25519.Tpo -c -o suites/libstrongswan_tests-test_ed25519.o `test -f 'suites/test_ed25519.c' || echo '$(srcdir)/'`suites/test_ed25519.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ed25519.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_ed25519.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ed25519.c' object='suites/libstrongswan_tests-test_ed25519.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ntru.o `test -f 'suites/test_ntru.c' || echo '$(srcdir)/'`suites/test_ntru.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ed25519.o `test -f 'suites/test_ed25519.c' || echo '$(srcdir)/'`suites/test_ed25519.c -suites/tests-test_ntru.obj: suites/test_ntru.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ntru.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_ntru.Tpo -c -o suites/tests-test_ntru.obj `if test -f 'suites/test_ntru.c'; then $(CYGPATH_W) 'suites/test_ntru.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ntru.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ntru.Tpo suites/$(DEPDIR)/tests-test_ntru.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ntru.c' object='suites/tests-test_ntru.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_ed25519.obj: suites/test_ed25519.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ed25519.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ed25519.Tpo -c -o suites/libstrongswan_tests-test_ed25519.obj `if test -f 'suites/test_ed25519.c'; then $(CYGPATH_W) 'suites/test_ed25519.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed25519.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ed25519.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_ed25519.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ed25519.c' object='suites/libstrongswan_tests-test_ed25519.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ntru.obj `if test -f 'suites/test_ntru.c'; then $(CYGPATH_W) 'suites/test_ntru.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ntru.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ed25519.obj `if test -f 'suites/test_ed25519.c'; then $(CYGPATH_W) 'suites/test_ed25519.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed25519.c'; fi` -suites/tests-test_ed25519.o: suites/test_ed25519.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ed25519.o -MD -MP -MF suites/$(DEPDIR)/tests-test_ed25519.Tpo -c -o suites/tests-test_ed25519.o `test -f 'suites/test_ed25519.c' || echo '$(srcdir)/'`suites/test_ed25519.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ed25519.Tpo suites/$(DEPDIR)/tests-test_ed25519.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ed25519.c' object='suites/tests-test_ed25519.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_signature_params.o: suites/test_signature_params.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_signature_params.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Tpo -c -o suites/libstrongswan_tests-test_signature_params.o `test -f 'suites/test_signature_params.c' || echo '$(srcdir)/'`suites/test_signature_params.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_signature_params.c' object='suites/libstrongswan_tests-test_signature_params.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ed25519.o `test -f 'suites/test_ed25519.c' || echo '$(srcdir)/'`suites/test_ed25519.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_signature_params.o `test -f 'suites/test_signature_params.c' || echo '$(srcdir)/'`suites/test_signature_params.c -suites/tests-test_ed25519.obj: suites/test_ed25519.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ed25519.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_ed25519.Tpo -c -o suites/tests-test_ed25519.obj `if test -f 'suites/test_ed25519.c'; then $(CYGPATH_W) 'suites/test_ed25519.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed25519.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ed25519.Tpo suites/$(DEPDIR)/tests-test_ed25519.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ed25519.c' object='suites/tests-test_ed25519.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_signature_params.obj: suites/test_signature_params.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_signature_params.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Tpo -c -o suites/libstrongswan_tests-test_signature_params.obj `if test -f 'suites/test_signature_params.c'; then $(CYGPATH_W) 'suites/test_signature_params.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_signature_params.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_signature_params.c' object='suites/libstrongswan_tests-test_signature_params.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ed25519.obj `if test -f 'suites/test_ed25519.c'; then $(CYGPATH_W) 'suites/test_ed25519.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed25519.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_signature_params.obj `if test -f 'suites/test_signature_params.c'; then $(CYGPATH_W) 'suites/test_signature_params.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_signature_params.c'; fi` mostlyclean-libtool: -rm -f *.lo diff --git a/src/libstrongswan/tests/suites/test_asn1.c b/src/libstrongswan/tests/suites/test_asn1.c index fa02df9ca..d7fb7c2a9 100644 --- a/src/libstrongswan/tests/suites/test_asn1.c +++ b/src/libstrongswan/tests/suites/test_asn1.c @@ -758,13 +758,10 @@ END_TEST START_TEST(test_asn1_parse_integer_uint64) { - typedef struct { + struct { uint64_t n; chunk_t chunk; - } testdata_t; - - - testdata_t test[] = { + } test[] = { { 67305985ULL, chunk_from_chars( 0x04, 0x03, 0x02, 0x01) }, { 578437695752307201ULL, chunk_from_chars( @@ -782,6 +779,37 @@ START_TEST(test_asn1_parse_integer_uint64) } END_TEST +/******************************************************************************* + * integer_from_uint64 + */ + +START_TEST(test_asn1_integer_from_uint64) +{ + struct { + uint64_t n; + chunk_t chunk; + } test[] = { + { 0ULL, chunk_from_chars(0x00) }, + { 255ULL, chunk_from_chars(0xff) }, + { 256ULL, chunk_from_chars(0x01, 0x00) }, + { 67305985ULL, chunk_from_chars(0x04, 0x03, 0x02, 0x01) }, + { 578437695752307201ULL, chunk_from_chars( + 0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01) }, + { 18446744073709551615ULL, chunk_from_chars( + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff) }, + }; + chunk_t asn; + int i; + + for (i = 0; i < countof(test); i++) + { + asn = asn1_integer_from_uint64(test[i].n); + ck_assert_chunk_eq(test[i].chunk, asn); + chunk_free(&asn); + } +} +END_TEST + Suite *asn1_suite_create() { Suite *s; @@ -861,8 +889,9 @@ Suite *asn1_suite_create() tcase_add_test(tc, test_asn1_integer); suite_add_tcase(s, tc); - tc = tcase_create("parse_integer_uint64"); + tc = tcase_create("integer_uint64"); tcase_add_test(tc, test_asn1_parse_integer_uint64); + tcase_add_test(tc, test_asn1_integer_from_uint64); suite_add_tcase(s, tc); return s; diff --git a/src/libstrongswan/tests/suites/test_auth_cfg.c b/src/libstrongswan/tests/suites/test_auth_cfg.c index 139b73021..d0fa8a045 100644 --- a/src/libstrongswan/tests/suites/test_auth_cfg.c +++ b/src/libstrongswan/tests/suites/test_auth_cfg.c @@ -45,7 +45,7 @@ static void check_sig_constraints(auth_cfg_t *cfg, auth_rule_t type, { enumerator_t *enumerator; auth_rule_t t; - void *value; + signature_params_t *value; int i = 0; enumerator = cfg->create_enumerator(cfg); @@ -54,7 +54,7 @@ static void check_sig_constraints(auth_cfg_t *cfg, auth_rule_t type, if (t == type) { ck_assert(expected[i]); - ck_assert_int_eq(expected[i], (signature_scheme_t)value); + ck_assert_int_eq(expected[i], value->scheme); i++; } } @@ -106,6 +106,102 @@ START_TEST(test_ike_contraints_fallback) } END_TEST +typedef union { + rsa_pss_params_t pss; +} signature_param_types_t; + +struct { + char *constraints; + signature_scheme_t sig[5]; + signature_param_types_t p[5]; +} sig_constraints_params_tests[] = { + { "rsa/pss-sha256", { SIGN_RSA_EMSA_PSS, 0 }, { + { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}}, + { "rsa/pss-sha256-sha384", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PSS, 0 }, { + { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}, + { .pss = { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA384, .salt_len = HASH_SIZE_SHA384, }}}}, + { "rsa/pss-sha256-rsa-sha256", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, { + { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}}, + { "rsa-sha256-rsa/pss-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PSS, 0 }, { + {}, + { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}}, + { "rsa/pss", { 0 }, {}}, +}; + +static void check_sig_constraints_params(auth_cfg_t *cfg, auth_rule_t type, + signature_scheme_t scheme[], + signature_param_types_t p[]) +{ + enumerator_t *enumerator; + auth_rule_t t; + signature_params_t *value; + int i = 0; + + enumerator = cfg->create_enumerator(cfg); + while (enumerator->enumerate(enumerator, &t, &value)) + { + if (t == type) + { + if (scheme[i] == SIGN_RSA_EMSA_PSS) + { + signature_params_t expected = { + .scheme = scheme[i], + .params = &p[i].pss, + }; + ck_assert(signature_params_equal(value, &expected)); + } + else + { + ck_assert(scheme[i]); + ck_assert(!value->params); + ck_assert_int_eq(scheme[i], value->scheme); + } + i++; + } + } + enumerator->destroy(enumerator); + ck_assert(!scheme[i]); +} + +START_TEST(test_sig_contraints_params) +{ + auth_cfg_t *cfg; + + cfg = auth_cfg_create(); + cfg->add_pubkey_constraints(cfg, sig_constraints_params_tests[_i].constraints, TRUE); + check_sig_constraints_params(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, + sig_constraints_params_tests[_i].sig, + sig_constraints_params_tests[_i].p); + cfg->destroy(cfg); +} +END_TEST + +struct { + char *constraints; + signature_scheme_t sig[6]; + signature_param_types_t p[6]; +} sig_constraints_rsa_pss_tests[] = { + { "pubkey-sha256", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }, { + { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}, {}, {}, {}, {}}}, + { "rsa-sha256", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, { + { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}, {}}}, +}; + +START_TEST(test_sig_contraints_rsa_pss) +{ + auth_cfg_t *cfg; + + lib->settings->set_bool(lib->settings, "%s.rsa_pss", TRUE, lib->ns); + + cfg = auth_cfg_create(); + cfg->add_pubkey_constraints(cfg, sig_constraints_rsa_pss_tests[_i].constraints, TRUE); + check_sig_constraints_params(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, + sig_constraints_rsa_pss_tests[_i].sig, + sig_constraints_rsa_pss_tests[_i].p); + cfg->destroy(cfg); +} +END_TEST + Suite *auth_cfg_suite_create() { Suite *s; @@ -118,5 +214,10 @@ Suite *auth_cfg_suite_create() tcase_add_loop_test(tc, test_ike_contraints_fallback, 0, countof(sig_constraints_tests)); suite_add_tcase(s, tc); + tc = tcase_create("add_pubkey_constraints parameters"); + tcase_add_loop_test(tc, test_sig_contraints_params, 0, countof(sig_constraints_params_tests)); + tcase_add_loop_test(tc, test_sig_contraints_rsa_pss, 0, countof(sig_constraints_rsa_pss_tests)); + suite_add_tcase(s, tc); + return s; } diff --git a/src/libstrongswan/tests/suites/test_ecdsa.c b/src/libstrongswan/tests/suites/test_ecdsa.c index 3c842996d..6edae81ae 100644 --- a/src/libstrongswan/tests/suites/test_ecdsa.c +++ b/src/libstrongswan/tests/suites/test_ecdsa.c @@ -57,9 +57,9 @@ static void test_good_sig(private_key_t *privkey, public_key_t *pubkey) { continue; } - fail_unless(privkey->sign(privkey, schemes[i].scheme, data, &sig), + fail_unless(privkey->sign(privkey, schemes[i].scheme, NULL, data, &sig), "sign %N", signature_scheme_names, schemes[i].scheme); - fail_unless(pubkey->verify(pubkey, schemes[i].scheme, data, sig), + fail_unless(pubkey->verify(pubkey, schemes[i].scheme, NULL, data, sig), "verify %N", signature_scheme_names, schemes[i].scheme); free(sig.ptr); } @@ -121,7 +121,8 @@ static void test_bad_sigs(public_key_t *pubkey) for (i = 0; i < countof(invalid_sigs); i++) { fail_if( - pubkey->verify(pubkey, schemes[s].scheme, data, invalid_sigs[i]), + pubkey->verify(pubkey, schemes[s].scheme, NULL, data, + invalid_sigs[i]), "bad %N sig accepted %B", signature_scheme_names, schemes[s].scheme, &invalid_sigs[i]); diff --git a/src/libstrongswan/tests/suites/test_ed25519.c b/src/libstrongswan/tests/suites/test_ed25519.c index 00842628d..86cbb1bc0 100644 --- a/src/libstrongswan/tests/suites/test_ed25519.c +++ b/src/libstrongswan/tests/suites/test_ed25519.c @@ -297,13 +297,13 @@ START_TEST(test_ed25519_sign) ck_assert(public->equals(public, pubkey)); /* sign */ - ck_assert(key->sign(key, SIGN_ED25519, sig_tests[_i].msg, &sig)); + ck_assert(key->sign(key, SIGN_ED25519, NULL, sig_tests[_i].msg, &sig)); ck_assert(sig.len == 64); ck_assert(chunk_equals(sig, sig_tests[_i].sig)); /* verify */ - ck_assert(pubkey->verify(pubkey, SIGN_ED25519, sig_tests[_i].msg, - sig_tests[_i].sig)); + ck_assert(pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[_i].msg, + sig_tests[_i].sig)); /* cleanup */ key->destroy(key); @@ -340,10 +340,10 @@ START_TEST(test_ed25519_gen) ck_assert(!key->decrypt(key, ENCRYPT_UNKNOWN, msg, NULL)); /* wrong signature scheme */ - ck_assert(!key->sign(key, SIGN_ED448, msg, &sig)); + ck_assert(!key->sign(key, SIGN_ED448, NULL, msg, &sig)); /* correct signature scheme*/ - ck_assert(key->sign(key, SIGN_ED25519, msg, &sig)); + ck_assert(key->sign(key, SIGN_ED25519, NULL, msg, &sig)); /* export public key */ pubkey = key->get_public_key(key); @@ -375,10 +375,10 @@ START_TEST(test_ed25519_gen) ck_assert(!pubkey->encrypt(pubkey, ENCRYPT_UNKNOWN, msg, NULL)); /* verify with wrong signature scheme */ - ck_assert(!pubkey->verify(pubkey, SIGN_ED448, msg, sig)); + ck_assert(!pubkey->verify(pubkey, SIGN_ED448, NULL, msg, sig)); /* verify with correct signature scheme */ - ck_assert(pubkey->verify(pubkey, SIGN_ED25519, msg, sig)); + ck_assert(pubkey->verify(pubkey, SIGN_ED25519, NULL, msg, sig)); /* cleanup */ key->destroy(key); @@ -404,10 +404,10 @@ START_TEST(test_ed25519_speed) key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED25519, BUILD_KEY_SIZE, 256, BUILD_END); ck_assert(key != NULL); - ck_assert(key->sign(key, SIGN_ED25519, msg, &sig)); + ck_assert(key->sign(key, SIGN_ED25519, NULL, msg, &sig)); pubkey = key->get_public_key(key); ck_assert(pubkey != NULL); - ck_assert(pubkey->verify(pubkey, SIGN_ED25519, msg, sig)); + ck_assert(pubkey->verify(pubkey, SIGN_ED25519, NULL, msg, sig)); key->destroy(key); pubkey->destroy(pubkey); chunk_free(&sig); @@ -476,25 +476,29 @@ START_TEST(test_ed25519_fail) BUILD_BLOB_ASN1_DER, sig_tests[0].pubkey, BUILD_END); ck_assert(pubkey != NULL); - ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, chunk_empty, chunk_empty)); + ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, chunk_empty, + chunk_empty)); /* malformed signature */ sig = chunk_create(sig1, 64); memcpy(sig1, sig_tests[0].sig.ptr, 64); sig1[63] |= 0xe0; - ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, sig_tests[0].msg, sig)); + ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg, + sig)); /* wrong signature */ memcpy(sig1, sig_tests[0].sig.ptr, 64); sig1[0] = 0xe4; - ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, sig_tests[0].msg, sig)); + ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg, + sig)); /* detect all-zeroes public key */ pubkey->destroy(pubkey); pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519, BUILD_BLOB_ASN1_DER, zero_pk, BUILD_END); ck_assert(pubkey != NULL); - ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, sig_tests[0].msg, sig)); + ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg, + sig)); pubkey->destroy(pubkey); } END_TEST diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c index 6a83fe777..7bf527329 100644 --- a/src/libstrongswan/tests/suites/test_hasher.c +++ b/src/libstrongswan/tests/suites/test_hasher.c @@ -90,12 +90,10 @@ START_TEST(test_hasher_sig_to_oid) } END_TEST -typedef struct { +static struct { signature_scheme_t scheme; hash_algorithm_t alg; -}hasher_sig_scheme_t; - -static hasher_sig_scheme_t sig_schemes[] = { +} sig_schemes[] = { { SIGN_UNKNOWN, HASH_UNKNOWN }, { SIGN_RSA_EMSA_PKCS1_NULL, HASH_UNKNOWN }, { SIGN_RSA_EMSA_PKCS1_MD5, HASH_MD5 }, @@ -108,6 +106,7 @@ static hasher_sig_scheme_t sig_schemes[] = { { SIGN_RSA_EMSA_PKCS1_SHA3_256, HASH_SHA3_256 }, { SIGN_RSA_EMSA_PKCS1_SHA3_384, HASH_SHA3_384 }, { SIGN_RSA_EMSA_PKCS1_SHA3_512, HASH_SHA3_512 }, + { SIGN_RSA_EMSA_PSS, HASH_UNKNOWN }, { SIGN_ECDSA_WITH_SHA1_DER, HASH_SHA1 }, { SIGN_ECDSA_WITH_SHA256_DER, HASH_SHA256 }, { SIGN_ECDSA_WITH_SHA384_DER, HASH_SHA384 }, @@ -124,16 +123,35 @@ static hasher_sig_scheme_t sig_schemes[] = { { SIGN_BLISS_WITH_SHA3_512, HASH_SHA3_512 }, { SIGN_ED25519, HASH_IDENTITY }, { SIGN_ED448, HASH_IDENTITY }, - { 30, HASH_UNKNOWN } + { 30, HASH_UNKNOWN }, }; START_TEST(test_hasher_from_sig_scheme) { - ck_assert(hasher_from_signature_scheme(sig_schemes[_i].scheme) == + ck_assert(hasher_from_signature_scheme(sig_schemes[_i].scheme, NULL) == sig_schemes[_i].alg); } END_TEST +static struct { + signature_scheme_t scheme; + union { + rsa_pss_params_t pss; + } p; + hash_algorithm_t alg; +} sig_schemes_params[] = { + { SIGN_RSA_EMSA_PSS, .p.pss = { .hash = HASH_SHA256 }, HASH_SHA256 }, + { SIGN_RSA_EMSA_PSS, .p.pss = { .hash = HASH_SHA512 }, HASH_SHA512 }, + { SIGN_RSA_EMSA_PKCS1_SHA2_256, .p.pss = { .hash = HASH_SHA512 }, HASH_SHA256 }, +}; + +START_TEST(test_hasher_from_sig_scheme_params) +{ + ck_assert(hasher_from_signature_scheme(sig_schemes_params[_i].scheme, + &sig_schemes_params[_i].p) == sig_schemes_params[_i].alg); +} +END_TEST + typedef struct { pseudo_random_function_t prf; hash_algorithm_t alg; @@ -201,9 +219,9 @@ START_TEST(test_hasher_from_integrity) size_t length; length = 0; - ck_assert(hasher_algorithm_from_integrity(auths[_i].auth, NULL) == + ck_assert(hasher_algorithm_from_integrity(auths[_i].auth, NULL) == auths[_i].alg); - ck_assert(hasher_algorithm_from_integrity(auths[_i].auth, &length) == + ck_assert(hasher_algorithm_from_integrity(auths[_i].auth, &length) == auths[_i].alg); ck_assert(length == auths[_i].length); } @@ -226,7 +244,7 @@ typedef struct { static hasher_ikev2_t ikev2[] = { { HASH_IDENTITY, TRUE }, - { HASH_SHA1, TRUE }, + { HASH_SHA1, FALSE }, { HASH_SHA256, TRUE }, { HASH_SHA384, TRUE }, { HASH_SHA512, TRUE }, @@ -269,6 +287,7 @@ Suite *hasher_suite_create() tc = tcase_create("from_sig_scheme"); tcase_add_loop_test(tc, test_hasher_from_sig_scheme, 0, countof(sig_schemes)); + tcase_add_loop_test(tc, test_hasher_from_sig_scheme_params, 0, countof(sig_schemes_params)); suite_add_tcase(s, tc); tc = tcase_create("from_prf"); diff --git a/src/libstrongswan/tests/suites/test_rsa.c b/src/libstrongswan/tests/suites/test_rsa.c index 41e783521..3f6353404 100644 --- a/src/libstrongswan/tests/suites/test_rsa.c +++ b/src/libstrongswan/tests/suites/test_rsa.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2013 Martin Willi * Copyright (C) 2013 revosec AG * @@ -16,6 +19,7 @@ #include "test_suite.h" #include <plugins/plugin_feature.h> +#include <credentials/keys/signature_params.h> /** * Signature schemes to test @@ -28,6 +32,15 @@ static signature_scheme_t schemes[] = { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PKCS1_SHA2_384, SIGN_RSA_EMSA_PKCS1_SHA2_512, + SIGN_RSA_EMSA_PSS, +}; +/** + * Default parameters for RSA PSS signatures + */ +static rsa_pss_params_t default_pss_params = { + .hash = HASH_SHA256, + .mgf1_hash = HASH_SHA256, + .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }; /** @@ -40,16 +53,24 @@ static void test_good_sig(private_key_t *privkey, public_key_t *pubkey) for (i = 0; i < countof(schemes); i++) { + rsa_pss_params_t *params = NULL; + if (!lib->plugins->has_feature(lib->plugins, PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i])) || !lib->plugins->has_feature(lib->plugins, PLUGIN_PROVIDE(PRIVKEY_SIGN, schemes[i]))) { + warn("%N not supported, skip scheme", signature_scheme_names, + schemes[i]); continue; } - fail_unless(privkey->sign(privkey, schemes[i], data, &sig), + if (schemes[i] == SIGN_RSA_EMSA_PSS) + { + params = &default_pss_params; + } + fail_unless(privkey->sign(privkey, schemes[i], params, data, &sig), "sign %N", signature_scheme_names, schemes[i]); - fail_unless(pubkey->verify(pubkey, schemes[i], data, sig), + fail_unless(pubkey->verify(pubkey, schemes[i], params, data, sig), "verify %N", signature_scheme_names, schemes[i]); free(sig.ptr); } @@ -98,15 +119,23 @@ static void test_bad_sigs(public_key_t *pubkey) for (s = 0; s < countof(schemes); s++) { - if (!lib->plugins->has_feature(lib->plugins, - PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[s]))) - { - continue; - } + rsa_pss_params_t *params = NULL; + + if (!lib->plugins->has_feature(lib->plugins, + PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[s]))) + { + warn("%N not supported, skip scheme", signature_scheme_names, + schemes[s]); + continue; + } + if (schemes[s] == SIGN_RSA_EMSA_PSS) + { + params = &default_pss_params; + } for (i = 0; i < countof(invalid_sigs); i++) { fail_if( - pubkey->verify(pubkey, schemes[s], data, invalid_sigs[i]), + pubkey->verify(pubkey, schemes[s], params, data, invalid_sigs[i]), "bad %N sig accepted %B", signature_scheme_names, schemes[s], &invalid_sigs[i]); } @@ -373,6 +402,4770 @@ START_TEST(test_load) } END_TEST +/** + * Keys for the FIPS 186-4 SigGen PKCS#1 Ver1.5 test vectors + */ +static private_key_t *privkey_2048, *privkey_3072; +static public_key_t *pubkey_2048, *pubkey_3072; + +static void create_key(chunk_t n, chunk_t e, chunk_t d, private_key_t **privkey, + public_key_t **pubkey) +{ + *privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, + BUILD_RSA_PRIV_EXP, d, BUILD_END); + ck_assert(*privkey != NULL); + *pubkey = (*privkey)->get_public_key(*privkey); + ck_assert(*pubkey != NULL); +} + +START_SETUP(setup_keys) +{ + create_key(chunk_from_chars( + 0xce,0xa8,0x04,0x75,0x32,0x4c,0x1d,0xc8,0x34,0x78,0x27,0x81,0x8d,0xa5,0x8b,0xac, + 0x06,0x9d,0x34,0x19,0xc6,0x14,0xa6,0xea,0x1a,0xc6,0xa3,0xb5,0x10,0xdc,0xd7,0x2c, + 0xc5,0x16,0x95,0x49,0x05,0xe9,0xfe,0xf9,0x08,0xd4,0x5e,0x13,0x00,0x6a,0xdf,0x27, + 0xd4,0x67,0xa7,0xd8,0x3c,0x11,0x1d,0x1a,0x5d,0xf1,0x5e,0xf2,0x93,0x77,0x1a,0xef, + 0xb9,0x20,0x03,0x2a,0x5b,0xb9,0x89,0xf8,0xe4,0xf5,0xe1,0xb0,0x50,0x93,0xd3,0xf1, + 0x30,0xf9,0x84,0xc0,0x7a,0x77,0x2a,0x36,0x83,0xf4,0xdc,0x6f,0xb2,0x8a,0x96,0x81, + 0x5b,0x32,0x12,0x3c,0xcd,0xd1,0x39,0x54,0xf1,0x9d,0x5b,0x8b,0x24,0xa1,0x03,0xe7, + 0x71,0xa3,0x4c,0x32,0x87,0x55,0xc6,0x5e,0xd6,0x4e,0x19,0x24,0xff,0xd0,0x4d,0x30, + 0xb2,0x14,0x2c,0xc2,0x62,0xf6,0xe0,0x04,0x8f,0xef,0x6d,0xbc,0x65,0x2f,0x21,0x47, + 0x9e,0xa1,0xc4,0xb1,0xd6,0x6d,0x28,0xf4,0xd4,0x6e,0xf7,0x18,0x5e,0x39,0x0c,0xbf, + 0xa2,0xe0,0x23,0x80,0x58,0x2f,0x31,0x88,0xbb,0x94,0xeb,0xbf,0x05,0xd3,0x14,0x87, + 0xa0,0x9a,0xff,0x01,0xfc,0xbb,0x4c,0xd4,0xbf,0xd1,0xf0,0xa8,0x33,0xb3,0x8c,0x11, + 0x81,0x3c,0x84,0x36,0x0b,0xb5,0x3c,0x7d,0x44,0x81,0x03,0x1c,0x40,0xba,0xd8,0x71, + 0x3b,0xb6,0xb8,0x35,0xcb,0x08,0x09,0x8e,0xd1,0x5b,0xa3,0x1e,0xe4,0xba,0x72,0x8a, + 0x8c,0x8e,0x10,0xf7,0x29,0x4e,0x1b,0x41,0x63,0xb7,0xae,0xe5,0x72,0x77,0xbf,0xd8, + 0x81,0xa6,0xf9,0xd4,0x3e,0x02,0xc6,0x92,0x5a,0xa3,0xa0,0x43,0xfb,0x7f,0xb7,0x8d), + chunk_from_chars( + 0x26,0x04,0x45), + chunk_from_chars( + 0x09,0x97,0x63,0x4c,0x47,0x7c,0x1a,0x03,0x9d,0x44,0xc8,0x10,0xb2,0xaa,0xa3,0xc7, + 0x86,0x2b,0x0b,0x88,0xd3,0x70,0x82,0x72,0xe1,0xe1,0x5f,0x66,0xfc,0x93,0x89,0x70, + 0x9f,0x8a,0x11,0xf3,0xea,0x6a,0x5a,0xf7,0xef,0xfa,0x2d,0x01,0xc1,0x89,0xc5,0x0f, + 0x0d,0x5b,0xcb,0xe3,0xfa,0x27,0x2e,0x56,0xcf,0xc4,0xa4,0xe1,0xd3,0x88,0xa9,0xdc, + 0xd6,0x5d,0xf8,0x62,0x89,0x02,0x55,0x6c,0x8b,0x6b,0xb6,0xa6,0x41,0x70,0x9b,0x5a, + 0x35,0xdd,0x26,0x22,0xc7,0x3d,0x46,0x40,0xbf,0xa1,0x35,0x9d,0x0e,0x76,0xe1,0xf2, + 0x19,0xf8,0xe3,0x3e,0xb9,0xbd,0x0b,0x59,0xec,0x19,0x8e,0xb2,0xfc,0xca,0xae,0x03, + 0x46,0xbd,0x8b,0x40,0x1e,0x12,0xe3,0xc6,0x7c,0xb6,0x29,0x56,0x9c,0x18,0x5a,0x2e, + 0x0f,0x35,0xa2,0xf7,0x41,0x64,0x4c,0x1c,0xca,0x5e,0xbb,0x13,0x9d,0x77,0xa8,0x9a, + 0x29,0x53,0xfc,0x5e,0x30,0x04,0x8c,0x0e,0x61,0x9f,0x07,0xc8,0xd2,0x1d,0x1e,0x56, + 0xb8,0xaf,0x07,0x19,0x3d,0x0f,0xdf,0x3f,0x49,0xcd,0x49,0xf2,0xef,0x31,0x38,0xb5, + 0x13,0x88,0x62,0xf1,0x47,0x0b,0xd2,0xd1,0x6e,0x34,0xa2,0xb9,0xe7,0x77,0x7a,0x6c, + 0x8c,0x8d,0x4c,0xb9,0x4b,0x4e,0x8b,0x5d,0x61,0x6c,0xd5,0x39,0x37,0x53,0xe7,0xb0, + 0xf3,0x1c,0xc7,0xda,0x55,0x9b,0xa8,0xe9,0x8d,0x88,0x89,0x14,0xe3,0x34,0x77,0x3b, + 0xaf,0x49,0x8a,0xd8,0x8d,0x96,0x31,0xeb,0x5f,0xe3,0x2e,0x53,0xa4,0x14,0x5b,0xf0, + 0xba,0x54,0x8b,0xf2,0xb0,0xa5,0x0c,0x63,0xf6,0x7b,0x14,0xe3,0x98,0xa3,0x4b,0x0d), + &privkey_2048, &pubkey_2048); + + create_key(chunk_from_chars( + 0xdc,0xa9,0x83,0x04,0xb7,0x29,0xe8,0x19,0xb3,0x40,0xe2,0x6c,0xec,0xb7,0x30,0xae, + 0xcb,0xd8,0x93,0x0e,0x33,0x4c,0x73,0x14,0x93,0xb1,0x80,0xde,0x97,0x0e,0x6d,0x3b, + 0xc5,0x79,0xf8,0x6c,0x8d,0x5d,0x03,0x2f,0x8c,0xd3,0x3c,0x43,0x97,0xee,0x7f,0xfd, + 0x01,0x9d,0x51,0xb0,0xa7,0xdb,0xe4,0xf5,0x25,0x05,0xa1,0xa3,0x4a,0xe3,0x5d,0x23, + 0xcf,0xaa,0xf5,0x94,0x41,0x9d,0x50,0x9f,0x46,0x9b,0x13,0x69,0x58,0x9f,0x9c,0x86, + 0x16,0xa7,0xd6,0x98,0x51,0x3b,0xc1,0xd4,0x23,0xd7,0x00,0x70,0xd3,0xd7,0x2b,0x99, + 0x6c,0x23,0xab,0xe6,0x8b,0x22,0xcc,0xc3,0x9a,0xab,0xd1,0x65,0x07,0x12,0x40,0x42, + 0xc8,0x8d,0x4d,0xa6,0xa7,0x45,0x12,0x88,0xec,0x87,0xc9,0x24,0x4b,0xe2,0x26,0xaa, + 0xc0,0x2d,0x18,0x17,0x68,0x2f,0x80,0xcc,0x34,0xc6,0xea,0xf3,0x7e,0xc8,0x4d,0x24, + 0x7a,0xae,0xde,0xbb,0x56,0xc3,0xbb,0xca,0xff,0xb5,0xcf,0x42,0xf6,0x1f,0xe1,0xb7, + 0xf3,0xfc,0x89,0x74,0x8e,0x21,0x39,0x73,0xbf,0x5f,0x67,0x9d,0x8b,0x8b,0x42,0xa4, + 0x7a,0xc4,0xaf,0xd9,0xe5,0x1e,0x1d,0x12,0x14,0xdf,0xe1,0xa7,0xe1,0x16,0x90,0x80, + 0xbd,0x9a,0xd9,0x17,0x58,0xf6,0xc0,0xf9,0xb2,0x2a,0xe4,0x0a,0xf6,0xb4,0x14,0x03, + 0xd8,0xf2,0xd9,0x6d,0xb5,0xa0,0x88,0xda,0xa5,0xef,0x86,0x83,0xf8,0x6f,0x50,0x1f, + 0x7a,0xd3,0xf3,0x58,0xb6,0x33,0x7d,0xa5,0x5c,0x6c,0xfc,0x00,0x31,0x97,0x42,0x0c, + 0x1c,0x75,0xab,0xdb,0x7b,0xe1,0x40,0x3e,0xa4,0xf3,0xe6,0x42,0x59,0xf5,0xc6,0xda, + 0x33,0x25,0xbb,0x87,0xd6,0x05,0xb6,0xe1,0x4b,0x53,0x50,0xe6,0xe1,0x45,0x5c,0x9d, + 0x49,0x7d,0x81,0x04,0x66,0x08,0xe3,0x87,0x95,0xdc,0x85,0xab,0xa4,0x06,0xc9,0xde, + 0x1f,0x4f,0x99,0x90,0xd5,0x15,0x3b,0x98,0xbb,0xab,0xbd,0xcb,0xd6,0xbb,0x18,0x85, + 0x43,0x12,0xb2,0xda,0x48,0xb4,0x11,0xe8,0x38,0xf2,0x6a,0xe3,0x10,0x9f,0x10,0x4d, + 0xfd,0x16,0x19,0xf9,0x91,0x82,0x4e,0xc8,0x19,0x86,0x1e,0x51,0x99,0xf2,0x6b,0xb9, + 0xb3,0xb2,0x99,0xbf,0xa9,0xec,0x2f,0xd6,0x91,0x27,0x1b,0x58,0xa8,0xad,0xec,0xbf, + 0x0f,0xf6,0x27,0xb5,0x43,0x36,0xf3,0xdf,0x70,0x03,0xd7,0x0e,0x37,0xd1,0x1d,0xdb, + 0xd9,0x30,0xd9,0xab,0xa7,0xe8,0x8e,0xd4,0x01,0xac,0xb4,0x40,0x92,0xfd,0x53,0xd5), + chunk_from_chars( + 0xea,0xf0,0x5d), + chunk_from_chars( + 0x2d,0x6d,0xb9,0x1e,0xb3,0x2e,0x36,0xe5,0xd5,0x12,0x7d,0xeb,0x03,0x4d,0x14,0x07, + 0x2f,0xe6,0x0c,0x1c,0xd1,0x3c,0x8c,0x3d,0xd9,0xad,0xbc,0x87,0x14,0x0b,0x5e,0x71, + 0x36,0xf4,0xf8,0x9e,0x61,0xbb,0xee,0x78,0x26,0xf4,0x5a,0xc1,0xd9,0x91,0x94,0xfb, + 0xaa,0x8c,0x5a,0x0b,0xb9,0x4d,0xb3,0x1d,0x93,0x72,0x3b,0x51,0x41,0x9d,0x9c,0x6f, + 0x6e,0xeb,0x5f,0x36,0x10,0xb6,0x7f,0x4b,0x4e,0x2a,0xde,0x05,0xcc,0x6b,0x89,0x90, + 0xe8,0x83,0x2c,0xf4,0xcd,0x40,0xf2,0xdf,0x03,0x88,0xc9,0xa5,0x20,0x72,0xe2,0x7e, + 0xfe,0xba,0xe2,0x0b,0x4a,0xd5,0x95,0x1f,0x4d,0x20,0xdd,0x18,0x94,0x3e,0x58,0xb7, + 0x86,0xd8,0x79,0x76,0x52,0xb2,0xbb,0x75,0x9c,0x31,0x9d,0x2b,0x00,0x46,0xdb,0xf6, + 0x9c,0x53,0xc0,0x75,0xd0,0x0c,0x28,0x7b,0x87,0x60,0x42,0xfa,0xfa,0x23,0xfe,0x4d, + 0xd7,0x05,0xe4,0xe4,0x23,0x27,0x7c,0x90,0x00,0x31,0x1e,0x94,0xea,0x3f,0x74,0x56, + 0xe3,0x2f,0xd1,0x2a,0xfe,0x4a,0x2b,0xde,0x35,0x8a,0x65,0x82,0x4f,0x10,0x55,0x06, + 0x48,0x23,0xc8,0x93,0xfc,0x93,0xbe,0x3b,0x8c,0x65,0x8b,0xb4,0x41,0xd7,0xf0,0xb0, + 0x0a,0xc2,0x46,0xbf,0x04,0x3a,0x9c,0x00,0x53,0xd3,0x19,0xf0,0x03,0xef,0x5a,0x55, + 0x33,0xf7,0x4d,0x63,0x0d,0x8c,0xe9,0x3b,0xab,0x41,0x6a,0x82,0x95,0x1e,0x05,0xb8, + 0x2c,0x60,0x36,0x59,0x3e,0xca,0x89,0xf0,0xeb,0xac,0xd7,0xd5,0x1e,0xd9,0x61,0x0a, + 0xf4,0x35,0x37,0xfc,0xd2,0x66,0xe5,0xe4,0x7c,0x0d,0x25,0xfe,0xda,0xd6,0xd0,0x47, + 0xa1,0xa1,0xee,0x3e,0xb4,0x44,0x36,0x7e,0x3e,0xff,0x7c,0x75,0x20,0xca,0x4f,0x77, + 0x9f,0x20,0x27,0xfe,0x45,0x03,0x62,0x04,0x16,0x84,0x54,0xdf,0x49,0x18,0xb5,0x47, + 0xa4,0xd1,0x9e,0x93,0x8f,0x3c,0x6d,0xb6,0xca,0x27,0x02,0xad,0x9b,0xbd,0xa1,0x26, + 0x1c,0x64,0xd0,0x0b,0x57,0x82,0x85,0xbd,0xcf,0xc9,0x85,0x1f,0x96,0xa4,0xf2,0xcd, + 0x14,0xd6,0x6b,0x9c,0x1f,0x65,0x74,0x2a,0x13,0x44,0x94,0x8c,0x9f,0x1d,0xa8,0xd3, + 0x38,0xed,0x4e,0x3d,0xeb,0x1e,0xba,0xdf,0x11,0xf8,0xc2,0x81,0x94,0x4e,0x88,0x49, + 0x82,0x34,0x96,0xf8,0x61,0x11,0xf3,0x78,0xbd,0xd0,0x84,0xc9,0x9f,0x65,0xfb,0x9b, + 0x4e,0xe6,0x27,0x1b,0x1d,0x1b,0xe4,0x24,0xc2,0x94,0xd1,0x85,0xd9,0xfd,0x9c,0xdf), + &privkey_3072, &pubkey_3072); +} +END_SETUP + +START_TEARDOWN(teardown_keys) +{ + pubkey_2048->destroy(pubkey_2048); + privkey_2048->destroy(privkey_2048); + pubkey_3072->destroy(pubkey_3072); + privkey_3072->destroy(privkey_3072); +} +END_TEARDOWN + +/** + * Test vectors from FIPS 186-4 + */ +static struct { + signature_scheme_t scheme; + chunk_t m; + chunk_t s; +} pkcs15_2048[] = { + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x5a,0xf2,0x83,0xb1,0xb7,0x6a,0xb2,0xa6,0x95,0xd7,0x94,0xc2,0x3b,0x35,0xca,0x73, + 0x71,0xfc,0x77,0x9e,0x92,0xeb,0xf5,0x89,0xe3,0x04,0xc7,0xf9,0x23,0xd8,0xcf,0x97, + 0x63,0x04,0xc1,0x98,0x18,0xfc,0xd8,0x9d,0x6f,0x07,0xc8,0xd8,0xe0,0x8b,0xf3,0x71, + 0x06,0x8b,0xdf,0x28,0xae,0x6e,0xe8,0x3b,0x2e,0x02,0x32,0x8a,0xf8,0xc0,0xe2,0xf9, + 0x6e,0x52,0x8e,0x16,0xf8,0x52,0xf1,0xfc,0x54,0x55,0xe4,0x77,0x2e,0x28,0x8a,0x68, + 0xf1,0x59,0xca,0x6b,0xdc,0xf9,0x02,0xb8,0x58,0xa1,0xf9,0x47,0x89,0xb3,0x16,0x38, + 0x23,0xe2,0xd0,0x71,0x7f,0xf5,0x66,0x89,0xee,0xc7,0xd0,0xe5,0x4d,0x93,0xf5,0x20, + 0xd9,0x6e,0x1e,0xb0,0x45,0x15,0xab,0xc7,0x0a,0xe9,0x05,0x78,0xff,0x38,0xd3,0x1b), + .s = chunk_from_chars( + 0x6b,0x8b,0xe9,0x7d,0x9e,0x51,0x8a,0x2e,0xde,0x74,0x6f,0xf4,0xa7,0xd9,0x1a,0x84, + 0xa1,0xfc,0x66,0x5b,0x52,0xf1,0x54,0xa9,0x27,0x65,0x0d,0xb6,0xe7,0x34,0x8c,0x69, + 0xf8,0xc8,0x88,0x1f,0x7b,0xcf,0x9b,0x1a,0x6d,0x33,0x66,0xee,0xd3,0x0c,0x3a,0xed, + 0x4e,0x93,0xc2,0x03,0xc4,0x3f,0x55,0x28,0xa4,0x5d,0xe7,0x91,0x89,0x57,0x47,0xad, + 0xe9,0xc5,0xfa,0x5e,0xee,0x81,0x42,0x7e,0xde,0xe0,0x20,0x82,0x14,0x7a,0xa3,0x11, + 0x71,0x2a,0x6a,0xd5,0xfb,0x17,0x32,0xe9,0x3b,0x3d,0x6c,0xd2,0x3f,0xfd,0x46,0xa0, + 0xb3,0xca,0xf6,0x2a,0x8b,0x69,0x95,0x7c,0xc6,0x8a,0xe3,0x9f,0x99,0x93,0xc1,0xa7, + 0x79,0x59,0x9c,0xdd,0xa9,0x49,0xbd,0xaa,0xba,0xbb,0x77,0xf2,0x48,0xfc,0xfe,0xaa, + 0x44,0x05,0x9b,0xe5,0x45,0x9f,0xb9,0xb8,0x99,0x27,0x8e,0x92,0x95,0x28,0xee,0x13, + 0x0f,0xac,0xd5,0x33,0x72,0xec,0xbc,0x42,0xf3,0xe8,0xde,0x29,0x98,0x42,0x58,0x60, + 0x40,0x64,0x40,0xf2,0x48,0xd8,0x17,0x43,0x2d,0xe6,0x87,0x11,0x2e,0x50,0x4d,0x73, + 0x40,0x28,0xe6,0xc5,0x62,0x0f,0xa2,0x82,0xca,0x07,0x64,0x70,0x06,0xcf,0x0a,0x2f, + 0xf8,0x3e,0x19,0xa9,0x16,0x55,0x4c,0xc6,0x18,0x10,0xc2,0xe8,0x55,0x30,0x5d,0xb4, + 0xe5,0xcf,0x89,0x3a,0x6a,0x96,0x76,0x73,0x65,0x79,0x45,0x56,0xff,0x03,0x33,0x59, + 0x08,0x4d,0x7e,0x38,0xa8,0x45,0x6e,0x68,0xe2,0x11,0x55,0xb7,0x61,0x51,0x31,0x4a, + 0x29,0x87,0x5f,0xee,0xe0,0x95,0x57,0x16,0x1c,0xbc,0x65,0x45,0x41,0xe8,0x9e,0x42), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0xc4,0x30,0x11,0xf3,0xee,0x88,0xc9,0xc9,0xad,0xca,0xc8,0xbf,0x37,0x22,0x1a,0xfa, + 0x31,0x76,0x9d,0x34,0x7d,0xec,0x70,0x5e,0x53,0xac,0xa9,0x89,0x93,0xe7,0x46,0x06, + 0x59,0x18,0x67,0xcc,0xd2,0x89,0xba,0x1b,0x4f,0x19,0x36,0x5f,0x98,0x3e,0x0c,0x57, + 0x83,0x46,0xda,0x76,0xc5,0xe2,0x22,0x8a,0x07,0xe4,0xfc,0x9b,0x3d,0x48,0x07,0x16, + 0x33,0x71,0xa5,0x2b,0x68,0xb6,0x68,0x73,0x20,0x1d,0xc7,0xd6,0xb5,0x66,0x16,0xac, + 0x2e,0x4c,0xb5,0x22,0x12,0x07,0x87,0xdf,0x7f,0x15,0xa5,0xe8,0x76,0x3a,0x54,0xc1, + 0x79,0xc6,0x35,0xd6,0x58,0x16,0xbc,0x19,0x48,0x5d,0xe3,0xeb,0x35,0xa5,0x20,0x40, + 0x59,0x10,0x94,0xfe,0x0e,0x64,0x85,0xa7,0xe0,0xc6,0x0e,0x38,0xe7,0xc6,0x15,0x51), + .s = chunk_from_chars( + 0xaa,0x3a,0x4e,0x12,0xeb,0x87,0x59,0x6c,0x71,0x1c,0x9a,0x22,0xbc,0xab,0xcb,0x9d, + 0xad,0xff,0xca,0xbc,0xec,0xbd,0x16,0x22,0x88,0x89,0xe9,0xbb,0x45,0x7d,0x5d,0x22, + 0x57,0x1a,0x72,0xf0,0x34,0xbe,0x47,0x83,0x38,0x4f,0x43,0xce,0x6f,0xff,0xc6,0x05, + 0x34,0xb8,0x33,0x1c,0xdd,0x5d,0x7c,0x77,0xf4,0x91,0x80,0xbf,0xd1,0x94,0xb5,0xfd, + 0x43,0xa5,0x08,0xc6,0x6d,0x78,0x6c,0x55,0x88,0x76,0x73,0x58,0x94,0xe6,0xa9,0x30, + 0x09,0x52,0xde,0x79,0x2f,0x74,0x70,0x45,0xe7,0x4d,0x87,0xfd,0x50,0x98,0x02,0x30, + 0x70,0x7a,0x34,0xa4,0xdf,0x01,0x3c,0xe0,0x50,0xbb,0xff,0x0d,0x6f,0x57,0x08,0x85, + 0xc9,0xc7,0xbf,0x8d,0xc4,0x99,0x13,0x2c,0xae,0xe0,0x71,0xb4,0x1d,0x81,0xff,0x91, + 0xb8,0xce,0x21,0xaa,0x2f,0x28,0x2c,0xbf,0x52,0x38,0x9f,0x23,0x9a,0xfe,0x14,0x90, + 0x89,0x0b,0xe2,0x1f,0x9d,0x80,0x8b,0x3d,0x70,0xb9,0x7e,0xfd,0x59,0xc0,0xb6,0x0e, + 0x46,0x60,0x88,0xbb,0x42,0x71,0x4f,0x21,0x2b,0xc9,0x0d,0xb7,0xe9,0x42,0xeb,0xce, + 0xe6,0x0e,0x7b,0x10,0x7f,0xff,0x44,0xfb,0x35,0x64,0xff,0x07,0xd6,0xd0,0x28,0x50, + 0x21,0x5f,0xd3,0x57,0xd8,0x97,0xc4,0xd3,0x2b,0xef,0x86,0x61,0x68,0x9f,0x2d,0x84, + 0xff,0x89,0x76,0x37,0xfb,0x6d,0x55,0x68,0xa7,0x27,0x0e,0x78,0x34,0x26,0xb7,0x4b, + 0x70,0x37,0x49,0x3e,0x51,0x55,0xfd,0x7c,0xb3,0xdd,0xdd,0xfd,0x36,0xbd,0x8a,0x9c, + 0x87,0x7d,0x71,0xd2,0xa9,0x66,0x05,0x7c,0x08,0x26,0x3d,0x29,0x39,0xc8,0x49,0x87), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x61,0xd7,0xb3,0x15,0x01,0x31,0x35,0x1e,0x7b,0x4c,0x8e,0x56,0x45,0xd3,0x8b,0xe9, + 0x33,0x5b,0x40,0x28,0x9a,0xf3,0x4c,0xc6,0xb6,0xfc,0x5e,0x48,0x49,0x3b,0xf8,0xb7, + 0x85,0x2c,0x73,0x98,0x2c,0x99,0x44,0x1e,0xf6,0x6c,0x7d,0x9d,0x33,0xc2,0x97,0x42, + 0xb1,0x40,0x6e,0x02,0xe0,0xaa,0x8d,0xd0,0x34,0xb1,0xac,0x13,0xcb,0x0d,0x77,0x57, + 0x50,0xcc,0x91,0x42,0x1f,0xea,0xd9,0xca,0xa9,0x21,0xec,0xa6,0x1a,0x02,0xeb,0x02, + 0x3a,0x45,0x7e,0x77,0x91,0x5e,0x18,0x3a,0xcf,0x51,0x7d,0x94,0x6b,0xc6,0x82,0x92, + 0x89,0x60,0x14,0xfd,0x21,0x4b,0x7c,0x8c,0x5e,0x14,0xe1,0x59,0x44,0xbe,0x0f,0x92, + 0x96,0x12,0x77,0x71,0xf7,0x36,0x76,0x6e,0x4f,0x81,0xda,0xb3,0x70,0x8e,0xa2,0xd0), + .s = chunk_from_chars( + 0x84,0xe9,0x2a,0x14,0x5a,0xe6,0xbe,0x1f,0xf9,0x24,0x2d,0x9e,0xd2,0xd6,0x8d,0xe6, + 0x68,0xe8,0x02,0x52,0x4e,0x8a,0xc0,0xa7,0x9d,0xe6,0x2f,0xe7,0x40,0x48,0xc3,0x54, + 0x91,0xfd,0x2f,0xfd,0xb1,0x85,0x05,0x7e,0x66,0x6d,0xbf,0xaa,0xc8,0x4c,0x34,0xfd, + 0xe7,0x89,0x12,0x63,0xf8,0xb2,0xbc,0x74,0x74,0x62,0x30,0x32,0x0f,0x67,0xa7,0xbd, + 0x73,0x19,0xc9,0xb9,0xde,0x41,0x90,0x54,0x70,0x14,0xe2,0xd7,0xa2,0xa5,0x06,0x0d, + 0x62,0x00,0xaa,0xdc,0x3a,0x44,0xba,0xc0,0x29,0xff,0x39,0x92,0xed,0xd3,0x0e,0xc5, + 0x3a,0xb0,0xd9,0x12,0x3e,0xaa,0x6b,0x14,0x73,0x52,0xa0,0x73,0xa9,0x81,0x61,0xe6, + 0x4f,0x39,0x4b,0xb9,0x94,0x92,0xc6,0x97,0x7e,0x24,0xf4,0x45,0xc7,0x12,0x5b,0xfb, + 0x90,0xf8,0x7f,0xaf,0x26,0x22,0x72,0x13,0x4a,0xcb,0x18,0x82,0x3a,0x99,0xa5,0x22, + 0x8d,0x14,0x95,0x46,0x32,0x97,0xfd,0x77,0x48,0x77,0xfb,0x63,0xd4,0x91,0x81,0x06, + 0x34,0x7e,0x6f,0x29,0x31,0x5e,0x48,0x36,0x3f,0x39,0xb3,0x32,0x99,0xea,0xa3,0x2d, + 0x8d,0xa7,0x1b,0x22,0x9d,0x8f,0xfe,0xe5,0xf6,0x6f,0x72,0x2a,0xd3,0xaa,0x41,0x75, + 0xd3,0xf8,0x4e,0xce,0x9c,0xc8,0xec,0xa8,0xd6,0xf2,0xf3,0x56,0xa8,0x5c,0x15,0x24, + 0x89,0x6c,0x18,0xf7,0xb5,0xc8,0xf9,0xbc,0xde,0xf4,0x5c,0x49,0x6d,0x53,0x91,0x79, + 0x89,0x1d,0xdc,0x76,0xe5,0x20,0x8a,0xd8,0x35,0x3d,0x48,0xc6,0x24,0x05,0x4f,0x34, + 0x40,0xee,0xba,0x44,0x32,0xa1,0x06,0x54,0xa1,0x1e,0xf5,0x37,0x83,0xbd,0x11,0x6f), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0xb6,0x77,0x1a,0xb0,0xe1,0x28,0xb4,0x1b,0x32,0xb8,0xb0,0x5e,0x05,0xad,0xd2,0x3c, + 0xe0,0xfb,0x87,0x7b,0x40,0xbf,0xcc,0x3b,0x99,0x2f,0x4c,0x86,0x98,0xd1,0xc8,0x28, + 0xab,0xec,0xbc,0xc1,0xc3,0x3d,0x40,0x18,0x59,0xea,0x2c,0xb2,0xaf,0xbc,0x7f,0xa4, + 0x58,0x88,0x02,0xa5,0xfa,0xee,0x28,0x67,0x53,0x46,0x39,0x28,0x7a,0xd8,0xaf,0x84, + 0x67,0x4b,0xe1,0x8d,0xb6,0x61,0xde,0x1d,0xa8,0xe1,0x9c,0x6b,0x6b,0xd4,0x52,0xdd, + 0x9b,0xf3,0x22,0x1d,0x08,0x61,0xfb,0x6f,0xba,0x96,0xbe,0x42,0x32,0x9b,0x9f,0x04, + 0xf3,0x7d,0xcf,0x3b,0x41,0xfc,0x58,0xd2,0x29,0x83,0x48,0xb0,0xc1,0x5d,0x11,0x90, + 0xb1,0x25,0x30,0x0c,0xf2,0x7e,0x0d,0xfa,0xd6,0x05,0x22,0xfc,0x49,0x84,0x60,0x53), + .s = chunk_from_chars( + 0x62,0x76,0x92,0x55,0x68,0x62,0x6f,0x0c,0xbe,0x6f,0x51,0x50,0xb0,0x50,0xe1,0x70, + 0x25,0x82,0xf8,0xda,0xf9,0x9a,0x6f,0x88,0x0e,0xf7,0x5c,0xd9,0x6c,0x2d,0x42,0x08, + 0xfb,0x6e,0x91,0xb0,0x1b,0xa6,0xab,0xa2,0xa8,0x16,0xb2,0xd3,0xcb,0x97,0x5d,0xf8, + 0x50,0xb1,0xd2,0x68,0xc4,0x66,0x2d,0xd1,0xea,0x3a,0x30,0x0c,0x1d,0x71,0x71,0xc6, + 0x33,0xdd,0x2e,0xfb,0xac,0x30,0x00,0xc5,0x6a,0xb8,0x0f,0x98,0x9d,0xbc,0x18,0x24, + 0x3e,0x63,0x6b,0xa5,0xd4,0xd2,0x6a,0x7d,0x3f,0x19,0x65,0xad,0x3c,0xb0,0xf1,0xa8, + 0x51,0x3f,0x99,0x80,0x03,0xf7,0xb6,0x7e,0x2a,0xc5,0xc7,0x18,0xcb,0x68,0x8b,0x32, + 0x01,0xd5,0x6e,0x68,0xf0,0xb9,0xf8,0x62,0x57,0xb8,0x47,0x94,0xcd,0xff,0xbc,0x1f, + 0xe3,0xea,0x24,0xb7,0xbb,0x6e,0x9e,0xf0,0x53,0x9b,0xd4,0xfb,0xc1,0xaf,0xb5,0x5b, + 0xc1,0xdc,0xa3,0x99,0x96,0xea,0x8a,0x63,0x76,0x9f,0x6e,0x22,0x57,0x07,0xf6,0x90, + 0x47,0x55,0x5e,0x1a,0x4e,0xf3,0xc6,0x39,0xc5,0xf2,0xa4,0x97,0xb8,0x89,0x42,0x4a, + 0x90,0x14,0x86,0x39,0xbb,0x64,0xdf,0x0a,0x06,0xe0,0xb7,0xf0,0xe8,0xed,0x46,0x6a, + 0x97,0x7b,0xac,0xa3,0x2f,0x48,0x23,0x37,0xb2,0xab,0xe3,0x98,0x3e,0xae,0xc3,0xfe, + 0x10,0x75,0x01,0x6e,0x58,0x67,0x52,0x17,0x60,0xfd,0x06,0x07,0xd7,0x99,0xf1,0x76, + 0x6b,0x3f,0xf6,0xe2,0xae,0x15,0x5d,0x69,0x25,0x0f,0x8b,0xf0,0x8c,0x8e,0xdc,0xa0, + 0xb4,0xf3,0x1d,0x0f,0x83,0x8c,0xfd,0x29,0x8c,0xb7,0x31,0x2d,0xf9,0x3f,0x09,0x97), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x6a,0x81,0xcb,0x6c,0x7b,0x26,0x8f,0x4b,0x9f,0xb9,0x17,0x2a,0xdb,0xbb,0x36,0xa2, + 0x37,0xa0,0xdc,0xf1,0xc3,0xc8,0x3a,0x95,0xdc,0xb0,0x27,0x1a,0xac,0x6a,0xc3,0x30, + 0xf0,0x4a,0x5a,0x00,0xfe,0xe3,0x8b,0xc0,0x06,0x31,0xa9,0x85,0x98,0x18,0x61,0x59, + 0x66,0x0d,0x9d,0x8e,0x4c,0x14,0xa9,0x52,0x8d,0xea,0x94,0x83,0x60,0x83,0xda,0xc4, + 0xab,0xb7,0x3f,0xd0,0x0e,0x38,0xfe,0x0e,0x23,0xc7,0x23,0x66,0x04,0xa7,0x36,0x54, + 0x0e,0x52,0x19,0x3a,0xe5,0x6c,0x33,0xfb,0xb8,0xf5,0xcf,0xc5,0xc7,0xc2,0xbe,0x2e, + 0x22,0x2e,0x44,0x83,0xb3,0x0d,0x32,0x5c,0x7e,0xe1,0x4f,0x74,0x28,0x51,0xfc,0xb8, + 0xb6,0xd6,0x18,0x9e,0x98,0xb8,0x22,0xb8,0xe6,0x39,0x9d,0x89,0xe9,0x0f,0xb9,0x97), + .s = chunk_from_chars( + 0xb6,0x79,0x91,0x05,0x0c,0x08,0x3e,0x64,0x50,0x97,0xdb,0x03,0xff,0xf3,0x47,0x58, + 0x86,0x8b,0xeb,0x19,0xe9,0xc0,0xc4,0x84,0x75,0xf0,0xf9,0x13,0x36,0x1e,0x71,0xd3, + 0xd6,0xf2,0x7a,0x8c,0x4f,0x0b,0x26,0x9b,0x49,0xe8,0x53,0x40,0x39,0xe5,0x3a,0xd3, + 0xba,0xb9,0xa3,0xe6,0x2a,0xbe,0x07,0x8e,0xe7,0x5e,0x7f,0xb5,0x95,0x90,0x06,0xfb, + 0xfb,0x01,0x4c,0xa7,0xb8,0x1b,0x3d,0x5a,0xfe,0x0e,0xe5,0xf6,0xfc,0x2d,0xfb,0xc4, + 0x50,0xf2,0x83,0x95,0x43,0x00,0x2f,0x33,0xf4,0xf3,0x54,0xf8,0x27,0x27,0x8c,0x76, + 0xc0,0x41,0x68,0x6e,0xea,0x78,0x86,0xeb,0xb2,0xa7,0xaf,0xa5,0x99,0x5c,0x6c,0xdd, + 0xb1,0xc0,0xb5,0x80,0x66,0xdd,0xb8,0xdc,0x54,0xa6,0x92,0x7c,0x14,0x6c,0x3b,0x2a, + 0x0f,0xa7,0xce,0xf2,0x89,0x03,0xc6,0xc6,0x72,0xbc,0x20,0xef,0x68,0xff,0xbf,0xab, + 0x24,0x7e,0xb6,0x88,0xab,0x4b,0xde,0x71,0x06,0xd9,0xc5,0x9d,0x21,0x53,0x09,0x6d, + 0xc9,0xe5,0x20,0x72,0x67,0x03,0x8d,0x88,0xe2,0x17,0x4e,0x76,0xad,0xc1,0x50,0x8a, + 0xe2,0x4e,0xb6,0x02,0x33,0x2e,0x53,0xc0,0xc2,0xe3,0x31,0x54,0xa6,0x6a,0x97,0xa0, + 0xf1,0x2f,0x66,0xc6,0x12,0x58,0xc7,0xbf,0x6b,0xbf,0x3f,0x1d,0xcb,0xe9,0xca,0xf2, + 0xfd,0x30,0xec,0x68,0xc0,0xa9,0xd0,0x9f,0x4f,0xd7,0x76,0x30,0x4b,0x54,0x0e,0x62, + 0xfc,0x85,0x12,0xbe,0xaa,0xbc,0x4b,0xe2,0x10,0x7a,0x1e,0xc1,0x8e,0x87,0xf6,0x1f, + 0x9d,0xb2,0x5e,0x87,0x1d,0xc0,0x69,0x3c,0xef,0x17,0xc2,0xa6,0x87,0xfc,0x85,0x4f), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x05,0x6c,0x1e,0x46,0x44,0x59,0x9e,0x31,0x83,0xdd,0x8d,0x2f,0x64,0xe4,0xbb,0x23, + 0x52,0xff,0x00,0xd0,0x12,0xab,0x76,0x3f,0x9a,0xd6,0xe5,0x60,0x27,0x9f,0x7f,0xf3, + 0x8a,0x5e,0xce,0xa9,0xc2,0xe4,0xea,0x87,0xd0,0x04,0xef,0x8c,0xc7,0x52,0xae,0x93, + 0x23,0x2a,0xa3,0x7b,0x5b,0xf4,0x28,0x84,0xba,0xa7,0xe7,0xfc,0x6a,0x8c,0x95,0x1c, + 0xd2,0x45,0xde,0x2d,0x22,0x0d,0x9b,0xee,0x2b,0x41,0x4b,0x3a,0x75,0x20,0xc1,0xe6, + 0x8b,0xcf,0x1a,0xe9,0x9a,0x9f,0xf2,0xbf,0x3a,0x93,0xd8,0x0f,0x8c,0x1d,0xfe,0x8b, + 0x85,0x29,0x35,0x17,0x89,0x5c,0x19,0x2e,0x3c,0x9e,0x89,0x82,0x95,0xd6,0x5b,0xe3, + 0x34,0xf4,0x4d,0x62,0xf5,0x35,0x3e,0xb6,0xc5,0xa2,0x9e,0xdf,0xb4,0xdb,0x23,0x09), + .s = chunk_from_chars( + 0xae,0x05,0x20,0x4e,0x40,0x9d,0x72,0x7e,0xb9,0xe4,0xdc,0x24,0xbe,0x8f,0x86,0x33, + 0x28,0xc2,0x81,0x3d,0xa4,0xfc,0xef,0x28,0x86,0x6e,0x21,0xa5,0xda,0xb2,0x1a,0x48, + 0x53,0x21,0xb7,0x35,0x27,0x4a,0xf0,0x6b,0xf1,0x7e,0x27,0x15,0x18,0xe1,0x11,0x64, + 0xd7,0x22,0xab,0x07,0x35,0x48,0xf0,0x2e,0x1b,0x44,0x19,0x23,0xdb,0x6f,0x1c,0xee, + 0x65,0xa0,0x17,0xed,0xfb,0xaf,0x33,0x61,0xc6,0x7f,0xbc,0x2b,0x39,0xfe,0x03,0x8c, + 0xb5,0xcb,0x65,0xa6,0x40,0xf9,0x58,0x87,0x38,0x9c,0xe8,0xa5,0xad,0x2e,0xc6,0xe6, + 0x9d,0x3d,0x60,0x35,0x05,0xb0,0x25,0xf6,0xd6,0x33,0x0c,0x8b,0x64,0x88,0x02,0xca, + 0xf7,0xe6,0xfa,0x3f,0xe7,0xb3,0x81,0x41,0x65,0x99,0x86,0xcb,0x89,0xe6,0x23,0x2f, + 0x10,0x62,0x22,0x56,0x4d,0x5e,0x51,0x95,0xed,0xa6,0xa2,0x5f,0x99,0x06,0x85,0x72, + 0xc2,0xfa,0xfe,0x97,0xf1,0x47,0xf7,0xf2,0xf4,0x11,0x9f,0x21,0x38,0x5a,0xf1,0xfc, + 0xed,0x97,0xf7,0x86,0x32,0xd8,0xbf,0x4f,0xd9,0xa9,0x05,0x4d,0x8b,0x9a,0xa2,0xa9, + 0xf4,0xde,0xd5,0x87,0x84,0x7a,0x91,0xd4,0x2c,0x63,0x91,0x12,0x5f,0x10,0x3a,0xe2, + 0x88,0x54,0x7e,0x84,0x89,0x69,0x3a,0xe8,0x68,0x6b,0x84,0x89,0x1b,0x77,0x2b,0x10, + 0xc4,0x79,0x68,0x83,0xf6,0x6c,0xd4,0x59,0xa8,0xc1,0xa6,0xa4,0x18,0x7b,0xd6,0xb3, + 0x87,0xd3,0x49,0xe9,0x2d,0x7b,0x60,0x49,0x53,0x72,0x7c,0x9e,0x9f,0xdc,0x44,0x9e, + 0x73,0x45,0xe7,0xca,0x6b,0x33,0x9e,0x26,0xb0,0x86,0xf5,0x54,0x88,0x98,0xcb,0xe9), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0xce,0xc5,0xc9,0xb6,0xf8,0x44,0x97,0xac,0x32,0x7f,0x68,0xef,0x88,0x66,0x41,0xfe, + 0xc9,0x95,0x17,0x8b,0x30,0x71,0x92,0x30,0x43,0x74,0x11,0x5e,0xfc,0xc5,0xee,0x96, + 0x27,0x0c,0x03,0xdb,0x0b,0x84,0x6d,0x67,0x4c,0x52,0x8f,0x9d,0x10,0x15,0x5a,0x3f, + 0x61,0xbe,0xcc,0xe1,0xd3,0xa2,0xb7,0x9d,0x66,0xcd,0xc4,0x09,0xad,0x99,0xb7,0x66, + 0x30,0x80,0xf5,0x1a,0x10,0x2f,0x43,0x61,0xe9,0xdb,0xd0,0x3f,0xfc,0xd8,0x76,0xb9, + 0x8e,0x68,0x3d,0x44,0x8b,0xd1,0x21,0x7e,0x6f,0xb2,0x15,0x1c,0x66,0x96,0x47,0x23, + 0xb2,0xca,0xa6,0x5c,0x4e,0x6c,0xa2,0x01,0xd1,0xc5,0x32,0xbd,0x94,0xd9,0x1c,0xd4, + 0x17,0x3b,0x71,0x9d,0xa1,0x26,0x56,0x39,0x27,0xca,0x0a,0x7f,0x6f,0xe4,0x25,0x36), + .s = chunk_from_chars( + 0xc4,0x8a,0x8e,0x01,0xd4,0xbb,0xfe,0x0f,0x2f,0x05,0x65,0x93,0x37,0xea,0x71,0xd2, + 0x1f,0x38,0xd7,0xf7,0xa1,0x0b,0x00,0xb0,0x6e,0x1f,0x89,0x9e,0xaf,0x40,0xa8,0xe9, + 0x7e,0xad,0x64,0xbc,0xa3,0x7f,0x13,0xa5,0x5e,0xf1,0xcf,0x3f,0xb5,0x2c,0xee,0x27, + 0x9c,0xdc,0xb0,0x96,0x08,0x5a,0x46,0x7a,0xfa,0x97,0xb0,0x3d,0x78,0xd6,0x07,0x6e, + 0x47,0x2b,0x12,0xd6,0xbe,0x96,0x47,0xce,0xc3,0x2d,0x8d,0x91,0xa2,0x62,0x47,0x69, + 0x37,0x71,0x68,0x74,0x60,0xba,0x52,0x69,0xde,0x18,0xe1,0xed,0xef,0x60,0x22,0x53, + 0x3a,0x95,0x79,0xf9,0x1d,0x58,0x4f,0x9e,0x0c,0xee,0x11,0x00,0xc4,0x47,0xb7,0x75, + 0x76,0xb1,0xb4,0xee,0x16,0x3e,0xd4,0x70,0x01,0x47,0xa9,0xaa,0x61,0xbd,0xc4,0xe2, + 0x31,0x6d,0x2d,0x81,0x8c,0x10,0x28,0xed,0x1c,0x3e,0x37,0x2c,0x9f,0x6a,0x17,0x45, + 0x57,0x24,0x44,0x63,0x72,0x48,0x09,0x1b,0x83,0xf7,0xb5,0x39,0xf9,0xbd,0x58,0xb7, + 0x67,0x56,0x76,0x03,0x4c,0x20,0xe4,0xca,0x11,0x9b,0x91,0xc4,0xca,0x5d,0xc7,0x6a, + 0xcb,0xff,0x3d,0x04,0x62,0x89,0x83,0x52,0xc5,0x91,0xc2,0xca,0x6f,0x2d,0x8b,0x09, + 0xe2,0xe6,0x33,0x8a,0x84,0x33,0x6e,0x06,0xf0,0xcc,0x02,0x0e,0x9e,0xb8,0xda,0x78, + 0x58,0x89,0xb4,0x97,0xf3,0xb9,0x8e,0x82,0x7e,0xe7,0xa7,0xd3,0xf1,0xb0,0xb7,0x3c, + 0x19,0x58,0xe1,0x6a,0xa9,0x78,0x61,0xe6,0x67,0x59,0x70,0xce,0x31,0xd9,0xd1,0x19, + 0xbb,0x34,0x0b,0xe8,0x0f,0xd0,0xf4,0x3c,0x3d,0xbe,0x64,0xf2,0xa5,0x9d,0x62,0x9d), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x91,0x93,0xf8,0xb9,0x14,0xdf,0xe0,0xe6,0x25,0x21,0xf3,0x5a,0xfa,0x4f,0xa5,0xd4, + 0x28,0x35,0xe1,0x98,0xaf,0x67,0x38,0x09,0x37,0x7a,0x3e,0x7a,0x99,0x73,0x31,0x42, + 0xa1,0x80,0xdc,0x0e,0x13,0xe6,0xbb,0x7c,0xeb,0x3b,0x60,0xe5,0xe9,0xd5,0x15,0x79, + 0x4d,0x82,0xc3,0x92,0xe0,0x79,0x13,0x42,0x33,0x91,0xd2,0x2e,0x2b,0xb1,0x9a,0xa0, + 0xbd,0x88,0xaf,0xd7,0xf7,0x7e,0x27,0xa2,0x40,0xea,0x4e,0x2d,0xe0,0x85,0x48,0x1a, + 0xc3,0x1f,0xf8,0xd3,0x79,0x90,0x21,0x1f,0x82,0xf2,0xcb,0xf4,0xc9,0x0d,0xe9,0x8d, + 0x6e,0x13,0x38,0xbb,0xc8,0x8e,0x6a,0x80,0xab,0x96,0x84,0xda,0xe6,0x47,0x85,0xdd, + 0x10,0x72,0x48,0x04,0x85,0x93,0xab,0xc9,0xab,0x03,0xf1,0x73,0x7a,0x6f,0x65,0x30), + .s = chunk_from_chars( + 0x5c,0x2f,0xe4,0x53,0xa8,0xb0,0x8c,0x90,0xb0,0x2e,0xb2,0xc9,0x99,0x42,0x42,0xd5, + 0x18,0xf3,0xf2,0x1b,0x36,0x88,0x95,0xcf,0xfd,0x62,0x40,0x50,0xe4,0x8a,0xa7,0x14, + 0x00,0x5a,0xe6,0x75,0xfe,0x79,0xaa,0x3c,0xad,0xd4,0xdf,0x55,0xbd,0xf1,0x2b,0xec, + 0x5b,0xe8,0xa4,0x1d,0x87,0x53,0x8f,0x7e,0x03,0x1b,0x78,0x2e,0x34,0xd3,0x92,0x46, + 0x8e,0x5f,0x14,0xbc,0x61,0x3b,0x8f,0x4d,0x28,0xc8,0xfb,0x79,0xa2,0x53,0x7e,0x1e, + 0x60,0x10,0x31,0xda,0x72,0x0a,0xcd,0x7b,0x2c,0x8d,0xcb,0xe9,0x85,0x86,0x24,0xa7, + 0xa9,0xa9,0x2a,0x06,0xf9,0x18,0x45,0xf7,0x32,0x37,0x0d,0x67,0x36,0x5c,0x64,0x64, + 0xf7,0xb6,0x8f,0x22,0xeb,0x3e,0xdf,0xee,0xc9,0x7e,0x32,0x85,0x02,0x4d,0x7f,0x69, + 0x43,0xb6,0xd5,0x0a,0x16,0xcc,0x96,0xd6,0x0f,0x68,0x03,0x51,0xde,0xaa,0x25,0xf0, + 0xbc,0x86,0x89,0x48,0x60,0x7a,0x6b,0xa7,0xf1,0x94,0x9b,0x85,0x94,0x3c,0x6a,0x92, + 0xbd,0x61,0x72,0xe8,0x1b,0xcc,0x05,0x50,0x14,0xb7,0x8a,0x73,0x39,0x72,0xe3,0xf3, + 0x9d,0x14,0x09,0x9d,0x16,0x07,0xa2,0x0f,0xf8,0x68,0x1c,0x29,0xae,0x1e,0xf9,0x9e, + 0xf1,0x15,0xed,0x6a,0x10,0x84,0xb5,0x14,0xb8,0x1a,0x69,0xd4,0xa1,0x5c,0xe1,0xe2, + 0x57,0x6f,0xdc,0xf2,0xb2,0xaf,0x61,0x5b,0x52,0xfe,0xc7,0x01,0x32,0x11,0x2d,0xcc, + 0x5b,0xc1,0x9e,0xc1,0x7f,0x32,0x28,0x14,0x60,0x62,0x34,0x20,0x31,0x73,0x53,0xe8, + 0xa2,0x55,0xfd,0xa5,0x02,0xbd,0x1f,0xb1,0x1a,0x58,0x83,0x2a,0xe2,0xc0,0x4f,0x9a), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x0e,0x57,0xef,0x40,0xb0,0x21,0xbf,0x87,0xf6,0x42,0xc5,0x75,0x6b,0x65,0x15,0xa0, + 0xe0,0x6c,0x15,0xa0,0x18,0x56,0xd7,0x16,0xc5,0x66,0xa6,0xed,0xb3,0x81,0xdf,0xdf, + 0x44,0xd9,0x03,0x3b,0x1c,0xc8,0x09,0xe6,0x1d,0xfe,0xf9,0xa0,0x96,0xdf,0xb6,0x89, + 0xb7,0x27,0x1b,0xe4,0x49,0xd0,0x4a,0x1a,0x9c,0x35,0x41,0x02,0xc0,0x77,0xaf,0x5f, + 0xf7,0x20,0x05,0xab,0x6b,0x06,0xcf,0x13,0x1d,0x73,0x45,0xc2,0x1e,0x82,0x1d,0x62, + 0x01,0xcc,0xa4,0xe0,0x90,0x44,0x0d,0x70,0xbe,0x60,0x09,0xd2,0xdd,0x7a,0x98,0xd3, + 0x11,0x75,0x1e,0x16,0x05,0xa3,0xb9,0x14,0xdc,0xe6,0xd2,0x62,0x6b,0x16,0xf2,0x33, + 0xa5,0xa3,0xd7,0x1d,0x56,0x7c,0xc8,0x20,0x15,0x2f,0x25,0xe4,0x73,0x51,0x42,0x42), + .s = chunk_from_chars( + 0x76,0x43,0xaa,0x3f,0xe6,0x3e,0x66,0xf7,0x9d,0x6b,0x40,0x9d,0x14,0x5e,0xa8,0x20, + 0xc9,0xf7,0x35,0x6f,0x71,0xb4,0xac,0xdc,0xbd,0x43,0xfe,0x1e,0x99,0xf8,0x80,0x2c, + 0xd1,0x66,0x2b,0x16,0x24,0x0f,0x5c,0xfd,0x94,0xa7,0x69,0xb0,0xb3,0xf2,0xcb,0x0b, + 0x11,0x88,0x7e,0x88,0x6e,0x5b,0xa4,0x37,0x33,0x36,0x74,0x90,0xb3,0xfc,0x18,0x8f, + 0x2f,0xb3,0xa0,0xc0,0xc8,0xa6,0x8b,0x5d,0x27,0x26,0xc8,0xf7,0xa3,0x19,0x02,0xb6, + 0xb8,0x6c,0xd4,0x02,0x28,0x7d,0x38,0x5c,0x3e,0x3c,0x06,0x50,0x3c,0xe1,0x7f,0xd6, + 0xe5,0x4e,0x58,0x2f,0x4a,0x90,0x7a,0x91,0xf9,0x52,0xd2,0xa3,0x60,0xe2,0xfb,0xa0, + 0x00,0x28,0xe4,0xd3,0xb0,0x2a,0xab,0xf7,0xd2,0x20,0xb3,0x1d,0x1f,0x8e,0xe7,0xfa, + 0xa0,0x70,0x14,0x76,0x82,0xcc,0xc8,0xbc,0xc7,0x56,0xca,0x6a,0x68,0xfc,0x20,0x95, + 0x45,0x50,0xc3,0x17,0xe8,0x79,0x18,0x78,0x1a,0x3d,0x1f,0x19,0x23,0x50,0x30,0x91, + 0x09,0x0c,0x3c,0x60,0xca,0x1c,0x0b,0x1c,0x69,0x99,0x06,0xfb,0xf8,0x5a,0xa7,0x0a, + 0xd9,0xae,0x48,0x70,0x9f,0xf7,0x43,0xb8,0x2d,0xcc,0x31,0x07,0x4c,0xfc,0xea,0x62, + 0x3e,0xa4,0x5e,0x48,0x64,0x4b,0x19,0xa2,0x17,0x72,0xca,0x10,0x7e,0xd6,0x42,0x39, + 0xc5,0x65,0x74,0xa0,0x87,0xf1,0xa6,0xaa,0xdf,0x0f,0x4b,0x00,0xff,0xe5,0x81,0xc1, + 0x41,0x02,0x74,0xc8,0x75,0xe4,0x59,0x90,0x63,0xe4,0x6e,0x51,0x68,0x80,0x3f,0x0d, + 0x28,0xd2,0x1f,0xcd,0x35,0x09,0xb4,0xc6,0x22,0x29,0x95,0xad,0xd7,0x75,0x3b,0xf3), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x0c,0x84,0x91,0xfc,0x34,0x8d,0x34,0x1f,0xe8,0x5c,0x46,0xa5,0x61,0x15,0xf2,0x60, + 0x35,0xc5,0x9e,0x6a,0x2b,0xe7,0x65,0xc4,0x4e,0x2e,0xc8,0x3d,0x40,0x7e,0xa0,0x96, + 0xd1,0x3b,0x57,0xe3,0xd0,0xc7,0x58,0x34,0x22,0x46,0xc4,0x75,0x10,0xa5,0x67,0x93, + 0xe5,0xda,0xea,0xe1,0xb9,0x6d,0x4a,0xb9,0x88,0x37,0x89,0x66,0x87,0x6a,0xa3,0x41, + 0xb7,0xd1,0xc3,0x1b,0xba,0x59,0xb7,0xdb,0xe6,0xd1,0xa1,0x68,0x98,0xee,0xf0,0xca, + 0xca,0x92,0x8f,0x8c,0xe8,0x4d,0x5c,0x64,0xe0,0x25,0xdc,0x16,0x79,0x92,0x2d,0x95, + 0xe5,0xcd,0x3c,0x6b,0x99,0x4a,0x38,0x5c,0x5c,0x83,0x46,0x46,0x9e,0xf8,0x76,0x4c, + 0x0c,0x74,0xf5,0x33,0x61,0x91,0x85,0x0c,0x7f,0x7e,0x2b,0x14,0xbe,0x00,0x27,0xd8), + .s = chunk_from_chars( + 0xca,0xcc,0x8d,0x9f,0x5e,0xcd,0x34,0xc1,0x43,0x48,0x84,0x61,0x13,0x5c,0x49,0x51, + 0x67,0x61,0x45,0xc6,0xe4,0x72,0xb9,0x2f,0x12,0xf7,0x58,0x04,0x6f,0x17,0x21,0x42, + 0xfa,0x38,0x8f,0x28,0x5f,0x3f,0xff,0x06,0x82,0x42,0x02,0x88,0x29,0x04,0x7e,0x24, + 0x80,0x59,0xed,0x4f,0xd3,0x9d,0x2c,0x5a,0xde,0x46,0x9d,0xc7,0xc3,0x93,0x45,0xe5, + 0x11,0x49,0x50,0xd2,0x03,0x1c,0xc7,0x46,0x5f,0xe7,0x12,0xc4,0x04,0x1d,0x05,0xc7, + 0x56,0xd3,0xf2,0xd8,0x8a,0x46,0xce,0xb9,0x9f,0x2e,0x24,0xa5,0x2e,0x95,0x8a,0x03, + 0xcd,0x25,0x19,0xa9,0xb1,0x37,0xe6,0x2d,0x5c,0xa2,0xb3,0x53,0xf7,0xb0,0x47,0xb6, + 0x25,0xc3,0x60,0x23,0x13,0xfd,0xb5,0x3c,0x8d,0xb2,0x3d,0x83,0x95,0x1a,0x59,0x9d, + 0xb3,0x28,0xfe,0xdc,0x4a,0xe0,0x6d,0xa8,0x9c,0xe7,0xf5,0x62,0x59,0xb5,0xc8,0x22, + 0x2f,0x7b,0xd3,0xd9,0x74,0x04,0x78,0xfd,0x28,0xe5,0x81,0x0d,0xb7,0x8a,0xee,0x86, + 0x23,0xfd,0xd3,0x9f,0x60,0x3f,0x8d,0xdf,0x98,0x08,0x1d,0x78,0x73,0x98,0x0c,0x4e, + 0xb0,0xe2,0x2a,0x9c,0xd4,0x08,0xf7,0xc4,0x13,0x4c,0x12,0xd2,0x04,0x9a,0x2d,0x12, + 0x0f,0x4b,0x62,0xe6,0xb3,0x82,0xb9,0x97,0xfc,0x37,0x5e,0xf7,0xac,0x95,0x5f,0xcf, + 0x80,0xb0,0x45,0xc3,0xd6,0x38,0x5f,0xf4,0x22,0xda,0xd3,0x50,0xc6,0x88,0x70,0x53, + 0x90,0x68,0xa1,0x62,0xa2,0xed,0xbb,0x93,0xce,0xef,0xed,0x96,0x77,0x93,0x9b,0x90, + 0xbd,0x3d,0xfa,0x0d,0xc0,0x53,0x46,0x0b,0x4e,0x23,0x32,0xef,0xa6,0x92,0x17,0x9a), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x6c,0xd5,0x9f,0xdd,0x3e,0xfd,0x89,0x3d,0x09,0x1a,0xfd,0xc3,0x15,0x5d,0x35,0x4f, + 0x10,0xd6,0xd8,0x81,0x67,0x42,0x7a,0x2c,0xf7,0x24,0x62,0x07,0xe5,0x17,0x91,0xa6, + 0xca,0x62,0x00,0xa9,0x14,0xcd,0x28,0x34,0xa9,0xb3,0xc7,0x9f,0xcd,0x59,0xe2,0x6e, + 0x45,0x7e,0x06,0x83,0xbc,0x33,0xd4,0x92,0x67,0xed,0xbd,0xd6,0xe5,0xd9,0x09,0x02, + 0x69,0x6f,0x1e,0x7b,0x1a,0x4a,0xff,0xc4,0xba,0x37,0x13,0x39,0x86,0x8c,0x28,0x01, + 0x5e,0xbb,0xb7,0x3e,0x26,0x26,0x69,0x86,0x6c,0x35,0xdb,0x97,0x4b,0xa6,0x9e,0x46, + 0x8f,0x25,0x83,0xb9,0x19,0x1d,0x15,0xd6,0x86,0xcd,0x66,0xfb,0x0b,0x9e,0x0f,0xf0, + 0xa3,0xb4,0x72,0x1a,0x6d,0xc3,0x42,0xf1,0x4f,0x24,0x46,0xb4,0xe0,0x28,0x59,0x5b), + .s = chunk_from_chars( + 0x39,0x74,0x90,0x0b,0xec,0x3f,0xcb,0x08,0x1f,0x0e,0x5a,0x29,0x9a,0xdf,0x30,0xd0, + 0x87,0xaa,0xba,0xa6,0x33,0x91,0x14,0x10,0xe8,0x7a,0x49,0x79,0xbb,0xe3,0xfa,0x80, + 0xc3,0xab,0xcf,0x22,0x16,0x86,0x39,0x9a,0x49,0xbc,0x2f,0x1e,0x5a,0xc4,0x0c,0x35, + 0xdf,0x17,0x00,0xe4,0xb9,0xcb,0x7c,0x80,0x5a,0x89,0x66,0x46,0x57,0x3f,0x4a,0x57, + 0x0a,0x97,0x04,0xd2,0xa2,0xe6,0xba,0xee,0x4b,0x43,0xd9,0x16,0x90,0x68,0x84,0xad, + 0x3c,0xf2,0x83,0x52,0x9e,0xa2,0x65,0xe8,0xfc,0xb5,0xcc,0x1b,0xdf,0x7b,0x7d,0xee, + 0x85,0x94,0x1e,0x4b,0x4f,0xb2,0x5c,0x1f,0xc7,0xb9,0x51,0xfb,0x12,0x9a,0xb3,0x93, + 0xcb,0x06,0x9b,0xe2,0x71,0xc1,0xd9,0x54,0xda,0x3c,0x43,0x67,0x43,0x09,0xf1,0xd2, + 0x12,0x82,0x6f,0xab,0xb8,0xe8,0x12,0xde,0x2d,0x53,0xd1,0x25,0x97,0xde,0x04,0x0d, + 0x32,0xcb,0x28,0xc9,0xf8,0x13,0x15,0x9c,0xb1,0x8c,0x1b,0x51,0xf7,0xa8,0x74,0xcb, + 0xf2,0x29,0xcc,0x22,0x2c,0xae,0xb9,0x8e,0x35,0xec,0x5e,0x4b,0xf5,0xc5,0xe2,0x2c, + 0xc8,0x52,0x86,0x31,0xf1,0x51,0x17,0xe8,0xc2,0xbe,0x6e,0xac,0x91,0xf4,0x07,0x0e, + 0xec,0xdd,0x07,0xec,0xc6,0xdb,0x6c,0x46,0xea,0xa6,0x5f,0x47,0x2f,0x20,0x06,0x98, + 0x8e,0xfe,0xf0,0xb5,0x1c,0x53,0x8c,0x6e,0x04,0xd7,0x51,0x9c,0x8e,0x3d,0xa4,0xb1, + 0x72,0xb1,0xe2,0x76,0x10,0x89,0xed,0x3a,0xd1,0x19,0x79,0x92,0xef,0x37,0xc1,0x68, + 0xdc,0x88,0x1c,0x8b,0x5f,0x8b,0xbf,0xee,0x91,0x9f,0x7c,0x7a,0xfd,0x25,0xb8,0xfc), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0xac,0xb3,0x0b,0xe9,0x09,0x2b,0x2f,0x18,0xf2,0x59,0x34,0xa0,0xd6,0x78,0xb6,0xbc, + 0xd6,0xb6,0x7c,0x2b,0x88,0xe7,0x58,0x84,0xf4,0x7b,0x4f,0xca,0xe3,0xad,0xfa,0x40, + 0x5a,0xfe,0x2c,0x7e,0x61,0xe2,0xd6,0xc5,0x08,0xb9,0x27,0x90,0xac,0x00,0xf7,0x6b, + 0x77,0xc9,0x65,0x08,0x26,0x68,0xbf,0x90,0x0f,0x70,0xa3,0x37,0x62,0xde,0x64,0x13, + 0xaf,0x93,0xaf,0x2e,0xa8,0x08,0x6f,0xda,0x29,0x3d,0xed,0x44,0x75,0xf2,0x3c,0x4c, + 0xc3,0x1a,0xd4,0x94,0xf9,0x8d,0x7d,0xd7,0xb7,0xfd,0x6f,0x7d,0x97,0x2b,0xb7,0x6c, + 0xb3,0x5a,0xdc,0x20,0x68,0x04,0xc3,0xfe,0x5a,0xcd,0xd0,0xe5,0xb8,0xb5,0x4e,0x07, + 0xc2,0x91,0x11,0xf7,0x88,0xbc,0x59,0x02,0xf4,0x0a,0xfa,0xc3,0x0a,0xfd,0xba,0xf2), + .s = chunk_from_chars( + 0xb5,0xc6,0x0d,0x8d,0xa9,0xb3,0x94,0x38,0x78,0xcb,0x23,0x59,0xcf,0x65,0xe4,0x81, + 0x7c,0x07,0x94,0xf9,0x50,0x45,0x3c,0xa7,0x7c,0x81,0xa5,0xa1,0xc1,0x58,0x55,0x91, + 0xaa,0x50,0xa6,0x74,0x68,0xe3,0xb3,0x99,0xe4,0xfa,0xf1,0xd6,0x06,0xbe,0xa0,0xd9, + 0xe6,0xcc,0x1d,0x2d,0x70,0xdb,0x80,0x63,0x73,0x9e,0x0c,0x27,0xd3,0xdc,0x9f,0x9a, + 0xfe,0x88,0xde,0xa5,0x2e,0x73,0x29,0x8a,0x07,0xd0,0x5c,0x7d,0x97,0x07,0x00,0x2e, + 0xfa,0x53,0x7c,0x38,0x9e,0x38,0xbd,0x37,0xbc,0xa7,0x4e,0xb0,0xaf,0x62,0x61,0xa5, + 0xda,0x06,0x13,0x62,0x02,0xc8,0xad,0x48,0x7e,0xeb,0xd5,0x0b,0xef,0x74,0x76,0x70, + 0x89,0xc7,0x08,0x70,0xbe,0x1d,0x8f,0xab,0x91,0x56,0xf9,0xfd,0xbc,0x2f,0x2e,0x9c, + 0xc3,0x30,0xa9,0x50,0x18,0xce,0x79,0x43,0x98,0x4b,0xec,0xc2,0x56,0x21,0xbf,0xa6, + 0x60,0x18,0xef,0x83,0x20,0xb6,0x00,0x59,0xf9,0x41,0x15,0x6e,0x9c,0xdd,0x87,0xff, + 0x0d,0x82,0xcf,0x7b,0xe7,0x74,0x65,0xe0,0x20,0x3e,0x71,0x20,0xaa,0xec,0xed,0x84, + 0xab,0xd8,0x18,0x69,0x47,0xd4,0xac,0x3d,0xaf,0x3f,0x99,0x39,0x02,0xae,0xc4,0x7c, + 0x30,0x90,0x47,0x5c,0x85,0x7b,0x5d,0x35,0x9f,0x0a,0x55,0x72,0xd4,0x68,0x8e,0x5a, + 0x76,0xa4,0x65,0x38,0x68,0xff,0x54,0xce,0x9f,0x99,0x9e,0x6b,0xb5,0x59,0xd1,0xc1, + 0x1c,0x67,0xc1,0x5b,0xe9,0xd7,0xfe,0x5f,0x8c,0x17,0x04,0x30,0x1d,0x05,0x5f,0x3d, + 0x29,0x07,0x72,0x27,0x79,0xd6,0x01,0x20,0x36,0x08,0x4e,0x95,0x0d,0xe3,0x6f,0x4f), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x60,0x1a,0x6a,0xad,0x3f,0xaa,0x79,0x88,0xd5,0xae,0x52,0x8a,0x69,0x69,0x03,0x1b, + 0x10,0xa6,0xf3,0x92,0x16,0x94,0x6a,0xa8,0x9f,0xd4,0x53,0x2c,0x8e,0xd1,0x41,0xf9, + 0xa6,0x50,0xb1,0x26,0xef,0x48,0x8f,0x7c,0x5c,0xf3,0xfb,0x2d,0xaa,0x25,0x4c,0xc2, + 0x8b,0xdd,0x55,0x56,0x04,0x19,0xe8,0x02,0x14,0xef,0x99,0x98,0x96,0xda,0xc4,0x94, + 0x68,0x52,0xd2,0x4f,0xcd,0x9f,0xb7,0x76,0x10,0xee,0xbf,0xbb,0x6b,0xa5,0x8b,0xca, + 0x26,0xf4,0x56,0x7f,0x03,0xac,0x7e,0x56,0xda,0x55,0x3f,0x23,0x81,0x7b,0xc1,0x03, + 0xee,0x48,0x55,0x92,0xa0,0x58,0xfb,0x5e,0x3b,0xc8,0x29,0x9c,0x72,0x90,0xc7,0x1a, + 0x29,0x13,0x7e,0x75,0xdb,0xf5,0x32,0x8c,0x3a,0x2d,0xcd,0x34,0x16,0x5b,0x3f,0x2e), + .s = chunk_from_chars( + 0x30,0x1d,0x60,0xd5,0x65,0x76,0xf3,0x66,0x3a,0x7f,0xbe,0x80,0x36,0xbb,0xe4,0xfb, + 0xc0,0xfb,0xd8,0x2c,0xd6,0xa4,0x2e,0x36,0xd7,0xbb,0xc8,0xb2,0x06,0x54,0x3d,0xc2, + 0xd5,0x6d,0x31,0x98,0xe7,0x91,0x1a,0xd1,0x38,0xca,0xd2,0x22,0xdd,0x99,0x05,0x0d, + 0xd1,0xf8,0x5f,0xe1,0x9c,0x8a,0x88,0xbf,0x67,0x13,0x5e,0x7f,0x8f,0x11,0xb5,0xf5, + 0xe4,0x85,0xc9,0x1f,0xc7,0xd4,0x78,0x06,0x9b,0x72,0xf4,0x6e,0xbc,0xdc,0xf2,0xd2, + 0xae,0x7d,0xe6,0xac,0x8f,0xe5,0x3b,0xb6,0xc0,0x49,0x11,0xd1,0x22,0xcc,0x23,0x1d, + 0xc2,0x10,0xb2,0x14,0x7e,0xbe,0x8b,0x05,0x2e,0x8b,0x2c,0xcc,0x09,0xf3,0x38,0xb3, + 0x49,0xde,0x20,0x25,0xcc,0x87,0xb2,0x61,0x9a,0x7b,0x16,0x33,0x47,0xca,0x66,0xa3, + 0x47,0x91,0xa2,0xe4,0x6b,0x4e,0x2a,0xc5,0x7e,0xb9,0xf6,0x02,0x9c,0xdb,0xe0,0x24, + 0xe8,0x96,0xd5,0x7f,0x7d,0x04,0x91,0xf7,0x78,0x33,0x12,0xf8,0xf0,0x6c,0x79,0x07, + 0x70,0x15,0x0c,0xd1,0x39,0xf6,0x1f,0xd2,0xb3,0xe7,0x04,0x1b,0x37,0x26,0x1c,0x6e, + 0x7e,0xa8,0x6d,0x4e,0x06,0xd9,0x30,0x0b,0x1a,0x56,0x67,0xcb,0x02,0x88,0xc5,0x50, + 0xb2,0xaf,0xb3,0x55,0x94,0x48,0x34,0xb4,0x61,0xce,0xad,0x13,0x79,0x42,0x76,0xbb, + 0x46,0xe5,0xe2,0x0a,0xec,0x7b,0x63,0xaa,0xca,0x4d,0x49,0x1a,0x50,0x0f,0xac,0xd5, + 0x9a,0x37,0xc5,0x27,0x79,0xcf,0x46,0x7d,0x74,0xaf,0x1e,0x62,0xb1,0xeb,0xe0,0xfd, + 0x0b,0xe1,0xca,0xcb,0x7c,0xe6,0xd0,0x50,0xd8,0x6e,0x4e,0xb7,0x6c,0xde,0x06,0x93), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x44,0xd3,0xe0,0xfc,0x90,0x10,0x0a,0x1c,0x93,0x16,0x06,0x3f,0x26,0xb1,0x80,0x32, + 0x6c,0xc2,0xe3,0x83,0x4c,0xe5,0x6e,0x43,0x24,0x52,0x8a,0x0b,0xbb,0x01,0x5b,0x3d, + 0x78,0x12,0x95,0x8c,0xd2,0x6b,0x91,0xbf,0x08,0xa3,0xa0,0xb1,0x12,0x1f,0x9f,0x9d, + 0xd7,0x7a,0xcb,0x98,0xa0,0x2a,0xd7,0x5f,0xcd,0x61,0x3c,0x53,0xc7,0x32,0xd1,0xc2, + 0x35,0xf5,0x9b,0x68,0x73,0xec,0xe6,0x36,0x3f,0x27,0x94,0x52,0xb6,0xa4,0xb6,0x5e, + 0x80,0xbb,0x59,0xfd,0x47,0xb9,0xa2,0x93,0x6d,0xcc,0x1e,0x4d,0xfe,0x1f,0x53,0x62, + 0xe3,0x45,0x9b,0x98,0x59,0xdb,0x32,0x09,0xa2,0x69,0x8d,0x27,0xfa,0x8a,0xed,0xfe, + 0xcd,0x4d,0x35,0xb9,0x27,0xda,0xf8,0x68,0x6c,0x59,0xd7,0x00,0x49,0x0f,0x0a,0xa3), + .s = chunk_from_chars( + 0xaf,0x22,0x29,0xe9,0x4a,0x85,0x7b,0x89,0xe0,0xe8,0x90,0xda,0xca,0x3a,0x8f,0xe1, + 0x2e,0xbd,0xba,0x04,0x94,0x8d,0x18,0x83,0xa7,0xd7,0x81,0x6a,0x3b,0x68,0x2f,0x7d, + 0xa3,0x03,0x25,0x40,0xa8,0x76,0x9f,0x9c,0xca,0xc9,0x58,0x6c,0xf2,0x4e,0x8c,0x20, + 0x4b,0x45,0xb8,0x5d,0x1b,0xdc,0xc5,0xa5,0x45,0x0a,0x21,0x5b,0x40,0x48,0xea,0x42, + 0x98,0x3b,0x34,0x56,0xfa,0x8c,0x76,0xc6,0x78,0x6e,0x02,0x4f,0x70,0x5e,0x08,0x8d, + 0x69,0x45,0x59,0xd6,0x68,0xca,0xa8,0x68,0x4c,0xad,0x0f,0xc5,0x78,0x50,0xfc,0xaf, + 0x34,0xe4,0x58,0xae,0xe8,0xfa,0xd4,0xe0,0x9e,0x6f,0x19,0x65,0x57,0xd4,0xe8,0x86, + 0x02,0x84,0xd9,0x82,0xc0,0x10,0x5d,0x98,0xce,0x49,0x12,0xe9,0x6c,0x35,0x50,0xe2, + 0xa0,0xc7,0xe8,0xba,0xd5,0xab,0xc2,0x9a,0x9a,0x54,0x2f,0x57,0xa8,0xc6,0x05,0x79, + 0x03,0x80,0x67,0xb3,0xd5,0x39,0x1a,0xbc,0x21,0xb4,0xf9,0xde,0xb0,0x24,0xca,0x58, + 0xf9,0xb0,0xc3,0x8c,0x0d,0x1f,0x82,0x37,0x3f,0x52,0x8e,0x93,0x9b,0xd7,0x3a,0x24, + 0xd5,0x01,0xc5,0x91,0x16,0x88,0x14,0xc8,0x72,0xc5,0x25,0xdb,0x0e,0x56,0xca,0xe4, + 0x7d,0xf0,0x0f,0xa3,0x72,0x8d,0xc3,0xa0,0x97,0x69,0x65,0x32,0x3c,0xe8,0xd2,0xde, + 0xe2,0xb1,0x38,0xb5,0x0a,0xb7,0xaf,0xd4,0x84,0x95,0x11,0x46,0x73,0xe9,0x1b,0xb3, + 0xed,0x22,0x05,0xe2,0x6a,0x84,0x55,0x47,0x4c,0x3d,0x4e,0xc8,0x73,0x9b,0xbf,0xf6, + 0xdf,0x39,0xb2,0xb7,0x2e,0xe0,0x50,0x41,0x09,0x30,0x42,0x3b,0x14,0x72,0xb6,0xed), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x5a,0xf0,0x90,0x77,0xa1,0xf5,0x34,0xb8,0x98,0x22,0xb2,0x6c,0x32,0x72,0xad,0xf8, + 0x50,0x0d,0x3c,0x6b,0xd9,0x0f,0x9b,0x5e,0x0d,0x8b,0x21,0x1f,0x16,0xd0,0x72,0x0e, + 0xe0,0xea,0xf6,0x46,0x2b,0x6c,0x8a,0x80,0xdf,0x6d,0x75,0x35,0x9f,0xd1,0x9d,0x03, + 0xa0,0xca,0xfb,0x52,0xbc,0x9d,0x4c,0x37,0xc2,0xaa,0x09,0x99,0x11,0xa7,0x9a,0x92, + 0x65,0x2c,0xc7,0x17,0xf0,0x74,0x6f,0xdc,0xad,0x62,0x7c,0x72,0xf1,0xc2,0x16,0xb2, + 0x43,0xd2,0x17,0x5f,0x6d,0x00,0xbf,0x07,0xd3,0xf6,0xaa,0x2a,0x04,0xd4,0xfe,0x9f, + 0x8f,0xbc,0xe9,0x32,0x18,0x94,0x4b,0x92,0xaa,0x07,0xaf,0x6b,0x4f,0xcd,0x80,0xcf, + 0xde,0x2d,0x7a,0xda,0x15,0xc0,0x5e,0x96,0xe7,0x77,0xea,0x1c,0x17,0xdf,0x08,0xfc), + .s = chunk_from_chars( + 0xa5,0x68,0x23,0xfa,0x57,0x7e,0x89,0x46,0xf1,0xd2,0xf6,0xe3,0x51,0xb7,0x38,0xb5, + 0x35,0x92,0x54,0x43,0x58,0x52,0x8a,0xf8,0x88,0x07,0xea,0x4f,0x19,0x01,0x7d,0xfe, + 0x81,0xa3,0xd6,0x9f,0x62,0xfb,0xff,0x64,0x95,0x50,0xd9,0xb3,0x10,0xfa,0xf2,0x7a, + 0x04,0x1f,0xe6,0x24,0xf0,0xa0,0x2b,0xdc,0xdd,0xb7,0x9b,0xfb,0x0a,0x46,0x57,0x39, + 0xec,0x8b,0x64,0xb7,0x48,0xcc,0x29,0xe5,0xa0,0x2c,0x77,0x7e,0x18,0x26,0xd3,0xe2, + 0xf1,0xee,0xe6,0xfe,0x2e,0xde,0xe4,0xa8,0xbc,0xac,0x51,0x9c,0x7c,0x7c,0xa5,0xc0, + 0x39,0xe7,0x6d,0x63,0x06,0x68,0x94,0x5a,0x1e,0x5e,0x86,0x18,0xe2,0x35,0x86,0x45, + 0x61,0xa4,0x40,0xe7,0x3e,0x39,0xf6,0xd6,0x84,0x2a,0xd7,0xda,0x64,0xef,0x5b,0x0c, + 0xe1,0xc4,0xab,0x88,0xdb,0x15,0x7b,0x68,0x10,0x71,0x74,0xad,0x7d,0x5c,0x9a,0x60, + 0x65,0x06,0x87,0x68,0xc1,0x1c,0x4c,0x96,0xff,0x67,0x05,0x0b,0x5d,0x07,0xb8,0xcd, + 0x02,0x7f,0xcd,0x0d,0x34,0x7e,0xc7,0x9a,0x19,0x7c,0xf4,0x34,0x35,0x98,0x5b,0xc1, + 0xae,0xb4,0x79,0xdb,0x00,0x22,0x28,0x9e,0x8d,0xd3,0xb3,0x1b,0xb7,0xc6,0x2d,0x88, + 0x31,0xcf,0xe6,0x95,0x2f,0x41,0xd2,0x4f,0x89,0xd7,0x53,0x78,0x95,0x35,0xf9,0x18, + 0xff,0x68,0xb3,0x69,0x50,0xaf,0x6f,0xd3,0x1d,0xee,0x1a,0xc4,0x76,0xa0,0xcf,0x93, + 0xaf,0xe9,0xf4,0xa7,0x66,0xf3,0xc4,0xd2,0xc0,0xc3,0xf9,0x28,0x25,0xd5,0x57,0x2e, + 0xb2,0xeb,0x8a,0x2b,0x64,0x4e,0x32,0x9e,0xea,0x16,0x83,0xf9,0x08,0x10,0xed,0x77), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0xf6,0x0a,0x3a,0x54,0x37,0x68,0xfa,0xbe,0x37,0xf0,0x03,0x00,0x9a,0x8c,0x26,0xf7, + 0xdc,0x91,0xf1,0x42,0x2d,0x44,0x29,0xed,0x7f,0x9d,0x74,0x4c,0xdd,0x4b,0x55,0x2a, + 0xfe,0xf7,0x5d,0x24,0x1a,0xcd,0xa0,0x4f,0xfc,0x39,0x67,0x21,0x59,0xee,0x24,0x8e, + 0x60,0x2d,0xab,0x71,0x92,0x44,0x9e,0x2e,0xd4,0x55,0x29,0x95,0xc2,0x58,0xf0,0x0a, + 0x47,0x63,0x46,0xe3,0x6a,0x29,0xa0,0x12,0x6b,0xc2,0x49,0x04,0x0f,0xaa,0x57,0xc9, + 0x38,0x0b,0xdd,0x74,0xb8,0x3f,0x62,0xc5,0x67,0x90,0x92,0x05,0x74,0x43,0x34,0x32, + 0xf8,0xd6,0x5c,0x5c,0xd1,0x85,0xe2,0x4f,0xad,0x13,0x12,0x72,0x65,0xc6,0xa5,0xef, + 0x8d,0xb4,0xf1,0x14,0x49,0x3d,0x5c,0xfa,0x61,0xd9,0x16,0x64,0x98,0x14,0x08,0xe9), + .s = chunk_from_chars( + 0x08,0xd3,0x96,0x48,0x1d,0xee,0xf1,0x8c,0xb0,0xbe,0xf7,0xc3,0xe8,0x26,0xfe,0x6e, + 0x5c,0x9e,0xcc,0x85,0xe5,0x23,0x0d,0x35,0xd6,0x67,0x72,0xb8,0xd2,0xd0,0x15,0xd4, + 0xe5,0xf5,0x79,0x4f,0xbe,0x05,0x50,0xdf,0x2f,0x74,0x57,0x30,0xd6,0xf8,0xd1,0xd3, + 0xb8,0x50,0xd1,0x64,0xfc,0xe4,0x63,0x08,0x05,0xe7,0x11,0xb5,0x93,0x08,0xf8,0x60, + 0x85,0x06,0xb7,0xe0,0x1e,0x8e,0x92,0x94,0xed,0x8b,0x7e,0x75,0x82,0x16,0x56,0x77, + 0xf1,0x80,0xe9,0x65,0x16,0x9d,0xca,0x81,0xb3,0xda,0xf2,0x4d,0x7b,0x92,0xfe,0x32, + 0xd6,0xa9,0xac,0x63,0x82,0x1d,0x48,0xb1,0xa0,0xa1,0x44,0xfc,0x7a,0x04,0xb0,0xbf, + 0xc6,0x3a,0x3b,0xc1,0x6a,0x0f,0xd8,0x37,0xb0,0x20,0x37,0xed,0x76,0xe5,0x0d,0x46, + 0xcb,0xfa,0x38,0x57,0xe6,0x58,0xe3,0x70,0xc5,0x86,0xab,0x1e,0xed,0x82,0x50,0x76, + 0x32,0x1a,0xc8,0xe8,0x2b,0xe3,0x74,0xba,0xcb,0x29,0x5e,0x4d,0x34,0x08,0xf0,0xcc, + 0x1f,0xc4,0xc3,0x00,0xb8,0x42,0x75,0xa5,0x1c,0x35,0x73,0xe9,0xca,0xbf,0xdb,0xe3, + 0xdc,0x51,0xe4,0xa6,0xf5,0x81,0x1d,0x86,0x0d,0x72,0x5a,0xaf,0x8f,0xd0,0xaf,0x19, + 0xa2,0x43,0x7b,0x0f,0x1c,0x80,0xf5,0xac,0x22,0x2f,0x6b,0x25,0xf1,0xfa,0x09,0xe9, + 0x33,0x99,0xa6,0x97,0x6b,0x1b,0x3c,0xa7,0x6a,0xfe,0x60,0x86,0xe9,0xb2,0x32,0xaa, + 0xe6,0xc7,0xb8,0x18,0x25,0x5b,0xf9,0x63,0xf3,0x1c,0x04,0xae,0x3f,0xa2,0x13,0x6c, + 0x0a,0x44,0x29,0x97,0xd4,0xcf,0x12,0xf3,0x95,0xfb,0x80,0x4a,0x47,0x55,0xb5,0x6b), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x2c,0x07,0xa8,0x1d,0xe5,0x89,0x55,0xb6,0x76,0xfe,0xc0,0x57,0x2d,0x48,0xd1,0x95, + 0x5b,0x48,0x75,0xff,0x62,0xa4,0x4b,0x00,0x10,0xc7,0xa1,0x07,0x2b,0x29,0x9e,0xe4, + 0x4d,0xd0,0xc0,0x76,0xf2,0x17,0x8a,0x83,0xd0,0xae,0x76,0xe7,0x67,0xe2,0x31,0xf1, + 0xd8,0x1e,0x07,0x0a,0xfa,0xb2,0x9c,0x97,0xab,0xd4,0xde,0x21,0x64,0xe4,0x37,0xb3, + 0x11,0xf5,0x07,0x84,0x1f,0x88,0x51,0xd6,0xd6,0x9a,0xb5,0x1e,0xe9,0xe2,0x9e,0x65, + 0x4b,0x54,0xbc,0xee,0x45,0xe9,0xb5,0x19,0xc6,0xa2,0x17,0x87,0xfa,0xcb,0x92,0x7f, + 0x1d,0x7d,0x64,0x91,0x92,0x66,0x14,0x79,0x2f,0xcc,0x63,0x46,0xdc,0xd0,0x80,0xbb, + 0x5c,0xf0,0x7b,0xf5,0x6a,0xd0,0xfc,0x4e,0x08,0x3a,0x35,0x82,0x14,0x63,0x15,0x10), + .s = chunk_from_chars( + 0x9a,0xa3,0x91,0xe7,0xc2,0xf0,0xe9,0x20,0xaa,0xc2,0x7e,0xd9,0xfc,0x20,0x81,0xd3, + 0xc9,0xca,0xa3,0x73,0x58,0x83,0xd0,0x1a,0xd7,0xa7,0xe3,0xb1,0x18,0x67,0xd0,0xad, + 0x62,0x41,0x56,0x47,0x7b,0xbb,0xdd,0xe6,0x59,0xf4,0x74,0x68,0x2d,0x0d,0x77,0x44, + 0x89,0xe2,0xb5,0xb0,0x39,0xd1,0xeb,0x35,0x45,0x4c,0x9e,0x3e,0xed,0x78,0xcf,0xf9, + 0xc4,0x26,0x2e,0x3a,0xec,0xfc,0xa1,0xd8,0x17,0x54,0x2b,0x48,0x60,0x96,0x59,0x8e, + 0x11,0x14,0xbf,0xc0,0x3f,0x20,0xa4,0x5d,0xe3,0x6f,0x6d,0xf7,0x0d,0x14,0x4d,0x01, + 0xdc,0x48,0x66,0xa0,0xf8,0x33,0x19,0xe7,0xc2,0xb8,0x53,0x0f,0x8c,0x27,0xa4,0x1b, + 0x7a,0xdd,0x9f,0x69,0x2d,0x8a,0x8e,0x64,0x64,0x55,0xb6,0x7c,0x9e,0xc4,0x7a,0x4d, + 0x2c,0xe3,0xdf,0xe3,0x5d,0x6a,0x2e,0x89,0xd9,0xbe,0x50,0xc5,0xb6,0xda,0x39,0xbb, + 0x02,0x54,0xbd,0x23,0xa8,0x09,0xab,0x97,0xb2,0xb4,0x8a,0x06,0x8a,0x87,0xab,0xde, + 0x6b,0x6a,0x6e,0x35,0x95,0x5f,0xc9,0x2a,0x96,0x26,0xf9,0x60,0x7d,0x5b,0x3f,0x40, + 0x15,0x17,0x27,0x15,0x94,0xbe,0xf7,0x38,0x59,0x81,0x2b,0x6a,0x62,0x1e,0xd6,0xbd, + 0xaf,0x3c,0x5f,0x2a,0x90,0xb1,0xe1,0x68,0x0f,0x68,0xdc,0xfc,0xca,0xcb,0x65,0xe0, + 0x08,0x1f,0x1c,0xcb,0x6a,0x20,0x73,0x70,0x9d,0x1b,0xa0,0x67,0x06,0x50,0x16,0xed, + 0x73,0xeb,0xd7,0xeb,0xe9,0xe7,0xa7,0xb6,0x0c,0x8c,0x9d,0xd0,0x4a,0x56,0xfa,0xb3, + 0x07,0x02,0xc8,0xa6,0xdf,0x6a,0x35,0x3a,0x30,0x10,0x47,0xdf,0x4c,0x7a,0xff,0x62), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x35,0xec,0x92,0xaf,0xdb,0xc2,0xfc,0xef,0xe4,0x8f,0x1e,0x2f,0x6e,0x48,0x29,0xae, + 0x53,0xb3,0xda,0x04,0x59,0xcc,0x4e,0xa8,0xa9,0x68,0x18,0xb5,0x83,0x18,0x91,0xee, + 0x2f,0x50,0x6f,0xff,0x37,0xc8,0x99,0x06,0xd3,0x23,0x3a,0x51,0xa5,0xcf,0x14,0x69, + 0xa6,0x2c,0x18,0x50,0x61,0xf0,0x33,0x08,0x5f,0xca,0x6a,0x54,0xe2,0x45,0x29,0xc3, + 0xd6,0xf0,0xd8,0xe9,0x04,0xbc,0xb0,0xf0,0x89,0xa5,0xcd,0x50,0x86,0x94,0x84,0xda, + 0x1a,0x84,0xf6,0xfb,0x8d,0xe4,0xe5,0x3f,0xce,0x3d,0xc7,0x14,0x20,0x15,0x19,0xd1, + 0x10,0x13,0xf6,0xf6,0xaa,0x64,0xe8,0xb5,0xec,0x5c,0xfe,0xb2,0x7b,0x61,0x1f,0x08, + 0x95,0x05,0x9d,0x8c,0x47,0x72,0x0d,0x55,0xe0,0x0b,0x57,0x7c,0xa5,0x50,0x09,0x20), + .s = chunk_from_chars( + 0x6b,0x0f,0x5b,0x50,0xe6,0x78,0xda,0x08,0x3e,0xd0,0xf1,0xb6,0x4e,0x94,0x3e,0x8c, + 0x62,0x79,0xc7,0x24,0x6a,0xf5,0xad,0x07,0x9c,0xdb,0xf2,0x23,0xe4,0x2a,0x0d,0x47, + 0x1e,0x56,0x31,0x4b,0xc0,0xd5,0x8f,0x20,0x2a,0xa6,0xc5,0xe1,0xe5,0x25,0x59,0x85, + 0xb0,0x79,0x5d,0x48,0xeb,0x3d,0x4b,0x8e,0x3f,0xc9,0x22,0x40,0xae,0x02,0xb4,0x08, + 0x8c,0x6c,0xe8,0xab,0x0e,0x8c,0x79,0xc6,0x8d,0xfd,0xc4,0x86,0x57,0xd6,0xa2,0x82, + 0x95,0x39,0x1b,0x9a,0x5a,0x5f,0x35,0x25,0x51,0x26,0xbf,0x8c,0xa5,0x3c,0xbc,0xc0, + 0x08,0x2e,0xab,0x52,0xec,0x10,0x9d,0x22,0xa1,0x18,0x5f,0x6d,0xc7,0x92,0xfc,0x29, + 0x0a,0xa8,0xdb,0xae,0xbb,0x2f,0xbe,0x40,0x4f,0x1d,0x03,0x9a,0xa6,0x34,0x3c,0xd7, + 0xaf,0x9f,0xcb,0x2d,0x1e,0x05,0xde,0xf4,0x80,0x96,0xc2,0x37,0xe1,0x0d,0xaa,0x7c, + 0xfa,0xc5,0xae,0x9b,0x3b,0x30,0x22,0x00,0x5d,0x0d,0x2d,0x5c,0x9c,0x5c,0x50,0x2b, + 0x2f,0x23,0x59,0x4e,0x80,0xd1,0x60,0x4b,0xbb,0x8f,0x5d,0xec,0x07,0xcd,0x3a,0xfe, + 0x1f,0x77,0x77,0x43,0xb0,0xb5,0x8a,0x4e,0x0e,0x4e,0x5c,0xaa,0x14,0x88,0x30,0xee, + 0xe0,0x47,0x96,0x8e,0x7f,0x40,0x66,0x1f,0x9f,0x1a,0x02,0xe1,0xa7,0xfd,0x2b,0x6c, + 0xaf,0x19,0x32,0x6a,0x75,0xe9,0x56,0x5e,0xfd,0xc0,0x11,0x4b,0xce,0xcb,0x14,0xdd, + 0xa0,0x6c,0x32,0x9c,0xf3,0x22,0xa5,0xbd,0x3e,0x6a,0xb4,0x8d,0x95,0xf2,0xd2,0xa9, + 0xc1,0xc1,0x23,0x3a,0x0a,0xa0,0x15,0xa7,0x38,0xf9,0x01,0xf1,0x31,0x48,0xb4,0x54), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x80,0xc9,0xde,0xbd,0xf9,0x31,0x74,0xd7,0x57,0x50,0xa6,0xcf,0x09,0xaf,0x71,0xfc, + 0x18,0xfd,0x51,0x3b,0xff,0x9c,0xb4,0x91,0xbe,0x60,0xaf,0x11,0x2a,0x93,0xf0,0x00, + 0x87,0x3c,0xf4,0x38,0x58,0xa0,0x7a,0xca,0x76,0x0a,0x37,0xe7,0x60,0xc8,0xcb,0x01, + 0xd2,0x76,0xf4,0x2d,0x99,0x7f,0x01,0xcc,0xa5,0xe0,0x8a,0x6a,0x60,0x2f,0x5f,0xe6, + 0x3e,0xdc,0xbe,0xd3,0x95,0xb8,0xc9,0x1f,0xb0,0xb3,0x36,0xf2,0x1f,0xea,0x49,0xd9, + 0x50,0xe1,0xff,0x24,0x64,0x0c,0x8d,0x8d,0x3b,0x95,0x08,0x1a,0xd1,0x59,0x66,0x44, + 0xce,0x34,0xa5,0x58,0x58,0x7e,0x4a,0x1e,0x2c,0xd5,0x0d,0xb9,0xed,0x1d,0xd3,0xce, + 0xbb,0xc6,0xdc,0xe8,0x08,0x4d,0x3e,0x1b,0xa7,0x06,0x92,0xe8,0x26,0x18,0xed,0x61), + .s = chunk_from_chars( + 0x4a,0x15,0xa7,0x83,0xad,0xbf,0x27,0x46,0x22,0xd5,0xa6,0x10,0xbb,0x6f,0xc7,0x33, + 0x37,0x99,0x9e,0x44,0x5d,0xc2,0x13,0x3a,0xcc,0xb7,0x88,0xd6,0x20,0x3d,0x70,0xf3, + 0xcd,0xc6,0x3e,0x67,0xda,0xa4,0x17,0x1a,0x79,0x52,0xa4,0x98,0x64,0x56,0xfa,0xb3, + 0xc0,0x77,0xa8,0x94,0x1f,0xb2,0x59,0xe3,0x7a,0x5c,0x0c,0xbb,0x20,0xc4,0x08,0xfa, + 0x24,0xad,0x0e,0xc8,0x50,0xe9,0xbf,0x02,0x8c,0x36,0x04,0x60,0x99,0x41,0xf5,0xae, + 0x2f,0x18,0xbf,0x1a,0xc3,0x7a,0x24,0xf7,0x55,0xab,0xb9,0xc8,0x5d,0xdc,0xd0,0xbf, + 0x4a,0x12,0xfa,0xbd,0x9d,0x25,0x30,0x29,0xe0,0x81,0xf6,0x28,0xe2,0xbb,0xe9,0xf9, + 0xaf,0xe9,0x22,0x49,0x54,0xd8,0x31,0x5d,0xb8,0x6c,0x21,0x25,0x51,0x2b,0xb9,0x8c, + 0xe9,0xb3,0x69,0x30,0x99,0x4b,0x09,0x1a,0x8a,0x1d,0x7d,0x4e,0x2f,0x4a,0x0e,0x58, + 0xd0,0xa3,0x58,0x76,0xad,0xad,0x14,0x30,0x05,0x30,0xb3,0x9c,0x8d,0xc1,0x1d,0xed, + 0x3e,0xf2,0xfa,0x95,0xd5,0xf2,0x2e,0x67,0xca,0xe3,0x4c,0xc2,0x1a,0xd5,0xe2,0x3f, + 0x91,0x22,0xb5,0x3d,0xfb,0x79,0xf1,0xa2,0xac,0x63,0xc1,0x84,0x4e,0x9e,0xf0,0x69, + 0xa2,0xe4,0x1f,0x17,0x8d,0x6d,0xce,0xdc,0x51,0x8a,0xaf,0xcf,0x81,0xe0,0xeb,0xd8, + 0x82,0x55,0x6e,0x73,0x1c,0xb0,0xab,0x41,0xd9,0x57,0x27,0x4a,0x3f,0xbb,0xb7,0xce, + 0xf2,0x60,0x87,0x91,0x00,0x0c,0x6b,0x86,0x08,0x68,0xcb,0x73,0x93,0xe7,0xd0,0x3d, + 0x94,0x56,0x89,0xff,0xb7,0x75,0x55,0xef,0xe0,0x8f,0x46,0x14,0x51,0xd3,0x3c,0x11), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x31,0x39,0x5c,0xef,0x34,0x95,0x51,0x34,0x3a,0x49,0x27,0x1a,0x8d,0x81,0x2b,0x4c, + 0x7b,0x65,0xb4,0x55,0xb7,0xed,0xa8,0x11,0xfc,0xf7,0x41,0x61,0xf3,0x97,0x11,0x23, + 0x57,0xae,0x44,0x62,0x57,0xbe,0x26,0xc9,0x3c,0xfc,0xe5,0x5e,0x4b,0xa7,0x97,0x6d, + 0xed,0x99,0x7e,0xc1,0x0d,0x1c,0x8b,0x1a,0xc2,0xfe,0x22,0xdc,0x2e,0xe8,0x1d,0x05, + 0xa6,0xeb,0x13,0x61,0x12,0x5c,0xda,0x01,0x97,0xe2,0x4a,0xe9,0x74,0xcd,0x44,0x09, + 0x2a,0xa9,0xf3,0x6f,0xe0,0x13,0x52,0xba,0x05,0xcc,0xef,0xd2,0x37,0x0c,0xee,0xd6, + 0x64,0x19,0x50,0x56,0x2f,0x17,0x76,0xc3,0x95,0x22,0xe0,0x23,0xd0,0x9a,0x3b,0x09, + 0x7b,0xbe,0x9b,0xc5,0xf8,0x7d,0x05,0xd8,0x0f,0x88,0x30,0xab,0xd7,0xac,0x8c,0x80), + .s = chunk_from_chars( + 0x16,0x2f,0x38,0x76,0x95,0xcf,0x9d,0x82,0xdd,0xa8,0x9c,0x74,0x93,0x18,0xe4,0x6c, + 0x9b,0xe8,0x95,0xec,0x36,0x4e,0xa4,0xae,0xce,0x97,0xcc,0xfa,0x63,0x92,0x5a,0xf3, + 0x71,0x08,0x94,0xda,0x2b,0x7b,0x59,0x67,0xe4,0x6f,0x4e,0xfa,0x80,0xca,0x25,0xd2, + 0xa9,0x65,0xa7,0xe1,0x5f,0x75,0xe0,0xaa,0x1b,0xd4,0x25,0x0f,0x8f,0x41,0x09,0x9e, + 0x6e,0x97,0x14,0xc3,0xfc,0x43,0x11,0x07,0x7a,0xe9,0xbd,0xdf,0xe3,0x5b,0xa4,0x72, + 0x75,0x31,0x52,0x9c,0x23,0x9d,0x54,0x6a,0xb1,0xc2,0x98,0x18,0x7f,0x16,0x5f,0x70, + 0x8c,0xcc,0x0a,0xe3,0x97,0x9a,0x8d,0xa1,0x93,0xe3,0x48,0x59,0xa5,0x9c,0x2c,0x3b, + 0xc4,0x22,0x53,0xc8,0x34,0x66,0x88,0xe6,0xbb,0xa6,0xfb,0x1b,0x01,0xb1,0x0c,0x1e, + 0xc2,0xc6,0x49,0x3d,0xed,0xcc,0x26,0x96,0x26,0x9d,0x85,0x1b,0xde,0x63,0xe2,0x7e, + 0x37,0xbe,0xd3,0x57,0x45,0x5c,0x8f,0xee,0x56,0x29,0xf9,0x4a,0xfa,0x7a,0x98,0x66, + 0x95,0xcf,0xd5,0xb9,0x92,0x12,0x65,0x7a,0x6c,0x88,0x46,0x44,0x59,0x60,0x86,0xb8, + 0x9e,0x0c,0x7c,0x05,0xe8,0x19,0xfa,0xeb,0xeb,0xef,0x74,0x5f,0xd2,0x95,0xaf,0x88, + 0x66,0xe0,0x75,0x0f,0x54,0x79,0xba,0xed,0x50,0xcb,0xb3,0xd0,0x59,0xf8,0xa5,0xeb, + 0x7e,0x0e,0x61,0xe2,0x73,0x3a,0xe5,0x0f,0x0c,0x1e,0xc4,0x2b,0xe7,0x1f,0x5d,0xff, + 0x32,0x41,0x95,0xcb,0x4f,0x0e,0x94,0x1a,0x21,0x56,0x15,0x13,0xc3,0x03,0x7d,0xb9, + 0x2f,0xec,0x95,0x56,0xb7,0x72,0xcc,0xab,0x23,0x9e,0x34,0xb1,0x87,0x6c,0x56,0xb1), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0xa7,0xc3,0x09,0xd4,0x4a,0x57,0x18,0x8b,0xbd,0x7b,0x72,0x6b,0x98,0xb9,0x8c,0xe1, + 0x25,0x82,0x22,0x8e,0x14,0x15,0x86,0x48,0x70,0xa2,0x39,0x61,0xd2,0xaf,0xb8,0x2c, + 0xd5,0xbc,0x98,0xbe,0xc9,0x22,0xd5,0xf2,0xac,0x41,0x68,0xb0,0x56,0xda,0x17,0x6e, + 0xf3,0xba,0x91,0xf6,0xb6,0x99,0xba,0x6a,0xcc,0x41,0x44,0x86,0x8f,0xf3,0x7f,0x26, + 0xfd,0x06,0x72,0x08,0x68,0xd1,0x2a,0xd2,0x6e,0xcb,0x52,0x57,0x2c,0xf1,0x04,0x16, + 0xaf,0x68,0xdf,0x03,0xab,0x64,0x5a,0x8b,0x70,0x48,0x57,0xd2,0x19,0x0f,0xfc,0x3f, + 0x07,0xea,0xbe,0x3a,0x8e,0x2a,0xbe,0x34,0xed,0x61,0x59,0xe8,0x84,0xc4,0xfa,0xe1, + 0x41,0xd4,0x33,0x3d,0x5c,0x3e,0x0d,0xb0,0x44,0xff,0x9c,0xcc,0xd9,0xcb,0xd6,0x7f), + .s = chunk_from_chars( + 0x14,0x8a,0xf6,0x1e,0xd5,0xea,0x8a,0x87,0xa0,0x8b,0x3f,0x40,0x39,0x29,0xbf,0x80, + 0x31,0xdb,0x4f,0xd3,0x99,0x9b,0x64,0x40,0x9b,0xa4,0x89,0xf9,0x7a,0x3e,0xe5,0x20, + 0x8e,0xa4,0x20,0x2d,0x2e,0xc1,0x87,0x34,0xf6,0x15,0x00,0x3a,0x51,0xf7,0x74,0x41, + 0x08,0x5b,0xe6,0xac,0x0f,0x11,0x81,0x0f,0xfa,0x2d,0xad,0x58,0xf0,0xe1,0x86,0xd5, + 0x52,0x0a,0xc2,0xb8,0xa5,0xd3,0x96,0x6e,0x8d,0x2a,0xbb,0x80,0x74,0xe1,0x3b,0x50, + 0xa4,0xe7,0xde,0x83,0xbe,0x10,0xa6,0x6f,0xdc,0x7c,0xa1,0x81,0x18,0xc5,0x77,0x4f, + 0x78,0x12,0x12,0xde,0x9e,0xfe,0xbc,0x63,0x76,0xfc,0xdd,0xdc,0x65,0xa3,0xb1,0xb8, + 0xf1,0xab,0x31,0x49,0x2f,0xe4,0x78,0x25,0x9c,0xe7,0x19,0xb3,0xdb,0x58,0x74,0x98, + 0xd8,0x79,0xa0,0x1d,0xec,0x96,0xe8,0xea,0xbe,0xb0,0x7f,0xf7,0x07,0x3f,0x3f,0x3e, + 0xb4,0x46,0x08,0x49,0x55,0xca,0x26,0x32,0x9a,0x79,0x13,0x15,0xa2,0xc2,0x59,0xd2, + 0x25,0xe2,0x6b,0x21,0x54,0xb2,0x04,0x7b,0x21,0xfa,0xba,0x68,0x11,0x5b,0xfd,0x96, + 0x2e,0x5e,0x24,0xec,0x52,0xd7,0xc5,0xd2,0x31,0xe3,0x04,0x4c,0xbc,0xd8,0xc8,0x80, + 0x48,0x55,0x70,0x3c,0xba,0xa6,0x22,0xb1,0x5b,0x6e,0xf7,0x8c,0x74,0x21,0xa3,0x67, + 0x16,0x6f,0x1b,0x02,0x57,0x6c,0x87,0x36,0x05,0x93,0xda,0x75,0xb7,0x18,0x9e,0xfa, + 0xfd,0x10,0x82,0xbd,0x59,0xf6,0x85,0x7f,0x17,0x01,0xf6,0x46,0xc2,0x4d,0x70,0xc9, + 0x52,0x73,0xc4,0x9d,0x5b,0x11,0xe6,0xaf,0xe2,0x58,0x82,0x1b,0x55,0xc1,0x68,0x0c), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0xca,0x50,0x5d,0x45,0x91,0x12,0x16,0x64,0x99,0x07,0x47,0xd9,0x5d,0x95,0x55,0xcc, + 0x75,0xbf,0xc3,0xfd,0xae,0xec,0xee,0xaa,0x60,0xea,0xfa,0xb3,0xfc,0x32,0x0c,0xfc, + 0xe5,0x6e,0xb9,0x13,0x81,0x38,0xbf,0x13,0x8f,0x25,0xf3,0xc8,0xbb,0x02,0x7b,0x13, + 0x6f,0x5d,0x3d,0x90,0xed,0x48,0x97,0x77,0x9b,0x59,0x51,0xc0,0x9d,0xf5,0xd0,0x8b, + 0xa9,0xce,0x8c,0xbe,0x17,0xab,0xc4,0xf0,0x38,0x68,0x70,0x86,0xe9,0x3d,0x77,0x1b, + 0x68,0x43,0x22,0x26,0x66,0x33,0xd0,0xd6,0x5d,0x71,0xec,0x41,0x23,0x4a,0x1d,0xbe, + 0xc0,0x7a,0xbc,0x8f,0x7d,0xf2,0x8b,0xc4,0x3d,0xd8,0xa4,0x5b,0x10,0xce,0xaf,0xac, + 0x06,0x77,0x58,0x05,0x41,0x37,0x01,0x91,0x4e,0x3b,0xb3,0x7e,0xb6,0xba,0x5b,0x5e), + .s = chunk_from_chars( + 0x58,0x9c,0xcd,0x4e,0xbf,0x97,0x64,0xf8,0x7e,0x6a,0xfa,0x7f,0x13,0xc4,0x06,0x25, + 0x79,0xb0,0x22,0x28,0x11,0x7b,0x15,0xa8,0x73,0x8a,0xb3,0x9c,0xd6,0x44,0x77,0x06, + 0x9c,0xb4,0xf5,0x2c,0xd8,0xd5,0xf4,0x57,0x4c,0x65,0x7b,0x45,0x38,0x35,0xca,0x3c, + 0xed,0xb8,0x24,0xf0,0x3b,0x92,0xa5,0x73,0xd6,0xd3,0xd9,0x13,0x61,0x31,0x3f,0x11, + 0xbd,0xcb,0x34,0xd2,0x05,0x9f,0xe2,0xe6,0xce,0x2b,0x85,0x44,0x61,0xaf,0x58,0xa9, + 0x29,0x4c,0x88,0xcb,0xfb,0x2a,0x63,0x99,0x76,0xb5,0x6e,0x47,0x48,0x02,0x6f,0x30, + 0x40,0xe2,0xfd,0x71,0x12,0xd6,0xad,0x44,0x50,0x06,0x89,0xac,0x77,0x7c,0x07,0x1d, + 0x17,0x39,0x19,0x69,0x76,0x2e,0x18,0x64,0x17,0xc4,0x40,0x0a,0xbd,0xda,0x5c,0x16, + 0xdc,0xe0,0x07,0x76,0x42,0xf1,0xfc,0x13,0x54,0xe0,0xe8,0xc1,0x4e,0x55,0x8c,0x92, + 0x3c,0x1b,0xfb,0x85,0x48,0x8b,0x83,0x50,0xf4,0x15,0x86,0x6a,0x60,0x87,0x1e,0xd7, + 0x15,0x1f,0x5f,0xbc,0x5b,0x88,0x05,0x00,0x01,0x19,0x77,0xc7,0x78,0xe1,0x7f,0xe8, + 0x91,0x8c,0x5d,0x34,0x3f,0x70,0xb0,0x0d,0x58,0xf7,0x18,0x95,0x61,0x25,0xfe,0x28, + 0xb3,0xa5,0xe2,0xd0,0x76,0x04,0xa2,0xb8,0xa8,0x77,0x20,0x44,0x34,0xce,0x90,0x3b, + 0x35,0xa0,0x30,0x93,0x6b,0xc7,0x19,0x51,0xca,0x59,0x3d,0xf9,0x7d,0x24,0xe8,0xe8, + 0xad,0x8f,0x2d,0xc9,0xb7,0x8f,0x76,0xef,0x13,0xa1,0xd3,0x86,0xca,0x85,0x7c,0xed, + 0x48,0xf1,0x9f,0x3e,0xbe,0x39,0x10,0x8f,0x9b,0x33,0xff,0x59,0xeb,0x05,0x56,0xb1), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x23,0x7a,0x7e,0x44,0xb0,0xa6,0xc2,0x68,0xbb,0x63,0x36,0x4b,0x95,0x8a,0xe0,0x2b, + 0x95,0xe7,0xee,0xd3,0x6b,0x3e,0xa5,0xbf,0xb1,0x8b,0x9b,0x81,0xc3,0x8e,0x26,0x63, + 0xd1,0x87,0x14,0x4e,0x32,0x3f,0x9c,0xea,0xfb,0x47,0x95,0x07,0xd1,0x84,0xe6,0x3c, + 0xfb,0xec,0x3e,0xcd,0xbb,0x8a,0x05,0xd2,0xdf,0xc8,0x92,0x96,0x93,0xed,0x9e,0x3e, + 0x79,0xe5,0xf8,0xab,0xfc,0x41,0x7b,0xa1,0xe1,0x7e,0x3e,0x28,0x1e,0x8a,0x0a,0x32, + 0xf0,0x84,0x11,0x7f,0x28,0xc3,0xdc,0xbe,0xc5,0x1b,0x86,0xf5,0xc8,0x5b,0x28,0x22, + 0x44,0x1a,0x94,0x23,0xb5,0xb4,0x46,0xd3,0x92,0x8f,0x97,0x76,0x26,0xa3,0x34,0x57, + 0x9b,0x39,0xcf,0xaf,0x58,0xf2,0x14,0xc9,0x8d,0x0c,0xdf,0x64,0x0b,0xe1,0xac,0x59), + .s = chunk_from_chars( + 0xaf,0x07,0x6b,0xc2,0x13,0xca,0xf7,0x56,0x19,0xf4,0xbd,0x1d,0x78,0x7c,0xc1,0x98, + 0xf7,0xdf,0x33,0x24,0xa0,0xdd,0x87,0xa8,0x84,0x16,0xe0,0xa4,0xb8,0x1c,0x2f,0xb9, + 0xa9,0xdb,0x5f,0x98,0xae,0xd4,0x3b,0xc1,0x5f,0xe2,0x35,0x71,0x43,0xa6,0xe4,0xff, + 0x70,0x1d,0x9c,0x48,0xf5,0x1d,0xe9,0xeb,0x80,0x36,0x70,0xbb,0xc4,0xb0,0xae,0xa7, + 0x22,0x0b,0xe2,0xf8,0x4b,0x83,0x00,0x31,0x8c,0x77,0xa9,0xf6,0x15,0x98,0x6c,0x49, + 0x80,0xab,0xda,0x85,0xe3,0xad,0x00,0x89,0x56,0x4d,0xba,0xf7,0xf4,0x4d,0x81,0xb6, + 0x66,0x4e,0xec,0x03,0x11,0xad,0xb1,0x94,0xd4,0x6d,0xe9,0x6b,0xb1,0x7d,0x5a,0x5d, + 0x47,0x42,0x68,0x45,0x80,0x2c,0xa0,0xf4,0x9a,0x16,0x9e,0xb8,0x2b,0x75,0xaf,0xa1, + 0x91,0x02,0x7a,0x0c,0xc8,0xfc,0xe9,0xdd,0x16,0x05,0x53,0x50,0xdf,0x97,0x45,0xfc, + 0x72,0x00,0xff,0x9f,0x4e,0xa3,0xcf,0xbf,0xc6,0x6c,0x42,0x84,0x81,0x13,0xe3,0xbe, + 0x32,0x93,0xd5,0x10,0x38,0x2d,0x09,0x99,0xf0,0x32,0x51,0x55,0x27,0xbd,0x99,0xf6, + 0x6e,0xfa,0x2a,0x75,0x5e,0x01,0x12,0x47,0xb2,0x23,0xa6,0x8e,0x51,0x25,0x8b,0x6b, + 0xc3,0x19,0xa7,0xcd,0xef,0x4a,0xec,0x53,0x3e,0x9d,0xcd,0x8a,0xe2,0x6e,0x34,0x9e, + 0x5b,0x33,0xc7,0x91,0x21,0x90,0x7d,0xe5,0x09,0xa1,0xcb,0x83,0xc2,0xe5,0x9a,0x47, + 0xc1,0xa8,0x84,0xbf,0x68,0xe7,0x22,0x93,0x16,0xa6,0x2e,0x3c,0x49,0xd1,0xf5,0x42, + 0xeb,0xe7,0x10,0x5c,0xfc,0x27,0x09,0x92,0x68,0x12,0x0a,0x77,0x43,0x90,0x84,0x71), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0xab,0x18,0x93,0x92,0x30,0xb0,0x96,0x64,0x6a,0x37,0xa7,0x81,0x62,0x9f,0xbd,0x92, + 0x70,0xf3,0x89,0x1a,0x5c,0xea,0xb4,0xa8,0xc3,0xbc,0x68,0x51,0xbc,0x34,0x11,0x5d, + 0xbc,0x06,0x65,0x41,0xb7,0x64,0xa2,0xce,0x88,0xcc,0x16,0xa7,0x93,0x24,0xe5,0xf8, + 0xa9,0x08,0x07,0x65,0x2c,0x63,0x90,0x41,0x73,0x3c,0x34,0x01,0x6f,0xd3,0x0a,0xf0, + 0x8f,0xed,0x90,0x24,0xe2,0x6c,0xf0,0xb0,0x7c,0x22,0x81,0x1b,0x1a,0xe7,0x91,0x11, + 0x09,0xe9,0x62,0x59,0x43,0x44,0x72,0x07,0xdc,0xd3,0xff,0xf3,0x9c,0x45,0xcb,0x69, + 0xee,0x73,0x1d,0x22,0xf8,0xf0,0x08,0x73,0x0c,0xe2,0xef,0xc5,0x3f,0x11,0x49,0x45, + 0x57,0x3e,0xa2,0xdd,0xeb,0xb6,0xe2,0x62,0xc5,0x27,0xd2,0x0f,0x8b,0xb1,0xdc,0x32), + .s = chunk_from_chars( + 0x95,0xbd,0x0b,0xf2,0x36,0x2f,0x34,0xb2,0xe0,0x40,0x75,0xb2,0x93,0x4f,0x40,0x47, + 0x98,0x70,0x3e,0xa4,0x72,0xb8,0x1a,0xc3,0xcc,0x22,0x3a,0xec,0x48,0x6e,0x4c,0x3d, + 0x9c,0x5d,0x1c,0x2f,0x9e,0xe2,0x24,0x17,0x13,0x29,0x64,0xed,0x58,0xe4,0x99,0x37, + 0xf5,0xb2,0x57,0xd3,0x16,0xca,0x7f,0xff,0xe2,0x90,0xb1,0x9f,0x5b,0x58,0x10,0x38, + 0x36,0x81,0x2b,0xef,0x30,0xca,0x03,0x27,0x03,0x9d,0x8b,0x9e,0xa9,0x12,0x95,0x39, + 0x2f,0xc3,0x94,0xb8,0x81,0xe2,0xd2,0xac,0x9e,0x30,0xc5,0xa4,0x42,0x56,0x70,0x0f, + 0xc9,0xde,0x0d,0xba,0x29,0x82,0x73,0xae,0xc3,0x0c,0x4f,0x77,0x8d,0x2e,0x71,0x27, + 0xe8,0xb8,0xa8,0x8b,0x02,0x74,0xfc,0xe0,0x40,0x81,0xcc,0x13,0xad,0xbe,0xfe,0x55, + 0x50,0x14,0xe1,0xb5,0xd5,0xdc,0xf6,0x22,0x4c,0x5a,0xe2,0x77,0x54,0x23,0xa6,0x6c, + 0x81,0x81,0x8e,0xec,0x01,0x4a,0x3f,0xaf,0x9e,0xe7,0x5a,0x3f,0x6c,0x3e,0x51,0xc5, + 0x56,0xb0,0xa2,0x88,0xe8,0xc2,0x62,0x94,0x66,0x84,0xeb,0x62,0x8b,0x88,0xe3,0xf8, + 0x75,0xe6,0x2e,0xf6,0xe8,0x01,0xca,0xe7,0x5f,0x61,0xce,0xe4,0x04,0x97,0x1c,0x39, + 0xd2,0x4a,0x97,0x12,0xeb,0x34,0x2d,0xdc,0x66,0x35,0x15,0xde,0xc1,0x03,0xb1,0x8d, + 0x97,0xd7,0x8e,0xd6,0x82,0x12,0xf2,0x79,0x00,0xe7,0x7c,0x04,0x9b,0x60,0xc8,0x53, + 0x00,0x2b,0x08,0x02,0x2d,0xf5,0x6f,0x70,0x7e,0xfa,0x71,0x02,0x75,0x89,0xe1,0xa3, + 0xca,0x6e,0x41,0x5b,0xa5,0xf4,0x43,0x7e,0x97,0x8b,0x07,0xaf,0x3b,0x73,0xba,0x0d), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0xa2,0x80,0xe8,0x9c,0xeb,0x2c,0x8c,0xf2,0x62,0x97,0x19,0x1b,0xaf,0x9a,0x95,0x5d, + 0x0d,0x52,0x37,0x5d,0xa0,0x23,0x63,0x3e,0x0a,0xfc,0xdb,0x0d,0x39,0xdc,0x33,0x5d, + 0x82,0x95,0x85,0x2e,0xf4,0xd0,0x67,0x14,0xe6,0x51,0x1a,0x95,0xd3,0x7c,0x04,0xd2, + 0x68,0x18,0x60,0x6a,0xda,0x54,0x35,0x9b,0x7d,0x07,0x84,0xaa,0x93,0x3c,0xc6,0x85, + 0x61,0xee,0x96,0xa8,0x89,0x10,0xaa,0x3d,0x93,0xd1,0x07,0x87,0xcd,0x1d,0x75,0x80, + 0x55,0x67,0x31,0xc1,0x74,0xa6,0xe3,0xa3,0x2d,0x9d,0xcf,0xa4,0x16,0x60,0x4f,0x0c, + 0x67,0x14,0x81,0xd0,0x51,0xf6,0x3d,0xb6,0x91,0x9f,0x4a,0xba,0x44,0x86,0xd1,0xb0, + 0xfd,0xc6,0x11,0x2c,0x15,0x21,0x55,0x9f,0x42,0x45,0x23,0xc2,0x6b,0x4f,0xb7,0x38), + .s = chunk_from_chars( + 0xcd,0x60,0xde,0x3b,0x4a,0x12,0x89,0xa8,0x4c,0xa7,0x61,0xf9,0x0f,0xa6,0x3f,0x4d, + 0x56,0x88,0xbd,0x88,0x5f,0x4b,0x53,0x1c,0x85,0x15,0xad,0xd2,0xde,0x12,0x51,0xf9, + 0x93,0xff,0x7f,0x98,0x6b,0xef,0x3f,0xba,0x69,0x2e,0xcd,0xeb,0xc8,0x19,0x42,0xd7, + 0x42,0x9c,0x7a,0x59,0xc5,0xd3,0xf1,0xfb,0x87,0x2f,0xc1,0xda,0x19,0x15,0xe9,0x45, + 0x86,0xa5,0xc3,0xd9,0x63,0x60,0x36,0x19,0x00,0x8f,0x7e,0xfe,0xde,0xd1,0xd7,0x0b, + 0x0a,0x11,0xce,0x2c,0xd8,0x1b,0x5b,0x0d,0x86,0xb3,0x76,0x0c,0x94,0x83,0x67,0x4f, + 0x55,0xe9,0xfa,0x47,0xf2,0xf3,0x10,0xd5,0x88,0xfb,0x21,0x60,0xe8,0xb5,0xc3,0x2b, + 0xe4,0xe7,0xa9,0x68,0xd5,0xa8,0xd4,0xac,0x65,0x76,0xb7,0x1a,0x2b,0x91,0xcd,0x6a, + 0xf0,0x01,0x6c,0xbc,0x81,0x6d,0x4a,0xae,0x8c,0x70,0x64,0x9e,0x08,0xdc,0xe9,0x0b, + 0x3c,0xe5,0x2a,0xb4,0x9c,0xe2,0xcb,0x5b,0x0e,0xd8,0xa4,0x5e,0x33,0xd9,0x4c,0xf2, + 0xd4,0xcf,0xde,0xe1,0x15,0x12,0x70,0xb2,0x07,0x3a,0xef,0xfe,0xaf,0x71,0x7d,0x39, + 0xe0,0x41,0x92,0xb8,0xb6,0x93,0xc5,0x3f,0x21,0xa6,0x12,0x38,0x13,0x28,0x08,0x06, + 0x92,0x0b,0x7d,0xc5,0x82,0x20,0x1c,0x9d,0x11,0x70,0x50,0x32,0x06,0x71,0xe8,0x61, + 0x39,0xa0,0x27,0x97,0x6b,0x7e,0xcf,0x41,0x33,0x69,0xa9,0xfc,0x28,0xe0,0xbd,0x71, + 0x9c,0xeb,0x5e,0x10,0x7d,0xe7,0x99,0xf1,0xbc,0x2e,0x25,0x5a,0x9f,0x29,0x47,0x6d, + 0x45,0x74,0xd1,0x33,0x2f,0x66,0x46,0x8a,0xfb,0x90,0x04,0xff,0x7b,0x53,0x53,0x02), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x85,0xed,0x1e,0x3d,0xfc,0xd5,0xbc,0xa2,0x4c,0xad,0x1d,0x01,0xeb,0xe1,0x92,0xb7, + 0xd0,0x59,0xec,0x9b,0x88,0x44,0x36,0xe1,0x87,0x14,0xa4,0x3f,0xbc,0xc9,0xc6,0x4f, + 0x68,0x73,0x01,0x35,0x2f,0xf2,0x40,0x81,0x70,0x01,0xe7,0x57,0xd2,0x73,0x09,0xcd, + 0x1f,0xbb,0xda,0x94,0x56,0xb2,0x67,0xdb,0xfb,0x95,0x84,0x70,0xb2,0x4d,0x06,0x28, + 0x0c,0xf4,0x33,0x82,0xa1,0x94,0x77,0x87,0x5f,0x32,0x59,0xf4,0x21,0x0b,0xac,0x9b, + 0x83,0x1d,0x0a,0x07,0xf5,0xe9,0x7e,0x5f,0x0f,0x78,0x81,0x8c,0x25,0x9c,0x28,0x9e, + 0x1a,0x78,0x9b,0x6c,0x79,0x42,0xc9,0x7b,0xc1,0x48,0x5a,0x22,0x01,0x31,0xe5,0xeb, + 0xa5,0x86,0x64,0x3b,0x90,0x71,0xe5,0x36,0x6b,0xc4,0x82,0xdd,0x3c,0x3c,0x92,0x79), + .s = chunk_from_chars( + 0x13,0x81,0x34,0xbb,0xec,0xef,0xaf,0xc7,0xca,0x8b,0x10,0x2c,0xbe,0x87,0xb0,0x12, + 0xf8,0xaa,0xda,0x88,0x78,0x99,0x50,0x02,0xcf,0x18,0x87,0x69,0x4b,0x5b,0xe3,0xb8, + 0xf0,0xbb,0x61,0x6b,0xc6,0xe0,0x79,0x62,0xd5,0x48,0x2d,0x3a,0x52,0xc5,0x2a,0xb9, + 0x1b,0x3e,0xe0,0x06,0x4d,0x24,0x55,0x8e,0x13,0xc7,0x5c,0x80,0xf6,0xa9,0x5b,0x7d, + 0xc4,0x98,0x44,0x28,0x79,0xd5,0xba,0xf8,0xff,0xa7,0xe2,0xf6,0x38,0x80,0x8b,0x97, + 0xff,0x70,0x13,0x6b,0xb6,0x45,0xe3,0x09,0x44,0xdd,0x97,0xa9,0x97,0xa0,0x20,0x51, + 0x69,0x55,0x3a,0x5b,0x9e,0x87,0x4c,0x5a,0x94,0x41,0xe1,0x8c,0x15,0xeb,0xed,0x76, + 0x04,0x3b,0x63,0x9d,0xfd,0x64,0xdb,0x79,0xe1,0x74,0x84,0x7a,0x10,0x27,0x24,0xa2, + 0xa0,0x5c,0x64,0x94,0x73,0xcc,0x7d,0xac,0xd3,0x9e,0x2e,0x1d,0x56,0x66,0xbb,0xb5, + 0xf0,0x12,0x46,0x74,0x70,0x48,0xff,0xfc,0xdf,0xcd,0xdf,0x78,0x2d,0xa2,0x4a,0x6d, + 0xcc,0x02,0x2b,0x26,0x95,0xf7,0x07,0x81,0xbd,0x9f,0x8f,0xf7,0xd0,0x3b,0xe2,0x2e, + 0xb8,0xfc,0x79,0x3f,0x5c,0x07,0x1a,0x66,0xd9,0xa6,0xea,0x46,0xc6,0xa2,0xcf,0x05, + 0x56,0x52,0x6b,0xa8,0xb0,0x85,0x07,0x35,0x46,0x44,0x80,0x81,0x73,0x2a,0xc1,0x5f, + 0x12,0x83,0x3c,0x1d,0xb1,0x70,0x1f,0xf7,0xf6,0x83,0x44,0xca,0x65,0xdf,0xf8,0x62, + 0x11,0xa0,0x03,0xad,0xbf,0x51,0x89,0xcf,0xae,0x79,0xea,0xa8,0xc8,0xb7,0x14,0x1e, + 0xa3,0x78,0xe4,0x4c,0xc9,0xc5,0xbf,0x02,0x4d,0x2c,0x71,0x0f,0xf5,0xcd,0x68,0xaf), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x0b,0xdb,0xa3,0x4e,0x35,0xfc,0xa6,0x5a,0x17,0x81,0xd4,0xd7,0xc9,0x33,0xa5,0xf2, + 0x10,0xd3,0xa5,0x94,0x83,0xae,0xbc,0x95,0xec,0x71,0xb3,0x2d,0xf1,0x3f,0xf4,0xab, + 0xf4,0x01,0x91,0x69,0x37,0xfd,0x88,0xff,0x44,0xab,0x46,0xb7,0x8c,0xc3,0x69,0x41, + 0x4e,0x9b,0xca,0xa8,0xba,0xb0,0xbb,0x85,0x57,0x82,0x8d,0x73,0xa2,0xa6,0x56,0xc2, + 0xf8,0x16,0xf0,0x70,0xb5,0xcb,0x45,0x54,0x9e,0x8e,0xca,0x9d,0x7c,0x0b,0x4a,0x7b, + 0x0a,0x27,0xe5,0x1c,0x11,0x93,0x58,0xda,0xd2,0xa1,0x7f,0xb3,0xa4,0x57,0x18,0xf9, + 0xde,0xc3,0xc9,0x4a,0xf7,0x8d,0x65,0xc3,0xec,0xd3,0x6b,0x71,0xe2,0x30,0xcf,0x08, + 0x0d,0x1e,0xfd,0xd8,0xd0,0x7f,0x1c,0xfc,0x26,0x76,0x8f,0xd5,0x40,0x7b,0xc2,0xb7), + .s = chunk_from_chars( + 0x9f,0x48,0xde,0xb9,0x6b,0xec,0x0b,0x72,0xfb,0xc4,0xf1,0x2f,0x08,0xaf,0xb4,0x6b, + 0xcc,0xf1,0x9d,0x9e,0x0c,0xd0,0x36,0x8e,0xbe,0xb3,0x12,0xd8,0x38,0x72,0x62,0x63, + 0x80,0xac,0x92,0x8b,0x61,0x2c,0x5c,0xd7,0x74,0x38,0xd4,0x7a,0xa9,0xce,0xea,0x90, + 0x5a,0x9d,0xe7,0x18,0x2c,0x8e,0xf7,0x6e,0x8a,0x7a,0x03,0xd6,0xef,0xec,0x84,0x00, + 0xb6,0x49,0x63,0x62,0xbf,0x6a,0x30,0xce,0xb1,0xce,0xd2,0x18,0x5f,0xc7,0xc2,0x11, + 0x7b,0x6a,0x6d,0x88,0x8a,0xc2,0x0c,0x16,0x87,0xb0,0xf2,0xaa,0x9b,0x76,0x70,0x5f, + 0xd3,0x15,0x48,0x89,0xb6,0xac,0xaf,0x4e,0x63,0xbe,0x25,0x88,0x0c,0x71,0xe6,0xc2, + 0x39,0xec,0xfb,0x96,0x50,0x04,0xcd,0x63,0x21,0x25,0x7f,0x84,0x6a,0xfd,0x2a,0x65, + 0x90,0xc7,0x2a,0xd8,0x31,0x46,0xee,0xfc,0x7b,0x0d,0xc4,0x79,0x63,0x39,0xa7,0xf6, + 0x4d,0xa0,0xfb,0xe3,0x59,0xf9,0x4a,0xce,0x1f,0xd1,0x51,0xc5,0xac,0x7b,0xb5,0x70, + 0x7b,0x32,0xea,0xcf,0x56,0x4f,0xe1,0x62,0x2e,0x66,0xe1,0x84,0x4e,0x63,0x96,0x02, + 0xca,0x36,0x27,0x4a,0xe0,0x1f,0x93,0xe6,0xb2,0xbd,0x1e,0xff,0xd3,0x4a,0xb6,0x3d, + 0x85,0x2c,0xc9,0xca,0xf3,0xce,0x84,0x46,0xc2,0x9c,0x8a,0xe3,0xc6,0x11,0x0f,0xb7, + 0x53,0x8c,0xc8,0x37,0x1c,0x2a,0x39,0x81,0x24,0x9c,0xdc,0x1b,0xe2,0xb2,0x4b,0x6a, + 0x0c,0x95,0x17,0x64,0xd0,0xb7,0xef,0xa9,0x2a,0x22,0xcd,0x8e,0xd1,0x65,0xe1,0x82, + 0x86,0x35,0x79,0x37,0x79,0x97,0xa9,0xee,0x50,0xc8,0xac,0x3a,0xa4,0xdf,0x1a,0xca), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x9a,0xee,0xd8,0x5b,0x40,0xba,0x7f,0x86,0xa2,0x28,0xb5,0xa1,0x51,0x5b,0xa1,0x90, + 0xb2,0xef,0xff,0x66,0x99,0x3a,0x5e,0xce,0x19,0xd1,0x8b,0xaa,0x9b,0x4e,0x4d,0xf9, + 0x2e,0x51,0x52,0xfe,0x1e,0xc5,0x6a,0x9f,0xc8,0x65,0xf3,0x0b,0xac,0x7e,0x94,0x9f, + 0xc4,0xf6,0x2f,0x0b,0x15,0x8d,0x10,0xb0,0x83,0x63,0x6b,0x4d,0xe9,0xbb,0x05,0xdb, + 0x69,0xfe,0x31,0xb5,0x01,0x03,0xfe,0xfc,0x5f,0x8d,0xaf,0x3a,0xf7,0x15,0x6b,0x45, + 0x52,0xca,0x36,0x67,0xa9,0xd7,0x20,0xbb,0xb2,0xe4,0xbc,0xda,0xba,0xdf,0xd4,0xb7, + 0xf4,0xfc,0x5b,0xc8,0x11,0xfa,0xa3,0x67,0x10,0xa9,0xd1,0x77,0x58,0xa9,0x8d,0x4a, + 0x04,0x74,0xfe,0xc2,0x7e,0x9e,0xf5,0xb7,0x4f,0x5c,0x68,0x99,0x35,0x44,0x23,0x57), + .s = chunk_from_chars( + 0x9e,0xec,0xdb,0xd7,0xfb,0xf6,0x18,0xdd,0xdd,0xfb,0x6e,0x75,0xd6,0x44,0x40,0xf6, + 0x04,0x45,0xb8,0x53,0xc5,0x42,0xfe,0x0f,0xba,0xaa,0x6a,0x43,0x12,0x94,0xe6,0xcb, + 0x66,0x83,0xae,0x1a,0x71,0xea,0x05,0x5e,0xb4,0x9c,0xd2,0xa3,0xcb,0x51,0x54,0xdc, + 0x93,0xd9,0xaa,0x16,0x63,0x99,0xf4,0xe6,0x29,0x4f,0x0e,0xb0,0x65,0x28,0x00,0xd7, + 0x1e,0x04,0x1c,0x1c,0xe1,0xad,0x84,0x9c,0x03,0xc9,0x63,0xbc,0x09,0x29,0xdc,0xdd, + 0x11,0xbe,0x5d,0x67,0xa0,0x50,0xd0,0x2b,0x64,0xb2,0x9e,0xab,0xa6,0x55,0x64,0x2b, + 0x64,0x36,0xfb,0xfb,0x16,0x36,0x90,0xbf,0x43,0x2f,0xdc,0xee,0xdd,0x10,0x6c,0x2f, + 0x49,0x72,0xec,0xbf,0x30,0x77,0xed,0x8b,0x75,0x3b,0xb6,0x05,0xec,0x1e,0xa0,0x30, + 0x20,0x83,0x9a,0x31,0x8a,0x24,0xf8,0xd4,0xc1,0xd7,0xd8,0xdf,0x99,0xa7,0xf0,0x01, + 0x0a,0xe4,0x1a,0x8b,0x06,0x8e,0x28,0x88,0x53,0x10,0x56,0xa7,0xda,0xbb,0xe9,0x21, + 0x87,0x8d,0xcd,0x3c,0x7d,0x69,0x41,0x68,0x67,0xf4,0x01,0x2a,0x60,0x6a,0xe8,0x68, + 0x55,0xf1,0x5a,0xed,0x0d,0xa1,0x25,0x0e,0x59,0x68,0x77,0x06,0xe8,0x9c,0x94,0x94, + 0xba,0xf3,0x7f,0x61,0xfb,0x17,0x03,0xb7,0x99,0x28,0x79,0x5f,0x90,0xcc,0xbe,0x29, + 0x3a,0x1e,0x94,0x72,0xf6,0xe0,0xf4,0xb8,0x90,0xfd,0xda,0x3e,0xa2,0x52,0x2e,0x3d, + 0x11,0xd5,0xab,0xdf,0x00,0x69,0x51,0x94,0x24,0xd1,0x47,0xb5,0x64,0x6a,0x5a,0x60, + 0x1f,0x19,0xec,0x89,0x72,0x9a,0x8b,0x48,0x46,0x1e,0x71,0xc0,0x8b,0xbe,0x9c,0xda), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x65,0x4e,0x18,0x9f,0x06,0xc7,0xd4,0x2d,0x55,0x39,0xa5,0x87,0x21,0x84,0xf8,0x33, + 0x6c,0xf1,0x00,0x69,0x1f,0x19,0x08,0x18,0xfd,0x02,0x08,0x2a,0xd6,0x8a,0x76,0x09, + 0xfd,0x09,0x5e,0x62,0xfc,0x32,0xb5,0x29,0x85,0x3a,0xeb,0xdd,0xac,0x3d,0xbf,0x0d, + 0x54,0xdd,0x57,0x1b,0xe7,0x2c,0x90,0x40,0x4b,0xcc,0x93,0xd0,0x11,0x54,0xa9,0xbf, + 0xef,0xf6,0x50,0x65,0x70,0x5f,0x8e,0x7e,0xea,0xdf,0x85,0x75,0xb1,0xca,0x48,0xe2, + 0x8a,0x1e,0xed,0x51,0x62,0x65,0xe3,0x45,0x40,0xdd,0x86,0x7c,0x79,0xd7,0xf1,0x75, + 0x23,0x5d,0x13,0x30,0xcb,0x17,0x06,0x35,0x6b,0x70,0x9b,0xd7,0x96,0xf4,0x3a,0xba, + 0xf6,0xfc,0xe9,0x93,0xf8,0x8e,0xaa,0x2f,0xc6,0x7f,0x0a,0xb7,0x76,0xda,0xf7,0x32), + .s = chunk_from_chars( + 0xaf,0x90,0x29,0x8b,0xce,0xf6,0x15,0x30,0x9f,0x23,0x5d,0x5c,0x33,0x60,0xf0,0xdf, + 0x11,0xf5,0xfb,0x98,0x87,0x89,0xf2,0x13,0xd4,0xc4,0x61,0x34,0xfe,0xe5,0xeb,0x10, + 0x4a,0xa1,0xfa,0xbb,0x13,0x07,0xc9,0xa9,0x04,0x70,0x9d,0xe8,0x86,0x73,0xed,0x99, + 0x51,0xcb,0xa9,0x31,0x67,0xc6,0x7c,0x09,0xd8,0x27,0x02,0x1b,0x08,0xa2,0x2c,0x05, + 0x05,0x82,0x8a,0xb4,0xbe,0xb4,0x2e,0x59,0xa3,0x88,0x32,0xcb,0x4d,0xa2,0x4e,0xcf, + 0x91,0xf4,0x70,0xa3,0xb4,0x12,0xc0,0x71,0x2a,0x8a,0x59,0xf6,0xf2,0x73,0x9d,0x4e, + 0x9e,0xb4,0xcc,0x58,0xd2,0xc5,0x25,0x92,0xf1,0x45,0x2d,0xc6,0x57,0x59,0xab,0xe4, + 0x3e,0x8d,0x2b,0xc8,0x04,0xe2,0xef,0xb3,0xef,0xc9,0xb2,0x3c,0xc1,0x73,0x4f,0xf7, + 0xca,0xef,0xa4,0x6b,0x03,0xba,0x4b,0x39,0x7d,0x07,0x14,0xcd,0xb8,0x50,0x1a,0x81, + 0x2c,0x1b,0x9f,0x47,0x41,0x1c,0x91,0xcb,0xa5,0x3a,0x3d,0x3b,0x13,0x9e,0xdb,0xd7, + 0xcb,0xb5,0x43,0xf5,0xbf,0x38,0x29,0xba,0x7f,0x5f,0xaf,0xd8,0xa7,0x12,0xc0,0xb1, + 0x11,0x94,0x3f,0x53,0x20,0x93,0x53,0xaf,0xab,0xa1,0x76,0xb3,0xf5,0xdc,0x06,0x03, + 0x39,0xd0,0x9b,0x1f,0xb3,0xc2,0x13,0xda,0xe5,0xd0,0xf0,0x04,0xd3,0x02,0x82,0x85, + 0x60,0xfb,0x5d,0xeb,0xf9,0xfe,0x49,0x1e,0xaa,0x66,0xf5,0x97,0xaa,0x4d,0xe2,0x3e, + 0xee,0xf9,0x17,0x63,0x58,0x75,0x5c,0x95,0x2e,0xf9,0x6e,0x36,0x72,0x58,0x3b,0x6e, + 0xcd,0x95,0xa0,0x2e,0x8c,0xa7,0xb2,0x1d,0x7c,0x20,0xcb,0xb7,0xa7,0x57,0xaf,0x71), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x12,0x1f,0x80,0xb4,0x3f,0x97,0x57,0xb3,0xfa,0x80,0x90,0x6a,0xea,0xb2,0x32,0x19, + 0x5f,0x0e,0x2c,0x41,0xe5,0xbf,0x8c,0x09,0x1a,0xc0,0xf1,0xe0,0xbc,0x9e,0x43,0x64, + 0x06,0x80,0xa1,0x82,0x3d,0x64,0x9b,0xdf,0x86,0xab,0xa2,0x77,0xfa,0xd8,0xbc,0x85, + 0xfc,0x95,0x7d,0xa2,0xca,0xf7,0x32,0x30,0x53,0x02,0x5f,0xf9,0x49,0x70,0x6c,0x14, + 0x76,0xae,0x9b,0x09,0x53,0x28,0x3d,0x34,0xd7,0xc6,0x26,0x6f,0x8d,0xb6,0x5e,0xeb, + 0xe9,0x6d,0x19,0x5f,0xdc,0xe8,0xe9,0x65,0xa6,0x38,0x33,0x20,0xec,0x3d,0xe0,0x23, + 0x0a,0xb2,0x54,0x8e,0xaa,0x69,0xa4,0x7a,0x96,0xd8,0x03,0x98,0xca,0xd5,0x7e,0x14, + 0xce,0x9e,0xea,0xc0,0x42,0x1c,0x1a,0x6e,0xba,0x69,0x55,0x9d,0xcd,0x8f,0x06,0x59), + .s = chunk_from_chars( + 0x06,0xa2,0xd7,0x45,0x85,0xf1,0x2e,0xa7,0xa8,0x05,0x27,0xb8,0xc6,0x35,0xa2,0x1c, + 0xc1,0x1b,0x45,0xdb,0xb0,0x88,0x5a,0x12,0x72,0x21,0x26,0x81,0x1d,0xd2,0x5d,0x65, + 0x7b,0xfa,0x9f,0xda,0x77,0x43,0x01,0xca,0x34,0x98,0xd0,0x5d,0xfd,0xfb,0x78,0xa6, + 0xaa,0x16,0xa9,0xf8,0xa9,0x5f,0x40,0xf1,0xf0,0x4b,0xd3,0x54,0xa5,0x22,0xf6,0xa2, + 0xd6,0x2b,0x32,0x4e,0xfa,0x3c,0x00,0x6c,0x22,0xc2,0x31,0x4b,0x01,0xfa,0x0e,0x91, + 0xa3,0xdb,0xa4,0x9a,0xa3,0x5b,0x46,0xb1,0x98,0x04,0xb0,0x7a,0xd9,0x8f,0xe4,0xbc, + 0x99,0x03,0x93,0xa4,0xa2,0x73,0xce,0x8f,0x1c,0x85,0xfc,0x19,0xcd,0x5e,0xae,0x9a, + 0xf0,0xb7,0xd1,0x95,0x7b,0xb2,0x34,0x09,0x77,0x8a,0x01,0x0b,0x00,0xc6,0x95,0x9e, + 0x1b,0x67,0x06,0x6f,0xdb,0x9f,0x84,0x95,0xb4,0xde,0x4d,0xcb,0xb9,0x87,0x35,0x81, + 0x45,0xb1,0xff,0x6a,0x39,0xef,0x6f,0xc5,0x88,0xcd,0xa1,0x74,0x4e,0x0a,0xb9,0xe7, + 0xeb,0x00,0x2c,0x29,0xa7,0x85,0x31,0xd2,0x51,0x57,0xc5,0xc2,0xcd,0x64,0x70,0x55, + 0x15,0x60,0xa0,0x28,0x45,0xdb,0x6d,0xbe,0xe2,0x42,0xf9,0x65,0xa2,0x55,0x40,0x6f, + 0x6e,0xf4,0x7b,0x32,0x21,0xa5,0x11,0x0e,0xdb,0x44,0xd3,0x8b,0x94,0x19,0x1a,0xea, + 0xf4,0x33,0xc0,0xec,0xe3,0x48,0x0b,0x9d,0x1b,0x06,0xd8,0xb8,0xb6,0xc0,0xa2,0x32, + 0xa0,0x4c,0x56,0x78,0x88,0xe6,0x37,0x2f,0x2e,0x94,0xbc,0x2b,0xe6,0xb8,0x27,0xf8, + 0x71,0x2a,0xf4,0x8c,0x6f,0x1e,0x4f,0x22,0x3f,0x55,0x28,0xfc,0xf3,0x48,0x79,0x9d), + }, +}; + +START_TEST(test_sign_pkcs15_2048) +{ + signature_scheme_t scheme = pkcs15_2048[_i].scheme; + chunk_t sig; + + if (!lib->plugins->has_feature(lib->plugins, + PLUGIN_PROVIDE(PUBKEY_VERIFY, scheme)) || + !lib->plugins->has_feature(lib->plugins, + PLUGIN_PROVIDE(PRIVKEY_SIGN, scheme))) + { + warn("%N not supported, skip test", signature_scheme_names, scheme); + return; + } + fail_unless(privkey_2048->sign(privkey_2048, scheme, NULL, pkcs15_2048[_i].m, &sig), + "sign %N", signature_scheme_names, scheme); + ck_assert_chunk_eq(pkcs15_2048[_i].s, sig); + fail_unless(pubkey_2048->verify(pubkey_2048, scheme, NULL, pkcs15_2048[_i].m, sig), + "verify %N", signature_scheme_names, scheme); + free(sig.ptr); +} +END_TEST + +/** + * Test vectors from FIPS 186-4 + */ +static struct { + signature_scheme_t scheme; + chunk_t m; + chunk_t s; +} pkcs15_3072[] = { + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0xbc,0xf6,0x07,0x43,0x33,0xa7,0xed,0xe5,0x92,0xff,0xc9,0xec,0xf1,0xc5,0x11,0x81, + 0x28,0x7e,0x0a,0x69,0x36,0x3f,0x46,0x7d,0xe4,0xbf,0x6b,0x5a,0xa5,0xb0,0x37,0x59, + 0xc1,0x50,0xc1,0xc2,0xb2,0x3b,0x02,0x3c,0xce,0x83,0x93,0x88,0x27,0x02,0xb8,0x6f, + 0xb0,0xef,0x9e,0xf9,0xa1,0xb0,0xe1,0xe0,0x1c,0xef,0x51,0x44,0x10,0xf0,0xf6,0xa0, + 0x5e,0x22,0x52,0xfd,0x3a,0xf4,0xe5,0x66,0xd4,0xe9,0xf7,0x9b,0x38,0xef,0x91,0x0a, + 0x73,0xed,0xcd,0xfa,0xf8,0x9b,0x4f,0x0a,0x42,0x96,0x14,0xda,0xba,0xb4,0x6b,0x08, + 0xda,0x94,0x40,0x5e,0x93,0x7a,0xa0,0x49,0xec,0x5a,0x7a,0x8d,0xed,0x33,0xa3,0x38, + 0xbb,0x9f,0x1d,0xd4,0x04,0xa7,0x99,0xe1,0x9d,0xdb,0x3a,0x83,0x6a,0xa3,0x9c,0x77), + .s = chunk_from_chars( + 0xd1,0xd2,0x1b,0x8d,0xfa,0x55,0xf0,0x68,0x1e,0x8f,0xa8,0x61,0x35,0xcf,0x29,0x2d, + 0x71,0xb7,0x66,0x97,0x13,0xc2,0x91,0xd8,0xf8,0xdc,0x24,0x64,0x64,0xde,0x3b,0xbb, + 0x96,0x1b,0x59,0x6d,0xfc,0x8f,0xda,0x6c,0x82,0x3c,0x38,0x40,0x08,0xd0,0x5b,0xcb, + 0x3d,0xcc,0xc3,0x6a,0xcc,0xf1,0xb2,0xbe,0xde,0x1a,0x95,0xe5,0x22,0x58,0xd7,0xd1, + 0xbd,0xf1,0xfc,0x44,0xe1,0x80,0x72,0xab,0xd4,0x5c,0x13,0x92,0x01,0x5e,0xe7,0x16, + 0x92,0x69,0x0e,0xf8,0xcd,0xaa,0xed,0x33,0x7d,0xd8,0x54,0x67,0x83,0xf9,0x61,0xbb, + 0x96,0x20,0xeb,0x5c,0x7b,0x8b,0x67,0x16,0xe8,0xc6,0x00,0x35,0x1f,0xab,0x77,0x65, + 0xee,0x38,0xa1,0x5d,0x32,0xd8,0xa2,0xc0,0x94,0x98,0x25,0xc4,0x9a,0x7f,0x25,0xee, + 0xdd,0x9b,0xe7,0xb8,0x07,0xbb,0xfd,0x51,0x79,0x13,0x78,0x66,0x20,0xd2,0x49,0x82, + 0x3d,0xae,0x6f,0xe2,0xfd,0x39,0xac,0x63,0x9d,0xd7,0x48,0x21,0xb0,0xc1,0x20,0xb4, + 0x2f,0x31,0xc2,0xc6,0x39,0xd2,0xc6,0x1b,0x39,0x5f,0x09,0xf8,0x68,0x51,0xbc,0x80, + 0x9b,0x34,0xc4,0x98,0x1a,0xc6,0x5c,0xf2,0x5b,0x2e,0x8a,0xdc,0xbc,0xe1,0x90,0xef, + 0x2e,0xf6,0x7a,0x01,0x89,0x03,0x9c,0x91,0x10,0xf2,0x67,0x01,0xc3,0xee,0xd7,0x31, + 0xc8,0xd9,0xea,0xd1,0x78,0x22,0x0f,0xfc,0xac,0x7f,0x0f,0x67,0x8a,0xa2,0x22,0x68, + 0xe1,0xd0,0x19,0x42,0xec,0x51,0xe8,0x0e,0xef,0x06,0xe2,0x11,0x28,0x30,0x85,0x5e, + 0x87,0xba,0xfe,0x8c,0xc9,0xc2,0x2f,0xd7,0x37,0xc7,0xab,0xbc,0xa5,0xeb,0x7a,0x22, + 0x1d,0x38,0x35,0xa8,0x66,0x10,0xd2,0x4b,0x50,0x7b,0x5d,0xcb,0x46,0x18,0xaa,0x42, + 0x1f,0x63,0xa5,0x60,0x9e,0xf5,0xd6,0x8f,0x57,0x60,0xfd,0xdf,0x97,0x01,0x35,0x60, + 0x2e,0xfa,0xd0,0x85,0x1b,0xbf,0xf9,0x8f,0xe8,0x7f,0xa5,0x8b,0xc3,0x65,0xf3,0x8e, + 0xe7,0xec,0x8e,0xf5,0xaa,0xb1,0x7f,0xd1,0x1d,0x89,0xd9,0x1e,0xf4,0xc6,0x04,0xe0, + 0xd1,0xf0,0x01,0xd0,0xe0,0x88,0x69,0xdf,0x92,0x25,0xe3,0xb4,0xce,0xf5,0x2f,0xf8, + 0x68,0x15,0xe1,0x3b,0x3e,0xfd,0xf4,0x57,0x76,0xf9,0x35,0x37,0x69,0xa8,0xa5,0x1f, + 0xe7,0xd8,0x91,0xa7,0xef,0x70,0x35,0xee,0xcf,0xa2,0x59,0x84,0x87,0x38,0x37,0x68, + 0x86,0xed,0xc9,0x1c,0xc7,0x8f,0x6d,0xa3,0x1c,0x2f,0x07,0xee,0x36,0x2c,0x3d,0x82), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x2b,0xca,0xd6,0xe7,0x44,0xf2,0x49,0x0b,0xa6,0xa6,0xe0,0x72,0x28,0x32,0x41,0x7e, + 0xbd,0x91,0x0f,0x91,0x46,0xeb,0x62,0xba,0xaa,0x5c,0x74,0x95,0x29,0xf7,0x9d,0x6c, + 0xed,0x0b,0x81,0xa2,0xe2,0xa4,0x88,0x52,0xc8,0x55,0x8e,0x33,0x87,0x35,0xdc,0xbf, + 0xc2,0x28,0x57,0x94,0xae,0x60,0xf8,0x1a,0x25,0x23,0x7c,0x66,0xf6,0xce,0x5d,0x5e, + 0x80,0x1a,0x00,0x1e,0x7f,0x9e,0x30,0x9b,0x25,0x95,0xcb,0x86,0x6d,0xe2,0xbb,0x74, + 0xac,0x51,0x28,0x3b,0x68,0x20,0xec,0x9f,0x6e,0xbe,0x48,0x2e,0x1f,0xd2,0xd5,0x68, + 0x0b,0x7f,0xbd,0x23,0xc1,0xe6,0x2a,0x2e,0xe4,0xed,0xff,0x35,0x82,0x3f,0xc7,0xe4, + 0xa2,0x95,0xea,0x4f,0x1c,0x33,0x27,0x92,0xae,0xb5,0x3e,0xb4,0x4b,0x0b,0xed,0xd2), + .s = chunk_from_chars( + 0x37,0xd9,0x60,0xfe,0x39,0x12,0x98,0xbb,0xdc,0x22,0x3f,0xa1,0xeb,0x1d,0x3c,0xd9, + 0xa4,0x6b,0xa8,0xc6,0x2e,0x1d,0xa8,0xc5,0x63,0xc8,0x9a,0x8f,0x0e,0x67,0xb8,0x64, + 0xfc,0x89,0x83,0x7f,0xfc,0x08,0xaa,0xb7,0x12,0x2b,0x84,0xc4,0x35,0xc7,0xf9,0x40, + 0x6e,0x16,0x5a,0x10,0x29,0x85,0x7c,0x1e,0x4d,0xea,0x65,0x35,0x69,0x27,0x72,0x73, + 0xb1,0xd9,0xb0,0xa9,0xf5,0xb0,0xdc,0x24,0xaf,0xdd,0x21,0x44,0x76,0xd4,0x72,0x08, + 0xad,0x52,0x21,0xa7,0xd7,0x93,0xca,0xb8,0x06,0x71,0xfb,0x49,0x87,0xc8,0x6b,0xd6, + 0x14,0x48,0x80,0xc5,0x9d,0x24,0x87,0x14,0x00,0xf6,0x4b,0xdc,0x6d,0x49,0x6d,0xbd, + 0x49,0x7f,0x3d,0xbf,0x64,0x28,0x64,0xfe,0x49,0xaf,0x3e,0x21,0x51,0x5e,0x62,0xd6, + 0x0f,0x00,0x71,0xdb,0x48,0x84,0xf4,0x96,0x70,0xea,0xa9,0xe4,0xe4,0x98,0x2f,0x26, + 0x9a,0xbe,0x72,0x42,0x44,0x28,0x88,0x59,0xc2,0xad,0xf6,0x0a,0x09,0xfa,0xaa,0xbb, + 0x07,0x99,0x0e,0x09,0xe5,0x6d,0xe2,0x54,0xba,0xbb,0xee,0x14,0xbe,0x7e,0xb6,0xed, + 0xa0,0xcd,0xb2,0x2f,0x3d,0x0d,0xe8,0x72,0x48,0x04,0x67,0x3f,0xb9,0x9f,0x86,0xef, + 0xb4,0x26,0x3d,0xcc,0x50,0x17,0xab,0xc9,0x1b,0xd9,0xcd,0x83,0x36,0x79,0x47,0x5b, + 0xfa,0xc5,0x0a,0x2b,0xe8,0xdb,0x86,0x29,0x6b,0xbf,0x80,0x17,0x88,0x93,0x57,0x37, + 0x13,0x14,0x60,0x4e,0x83,0xd6,0x8b,0x6e,0xfe,0xcd,0x4b,0x79,0xf0,0xa8,0xaf,0xa0, + 0xdf,0xfa,0x44,0x8f,0xb7,0xfc,0xe6,0xd3,0x44,0x70,0x9a,0x67,0x0e,0x0c,0xff,0x43, + 0x2c,0x3e,0x18,0x7b,0xcf,0xf7,0xfd,0xc4,0xf4,0xe9,0xab,0xe1,0x09,0x5c,0x46,0xb0, + 0x1d,0x88,0xb6,0x04,0x4b,0xb9,0x50,0xe9,0x28,0x59,0x01,0x0d,0x9a,0x0e,0x3b,0x2d, + 0x1f,0x27,0xa0,0x96,0xea,0xca,0xa2,0x42,0x63,0xa2,0xa0,0x52,0x3d,0x6e,0x0d,0xa1, + 0xfb,0xa8,0xaf,0x76,0x81,0x96,0xf7,0xa5,0x1f,0x92,0xfd,0xf1,0x52,0xbe,0xf0,0x62, + 0xdd,0x1f,0x83,0x27,0xce,0xe1,0xd3,0x44,0xc2,0x00,0xc2,0x11,0x5a,0xc6,0xec,0x1d, + 0xd8,0x51,0x4c,0xef,0x9e,0x36,0xd0,0xce,0x8c,0x32,0xe5,0x87,0x83,0xc4,0xfc,0xba, + 0x90,0x1a,0xa7,0x0c,0x2b,0x42,0x96,0x64,0x88,0x00,0x2f,0xf1,0x71,0xd3,0x64,0x14, + 0xa1,0x44,0xbf,0x46,0x77,0x51,0x83,0xa8,0x81,0x5d,0xe9,0xee,0x3e,0x81,0xf3,0x1b), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0xc3,0x97,0x8b,0xd0,0x50,0xd4,0x6d,0xa4,0xa7,0x92,0x27,0xd8,0x27,0x0a,0x22,0x02, + 0x95,0x34,0x82,0x87,0x59,0x30,0xfb,0x1a,0xea,0xe4,0xe6,0x7f,0x87,0xe7,0x94,0x95, + 0x28,0x9d,0xe2,0x93,0xb4,0xa4,0x0d,0x92,0x74,0x6f,0xc8,0x4c,0xc8,0x31,0x8c,0x23, + 0x18,0xfd,0x30,0x65,0x0e,0x2b,0xb9,0xce,0x02,0xfd,0x73,0x4e,0xb6,0x83,0x41,0x0d, + 0x44,0xbb,0x31,0xad,0x54,0xfd,0x53,0xcf,0x92,0x96,0xcc,0xd8,0x60,0xb4,0x26,0xf5, + 0xc7,0x82,0xea,0x5c,0xb4,0x93,0x71,0xd5,0x61,0x84,0xf7,0x79,0x11,0xdd,0xf1,0xba, + 0x00,0x39,0xa0,0xa4,0x9a,0xa7,0xe7,0x63,0xeb,0x4f,0x5a,0x04,0x57,0x59,0x97,0x80, + 0x8b,0x0a,0xd9,0xf6,0xb3,0x30,0xca,0x38,0xed,0xc1,0x99,0x89,0xfe,0xbf,0x4d,0xa5), + .s = chunk_from_chars( + 0x9a,0xed,0x20,0xa8,0xbd,0xaf,0x26,0xf1,0xf1,0x19,0x02,0x0d,0x8f,0x3e,0xa6,0xce, + 0x91,0x51,0x38,0xd4,0xc8,0x7d,0xce,0x02,0x5e,0x7f,0x4e,0x49,0x53,0x6c,0x8e,0xc0, + 0x79,0xed,0xc6,0xca,0xf0,0xd6,0x03,0xbf,0x42,0xbd,0x6a,0x45,0x4a,0x6d,0x52,0xd0, + 0xd9,0x9f,0xd0,0xf5,0x9f,0xfb,0x3b,0x22,0xe9,0xe6,0x7b,0x3d,0x0b,0xb2,0xd2,0x75, + 0xd9,0xae,0xdc,0x6d,0xa9,0x6a,0x72,0xcb,0xff,0x35,0xc4,0x3e,0x7f,0x39,0xa9,0x96, + 0xfa,0x8a,0x6d,0x33,0x8a,0x07,0x25,0xf7,0x85,0x25,0x4f,0xe9,0x1a,0x20,0x83,0x4b, + 0xa5,0x57,0xfe,0xdf,0xe7,0x15,0x2b,0x99,0x56,0xfe,0xdd,0xfd,0x94,0x17,0x41,0xef, + 0xf9,0x17,0x7c,0x2f,0xbb,0x55,0xe2,0x00,0xbb,0xe4,0x21,0x62,0xb3,0x2a,0x94,0x0c, + 0xc3,0x00,0xab,0x37,0x55,0x57,0xdf,0xfd,0x48,0xdf,0xa5,0x39,0xf5,0x0e,0xdd,0x52, + 0xdf,0x15,0x8d,0x90,0x72,0xd1,0x49,0x82,0xe9,0x63,0x03,0xbc,0x61,0x2c,0x2c,0x25, + 0x06,0xdb,0xca,0x3a,0x93,0x9d,0x62,0x6d,0x2e,0x7f,0xb4,0x44,0xc6,0xad,0x7d,0x8d, + 0x9f,0x3b,0xba,0x82,0x10,0xb2,0xac,0x2f,0x69,0x67,0x83,0xc3,0x49,0xfc,0x52,0x80, + 0xc1,0x05,0x40,0x2a,0x4b,0x3d,0x86,0xbe,0xf5,0x02,0x6c,0x3d,0xd9,0x99,0xe3,0xb2, + 0x23,0x80,0xf9,0xdc,0xce,0x40,0xe3,0xa9,0xcc,0x9f,0x1d,0x7b,0xc3,0x8e,0xf3,0xdd, + 0x7e,0x94,0x13,0xbb,0x57,0x98,0x00,0xc0,0xe6,0xc3,0xe9,0xab,0x91,0x2d,0xa8,0xfe, + 0xc1,0xa4,0xab,0x21,0x39,0x8e,0x96,0x80,0xba,0x0d,0x04,0xf3,0xb4,0xc8,0xd5,0x3c, + 0x02,0xf0,0x5c,0x7a,0xe4,0x9b,0x70,0xa5,0x61,0x1c,0xf8,0x2e,0x38,0xde,0x84,0xaa, + 0x8c,0x24,0x26,0xf0,0xb6,0x3e,0xa0,0x1b,0x28,0x9f,0x20,0x1d,0x3a,0xf4,0x0d,0xad, + 0x5d,0x6e,0x5b,0xcc,0xc7,0x5b,0x99,0x59,0xe5,0xc9,0x75,0x8e,0x79,0x10,0x5a,0xf7, + 0xa9,0xaf,0xb1,0x2a,0xee,0x57,0x7c,0xb3,0x99,0x18,0x79,0xdb,0x0f,0xd8,0x66,0x2c, + 0x5b,0xc4,0x90,0x22,0x75,0x24,0x98,0xa3,0x01,0xd9,0x5f,0x4b,0x1d,0x08,0xc0,0x1e, + 0xbc,0x31,0x3f,0x89,0xc0,0x0b,0x1e,0xc2,0x73,0x5a,0x07,0x98,0x3f,0xd5,0x28,0xe6, + 0x38,0x82,0x45,0x03,0x6f,0x0e,0xd4,0xa2,0xdb,0xb6,0x5d,0xd3,0x3a,0xb7,0xf1,0x24, + 0xc0,0x14,0xec,0x16,0x79,0xf1,0xc2,0xf1,0x1e,0xdf,0xfb,0x93,0xfa,0x2d,0x1d,0x73), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x0c,0x11,0x95,0x02,0xc2,0xa0,0x19,0x20,0xa0,0x90,0xe4,0x33,0x57,0xe7,0xb2,0x8e, + 0x33,0xc7,0xee,0x85,0x8b,0x43,0x30,0xe0,0x5c,0x71,0x04,0x89,0x31,0xc0,0xed,0x88, + 0x46,0x8c,0xa9,0x31,0xec,0xf0,0xb7,0x9c,0x2f,0xdc,0x17,0x56,0xb7,0x67,0x51,0x56, + 0xec,0x66,0xb8,0x33,0x5e,0x3d,0xf0,0x94,0x63,0xf5,0xae,0xe7,0x02,0x8f,0xbf,0x56, + 0x0f,0x98,0x4c,0xf6,0x98,0xfe,0x5c,0x42,0x80,0x22,0x9a,0xc9,0x6a,0x2e,0x59,0x23, + 0xd8,0xa9,0xd5,0x29,0x94,0x49,0xbb,0x66,0x50,0x08,0xec,0xc8,0x89,0x79,0x7e,0x9b, + 0xb1,0x5d,0x04,0xb8,0x8c,0x72,0x10,0xfa,0xdb,0x8b,0xf6,0xf2,0x38,0xe5,0xd2,0xdc, + 0x41,0xb9,0xcc,0xd1,0xf8,0x0e,0x9a,0x3e,0x6a,0xd1,0x47,0x94,0x8f,0x27,0x33,0x41), + .s = chunk_from_chars( + 0x8a,0xbf,0x2a,0x30,0x77,0x4e,0x6e,0x73,0x38,0xec,0xa0,0x9c,0xcc,0xac,0xa3,0x68, + 0x43,0x99,0x94,0x04,0x92,0xfb,0x94,0xb2,0x3b,0x5a,0xd6,0x2c,0xe3,0xe1,0x1d,0x2d, + 0xbe,0xf8,0x96,0x6b,0xa5,0x26,0x99,0x79,0xeb,0x96,0x53,0xba,0xad,0x71,0x95,0x16, + 0xd3,0xe8,0x39,0x90,0x79,0xa2,0xf6,0x70,0x27,0x5a,0x2e,0xd4,0x2c,0x82,0x0a,0x9a, + 0x31,0xfc,0xd7,0x03,0xa7,0x66,0x37,0xe0,0xd7,0x13,0xf3,0x2d,0x79,0x2b,0x9a,0xe3, + 0x6d,0x72,0x88,0xf6,0x0c,0x2d,0x1a,0xe5,0x26,0x83,0xbb,0x15,0x94,0x1b,0x1c,0xd8, + 0x90,0xd2,0xcd,0x64,0x99,0x8b,0x77,0x25,0x85,0xe7,0x60,0x32,0xa1,0x70,0x2e,0x06, + 0x52,0xcb,0xf2,0x59,0xa1,0xce,0xae,0x69,0x5d,0x40,0xcf,0x2f,0x4f,0x6d,0x81,0x34, + 0x1c,0x8b,0xc9,0x08,0x2c,0xb9,0x6c,0x75,0x2c,0x35,0x5d,0xfb,0xe2,0x96,0xdd,0x21, + 0xd6,0x98,0x46,0xfa,0x37,0x61,0x3e,0x73,0x81,0x7b,0x2a,0x07,0x04,0x66,0x58,0xc9, + 0xe3,0xfc,0x6d,0x09,0x1e,0x17,0x59,0x1b,0xb1,0xa4,0xfb,0x6e,0x2a,0xc0,0x0a,0x31, + 0x94,0xc1,0x48,0x8e,0x16,0xa9,0xd2,0x90,0x37,0x86,0xdb,0x86,0xae,0x90,0xe9,0x6a, + 0xcb,0x4d,0xe9,0x90,0x1a,0xaf,0x1b,0x06,0x51,0xfb,0x76,0xa5,0x8d,0xcb,0x3d,0xb4, + 0x73,0xef,0xbf,0xb8,0x31,0xef,0x8e,0x30,0xf8,0x99,0x67,0xdd,0xd3,0xa6,0xc2,0xf1, + 0x89,0x79,0xa0,0x45,0x06,0x57,0xcd,0xae,0xef,0x6e,0x59,0x37,0x7c,0x6d,0xb1,0xec, + 0x46,0x06,0x5f,0x61,0x40,0x24,0xa6,0x9c,0x51,0x8a,0x55,0x99,0x42,0x59,0x4a,0x46, + 0x26,0x6e,0x0d,0x3c,0xa1,0x33,0x42,0x96,0xb9,0x68,0xa2,0x3a,0x4b,0x11,0xc6,0x3a, + 0x97,0xe2,0x9e,0xb1,0x6b,0x24,0xc0,0x2d,0x54,0x5d,0x5b,0x42,0x7e,0x6a,0xa5,0x85, + 0x33,0x33,0x18,0xe6,0x3a,0x20,0x45,0x24,0xe0,0xe4,0x2a,0xc1,0xed,0xb7,0x0d,0x34, + 0x56,0x78,0x0d,0xbe,0xad,0x31,0xf7,0x85,0xf0,0xb2,0xa7,0x7f,0xfe,0xb0,0xd3,0x73, + 0x84,0xcb,0x5f,0x65,0xb4,0xe3,0x6c,0xa2,0x41,0xf3,0xb2,0xb0,0x59,0x10,0x5f,0xaa, + 0xa3,0x22,0x2d,0x6c,0x13,0x5e,0xa5,0xa3,0x66,0x51,0xae,0xa3,0x96,0xd2,0x2f,0xc4, + 0xea,0x1b,0x40,0x4d,0x7e,0x83,0x4b,0x6d,0xf1,0xfb,0x83,0x8b,0xb5,0xba,0x0d,0x78, + 0x4a,0x96,0xe2,0xae,0x28,0x43,0xdb,0x3e,0xee,0xa4,0x96,0xc7,0xad,0x2b,0x42,0x41), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0xdd,0xbd,0x84,0x68,0xbd,0xb0,0x36,0xf4,0x79,0x9f,0x42,0x8b,0xc8,0xb4,0x37,0x4e, + 0xd9,0xb7,0xcd,0xe5,0x41,0x33,0x7a,0xc4,0x39,0xd4,0x41,0xac,0x06,0x14,0xcb,0x75, + 0xb8,0x16,0xb8,0x0c,0x17,0xd2,0x37,0xb8,0xdb,0x73,0xd4,0xa1,0x1b,0xfd,0x92,0x92, + 0x08,0x33,0x3a,0xfe,0xdb,0xb8,0xf2,0x41,0x0c,0x74,0x11,0x29,0xc5,0x39,0x32,0xb5, + 0x96,0xa7,0x88,0x1c,0x6a,0x4d,0x71,0x11,0xba,0x10,0x4d,0x46,0x00,0xd1,0x90,0x2f, + 0x6f,0x4a,0x16,0x08,0xe1,0x39,0xb7,0x19,0x11,0xc1,0x1c,0x39,0x0a,0x0d,0xd0,0x91, + 0xdf,0x36,0x9a,0xa2,0x9d,0x67,0x0b,0x8a,0x7e,0x3f,0x53,0x82,0x5f,0x76,0x59,0xac, + 0x74,0xc4,0x0a,0x0c,0x3b,0xfe,0xf0,0xd3,0xae,0x83,0x07,0xe4,0xbd,0xd6,0xcd,0x91), + .s = chunk_from_chars( + 0x4e,0x37,0x7e,0x24,0x59,0x81,0x5d,0x5b,0x33,0x91,0x5f,0xa6,0x3c,0xd4,0x77,0xb5, + 0xbe,0x7c,0x6b,0x7f,0x78,0x14,0xd1,0x35,0x00,0x34,0xce,0x71,0x0b,0xe6,0x7e,0xd6, + 0x91,0x39,0xdb,0x62,0x2e,0xf6,0x0e,0xc6,0xb7,0x63,0x8e,0x94,0xb2,0x02,0x36,0x8b, + 0xac,0x63,0x1e,0x05,0x77,0x02,0xb0,0xe6,0x48,0x7b,0x32,0x4a,0x6b,0x98,0xed,0x7e, + 0x03,0xd1,0xf3,0xf2,0x0a,0x98,0x14,0xb0,0x0e,0x21,0x7a,0x46,0x48,0xe4,0xbb,0xc4, + 0x49,0xa2,0xaf,0x40,0x5c,0xa4,0xb5,0x9f,0x84,0x38,0xdd,0xfd,0x75,0xd3,0x4d,0x10, + 0x64,0xe5,0x8b,0xfb,0x32,0x5c,0x55,0xbd,0x54,0xea,0x6c,0xdf,0x77,0x12,0xba,0x80, + 0x7c,0x3e,0x4c,0x66,0x5d,0x62,0x0c,0xd5,0x95,0x13,0xd7,0xbc,0x08,0x55,0x24,0x7e, + 0xb6,0x70,0xec,0xc2,0x92,0x50,0x96,0x61,0x81,0x27,0x02,0x70,0x32,0x75,0xd9,0xb2, + 0xf8,0x7e,0xf2,0x79,0xd7,0x70,0x0e,0x69,0xd9,0x95,0xdb,0x98,0x14,0x4a,0x14,0xc8, + 0x17,0x74,0xa4,0xcd,0x89,0x0e,0xc0,0x3d,0x13,0xf8,0x58,0xf3,0x76,0x9e,0x50,0x48, + 0xed,0x55,0xca,0xa8,0x12,0x01,0xe8,0x78,0x5d,0x37,0x71,0xce,0x6d,0xa5,0x11,0x75, + 0xd0,0x17,0xd2,0x11,0xfa,0x70,0x37,0x94,0x41,0x6f,0x46,0x9b,0x11,0x29,0xd7,0x31, + 0xab,0xde,0x74,0x4d,0xa5,0xb2,0xfa,0xcd,0x7a,0x9b,0x09,0x3d,0x6c,0x97,0x43,0x50, + 0x9b,0x01,0x03,0xba,0xb9,0xc8,0x1c,0x6e,0x5f,0x38,0xbc,0x97,0x18,0xe3,0xe4,0xfa, + 0xa8,0x64,0x75,0xd1,0x37,0x25,0xa8,0x29,0xac,0x61,0xdf,0x8d,0x15,0xf0,0xb2,0x7c, + 0xb4,0x0d,0x0e,0xba,0x0b,0x24,0x6b,0x9c,0x36,0x0b,0x56,0x9b,0x81,0xb3,0xab,0xf3, + 0x80,0xee,0xc2,0x74,0x92,0x31,0x6b,0xc2,0x92,0xe5,0x15,0x0e,0xe0,0x60,0x72,0x19, + 0xa2,0xbd,0x80,0xba,0x98,0x4c,0x7e,0x3f,0x19,0x89,0xbc,0x51,0xe4,0xc5,0xda,0x3a, + 0xe5,0x07,0x06,0x76,0xe0,0xc1,0x50,0xd0,0x37,0xa8,0x6a,0x0f,0x91,0xbf,0xc0,0x7c, + 0xde,0x64,0xc1,0x9f,0x9c,0x7a,0x7a,0xf4,0x4d,0x69,0x29,0x97,0x00,0x41,0x44,0x8d, + 0x3b,0x17,0xc2,0x49,0xd5,0xe0,0xb5,0x86,0x2e,0x9a,0x25,0x20,0x9e,0x8f,0x97,0xd7, + 0xa0,0xf0,0x30,0x18,0x15,0x04,0xfe,0xad,0x22,0x66,0xc8,0x73,0xfd,0x23,0x59,0x83, + 0xdf,0x3d,0x06,0x57,0xb9,0x20,0x96,0xe2,0xb4,0x90,0xdf,0x33,0xca,0x11,0x57,0x33), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0xf9,0x96,0xf3,0xad,0xc2,0xab,0xa5,0x05,0xad,0x4a,0xe5,0x2b,0xc5,0xa4,0x33,0x71, + 0xa3,0x3d,0x0f,0x28,0xe1,0x95,0x0b,0x66,0xd2,0x08,0x24,0x06,0x70,0xf3,0x52,0xef, + 0x96,0x18,0x5e,0x9a,0x70,0x44,0xf4,0xce,0x2f,0x2f,0xf9,0xae,0x01,0xa3,0x1e,0xf6, + 0x40,0xe0,0xb6,0x82,0xe9,0x40,0xc5,0x10,0x51,0x17,0x59,0x46,0x13,0xdd,0x1d,0xf7, + 0x4d,0x8f,0x2b,0xa2,0x0c,0x52,0x22,0x3b,0x04,0x5a,0x78,0x2e,0x85,0x0a,0x12,0xa2, + 0xaa,0x5c,0x12,0xfa,0xd4,0x84,0xf1,0xa2,0x56,0xd0,0xcd,0x08,0x72,0xd3,0x04,0xe8, + 0x85,0xc2,0x01,0xcd,0x7e,0x1e,0x56,0xd5,0x94,0x93,0x0b,0xb4,0x39,0x21,0x36,0xfb, + 0x49,0x79,0xcc,0x9b,0x88,0xaa,0xb7,0xa4,0x4b,0xfc,0x29,0x53,0x75,0x1c,0x2f,0x4c), + .s = chunk_from_chars( + 0x30,0xb3,0x48,0x62,0x4f,0xaa,0x99,0x85,0xfc,0xd9,0x5f,0x9c,0x7e,0xad,0x3a,0xfe, + 0x64,0x56,0xba,0xdf,0x8c,0x0f,0xed,0xbd,0xad,0xb3,0xa9,0x00,0x3a,0x67,0x02,0x97, + 0x3a,0xcd,0xb4,0xe8,0x66,0x52,0x36,0x7d,0xb2,0x3e,0x0a,0x81,0x41,0x88,0x0d,0x66, + 0x31,0x83,0x4f,0x9f,0x17,0x1c,0x94,0xa8,0xfe,0x9c,0x31,0x5b,0xcb,0x86,0x80,0xec, + 0xfb,0x5a,0x4f,0x59,0xb4,0x5d,0x4e,0x4c,0x3c,0x05,0x82,0x8b,0x7f,0xaa,0xa8,0xe4, + 0x23,0x4a,0xad,0xa4,0xe7,0x66,0x64,0x6c,0xc5,0x10,0xd0,0x7b,0x42,0xbd,0x38,0x83, + 0xa8,0x3b,0x5b,0xcb,0x92,0xd9,0xe7,0xcc,0x1d,0xdf,0x59,0x0a,0x69,0x01,0x11,0xbf, + 0xc6,0x2a,0x51,0xaf,0x7e,0x55,0x54,0x3e,0xa5,0x18,0x8c,0x92,0x45,0x3d,0x41,0xd3, + 0xe8,0xfd,0xab,0xee,0x3e,0x1d,0xef,0xa9,0xd0,0xaf,0xdb,0x85,0xc8,0x15,0x3a,0x50, + 0x19,0xae,0x45,0x56,0x3e,0xa3,0x08,0x0a,0x30,0x22,0x66,0x81,0x68,0xf0,0xc2,0x73, + 0xa6,0xdb,0x1a,0xfa,0xdc,0xd5,0xed,0xbc,0xa5,0x02,0x1c,0x2e,0x53,0xf4,0xd9,0x51, + 0xc6,0x04,0x20,0x6a,0xe1,0x0f,0x28,0x7f,0x45,0x18,0x67,0x27,0x1d,0x37,0x04,0x82, + 0x79,0x1c,0xdf,0xdc,0xb6,0xa4,0x01,0x0f,0x6b,0x3d,0x9b,0x92,0x85,0x63,0xd1,0x68, + 0xda,0x19,0xf1,0xc1,0xe5,0x70,0xf8,0xc1,0x58,0xf3,0xd4,0x90,0xb2,0x9a,0xa2,0x3a, + 0xbd,0x1f,0xfd,0xf2,0x08,0x66,0xc3,0x4c,0x6e,0x63,0xb9,0xe8,0xa9,0xa0,0x2d,0x7a, + 0x1b,0x19,0x6d,0x05,0x5f,0x4c,0x53,0xce,0x82,0xb4,0x00,0xe4,0xab,0x9e,0x1b,0x9d, + 0x70,0xd0,0x04,0x9d,0x6d,0x57,0xcf,0x0a,0x49,0x49,0xcf,0xc6,0x8d,0x63,0x38,0x82, + 0x88,0x2d,0xcf,0xdf,0xc5,0x0c,0xf4,0x49,0xdf,0x10,0xac,0xf2,0x03,0x05,0xc2,0xaa, + 0x43,0xbd,0xa1,0x0f,0xd8,0xa1,0x0b,0x4e,0xca,0xa2,0x31,0x00,0xaa,0x47,0xe9,0x29, + 0x36,0xdc,0xe1,0xbf,0xb8,0xd6,0x59,0x52,0x35,0xbb,0xfe,0x2c,0x85,0x85,0xcb,0x16, + 0x47,0xb2,0xbe,0xac,0xb1,0xe1,0xd4,0xb6,0xce,0xf7,0x58,0x81,0x1a,0x68,0x33,0x0f, + 0xa9,0xc3,0xa8,0x25,0x73,0xc0,0x8f,0xa2,0xcd,0xa5,0xa0,0x3f,0x34,0x25,0x55,0x4e, + 0x45,0xd9,0x8c,0x16,0x45,0xc5,0xbd,0x27,0xd1,0x2e,0x6c,0x20,0xb2,0xc4,0x62,0xa7, + 0x46,0xe8,0x82,0xa3,0x42,0x1a,0x7b,0x1b,0x1e,0x25,0xb4,0xc3,0x6c,0x8b,0x16,0xa1), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x6a,0xce,0x05,0x2d,0x7e,0x99,0xcd,0x97,0x3b,0xb5,0xc9,0xf6,0x67,0x9b,0x1c,0x30, + 0x5e,0x07,0x20,0x89,0x65,0xfe,0x58,0xc6,0x3b,0x10,0xa6,0x92,0xf1,0xdb,0xbe,0x22, + 0xfc,0xd0,0xdb,0x15,0x89,0x3a,0xb1,0x9e,0x10,0x7b,0xa2,0xe4,0x2c,0x99,0x34,0xa9, + 0xaa,0xfa,0xc3,0x2a,0xdf,0x6c,0x73,0x47,0x3f,0x69,0x69,0xe4,0x2c,0x98,0x3b,0x8f, + 0x0c,0x96,0xa4,0x63,0x9e,0xf7,0x7d,0x2c,0x8e,0x88,0xe8,0xcc,0x47,0xd7,0xcf,0xdd, + 0x08,0xf6,0x8d,0x97,0x3a,0x7b,0xea,0xf4,0x01,0xcb,0x4d,0x13,0x11,0x99,0x2d,0xda, + 0xc3,0xa9,0xc9,0xe0,0x67,0xda,0x19,0x8a,0xdc,0x63,0x04,0x74,0x5f,0x5d,0xd3,0x12, + 0xa1,0x82,0xe6,0x97,0x1c,0x34,0xa5,0x15,0xa6,0xc1,0xba,0xe6,0x47,0xe5,0x7e,0x4c), + .s = chunk_from_chars( + 0x5f,0x0e,0x74,0xf4,0x54,0x75,0x4a,0x30,0x74,0xfa,0xaf,0xc6,0x05,0xf3,0xc9,0xaf, + 0x47,0x60,0x4a,0x89,0x83,0x65,0x0a,0x9b,0x62,0x11,0xfb,0x19,0x1d,0x9a,0xfa,0x53, + 0x15,0xdf,0x4d,0xb4,0x50,0x1f,0xd4,0xf0,0x4c,0x74,0x1d,0x76,0x46,0x56,0xd4,0xa5, + 0xd0,0x06,0x38,0x8a,0xd8,0xfd,0xb2,0x19,0xec,0x6b,0x75,0x69,0x08,0xe2,0x3b,0x30, + 0xcb,0x63,0x9f,0xfa,0x7b,0xbf,0x28,0x74,0x71,0x3b,0xfd,0x5a,0x10,0x62,0xc1,0x9d, + 0x04,0xe0,0xe4,0xa7,0x4b,0x14,0x44,0x6a,0x7f,0xdf,0x5c,0xb8,0x12,0xe9,0xac,0x7b, + 0x60,0x12,0xd9,0xae,0x99,0x1c,0x47,0x65,0x6d,0x2a,0xde,0xd2,0x40,0x74,0xbb,0x8a, + 0x38,0xb1,0xa8,0x8b,0x1c,0x2b,0x13,0x1e,0x5b,0x09,0xc9,0x37,0x57,0xfd,0xb2,0xd6, + 0xb6,0x9a,0xa8,0x26,0x5a,0x43,0x5f,0xba,0x00,0xae,0xb3,0x6a,0x1f,0x62,0x9b,0xc3, + 0x4b,0x87,0x60,0x89,0xd2,0x8a,0x94,0x8d,0xd6,0xab,0x4c,0x89,0x94,0x30,0xda,0x60, + 0xa2,0x6f,0x6c,0x13,0x60,0x3f,0xc8,0x89,0xc7,0xb2,0x93,0x6c,0xa3,0xc5,0x15,0x6b, + 0xd7,0xfa,0x6e,0x34,0xea,0xc9,0xe0,0x48,0x00,0x83,0x3e,0xf0,0xcb,0x9b,0x6e,0xef, + 0x78,0x8c,0x0e,0xf0,0x02,0x1a,0x45,0x36,0xfb,0x83,0x71,0xfa,0x3e,0x2c,0x8b,0xb8, + 0xbe,0xfa,0xc1,0x6e,0x80,0x92,0xd6,0x9c,0x57,0x1c,0x1e,0x15,0xfd,0x25,0x5e,0xc0, + 0xa0,0x7a,0xcf,0x9a,0xe9,0x95,0x38,0x31,0xef,0xd3,0xdc,0xbe,0xf4,0x4e,0x0f,0xcc, + 0xeb,0xb1,0xaf,0x95,0x9d,0x71,0xf5,0x01,0x30,0xe8,0xac,0xb4,0xfa,0x23,0x19,0x26, + 0x1f,0xba,0x12,0xf2,0x71,0x5d,0xef,0x82,0xbf,0xaf,0xbf,0x40,0xe3,0x45,0xec,0x5d, + 0xcd,0xab,0x5c,0x1b,0xf5,0xf6,0x6b,0x1d,0x0e,0x9f,0x7a,0x9c,0x62,0xc9,0x37,0x57, + 0x46,0xe1,0xae,0x0c,0x8f,0x14,0xa4,0x89,0x18,0x43,0x83,0xe8,0x1d,0xce,0x20,0x70, + 0xad,0x4b,0x52,0x5d,0xf7,0x6b,0x44,0x6b,0x1f,0x22,0x92,0x1d,0x42,0x4d,0x9b,0xa3, + 0xce,0x21,0x57,0x75,0x01,0xdf,0x62,0x80,0xfd,0xc6,0x9f,0x02,0x39,0xae,0x11,0x27, + 0xb6,0x99,0x50,0x75,0x9d,0x5f,0x0b,0x69,0x3f,0x54,0xe8,0x7e,0x07,0x63,0x62,0x3b, + 0xf5,0xd3,0xff,0x69,0x43,0x00,0x81,0xb9,0xc9,0xe2,0x44,0x5a,0x05,0xe1,0x15,0x67, + 0x5e,0x09,0x0b,0xca,0xb2,0xaa,0x1d,0x75,0xce,0xee,0x2a,0xd6,0x19,0xec,0x8b,0x80), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x0e,0x49,0x74,0x0f,0xdc,0xca,0x6b,0xfc,0xe2,0x94,0xc1,0x1f,0x45,0x40,0x78,0x05, + 0xb3,0xda,0x41,0x2b,0x01,0xef,0x3f,0xb5,0x13,0xe7,0x0e,0x62,0xfd,0x95,0x04,0xc0, + 0x67,0x0d,0xb6,0x9c,0x36,0xb6,0xbe,0xbd,0x69,0xa0,0xbc,0xd2,0x40,0x17,0x9b,0xa8, + 0xa4,0x78,0x16,0xa0,0xc3,0x43,0x7a,0x61,0xfb,0x72,0xad,0xca,0xf9,0x09,0x6f,0x2a, + 0x22,0xef,0xe0,0xb4,0x31,0xfc,0x42,0x2d,0x22,0x53,0x01,0xe8,0x50,0xf2,0xf0,0xf4, + 0xda,0x87,0xd6,0x94,0x4a,0x85,0x29,0xef,0x79,0x78,0x19,0x09,0xad,0x96,0xd1,0xf2, + 0x05,0x96,0xf9,0x3e,0x17,0xc5,0x7f,0xb4,0xd7,0x56,0x97,0x4b,0xbb,0xf9,0x00,0x52, + 0x1c,0xb0,0x89,0xee,0xe0,0xde,0xd5,0xc9,0x56,0xa1,0x5b,0x09,0x61,0x62,0xb0,0x7f), + .s = chunk_from_chars( + 0x7b,0xbb,0x3d,0xdd,0x17,0xa4,0x2b,0xe7,0xcc,0x4e,0x7e,0xaf,0x45,0x65,0x09,0xa4, + 0xba,0x58,0xd4,0x0c,0x49,0xa3,0xd9,0x95,0x73,0xb7,0x33,0xe1,0x94,0x2f,0x9f,0xca, + 0x20,0xba,0x8b,0x91,0x07,0x08,0xd6,0xe7,0x50,0x36,0x7e,0x84,0x73,0x02,0xfc,0x60, + 0x3b,0x80,0x63,0xc1,0x9a,0xf8,0x83,0xe7,0x50,0x7f,0xb0,0xd9,0xcc,0x2b,0xe3,0x74, + 0x79,0xa3,0x7c,0xca,0x25,0xb8,0xc7,0xc4,0x6f,0x6b,0xf6,0x61,0xdc,0x6a,0x32,0x32, + 0xf8,0x8b,0x48,0x3f,0x1b,0x8f,0x41,0xb4,0x6d,0x49,0xba,0x3f,0x17,0x95,0xd6,0x8e, + 0xaa,0xd4,0xa2,0x55,0x6f,0xb5,0xd7,0x87,0x3b,0xbb,0x65,0x01,0xec,0xf0,0x6a,0xc5, + 0x58,0x23,0x5e,0xd1,0x39,0x90,0xb0,0xe1,0x6f,0x67,0x96,0x5b,0x09,0x36,0x6b,0xcb, + 0x36,0x2c,0xfc,0x6f,0xb9,0x78,0xf4,0xf6,0x8d,0x81,0x46,0xdc,0x8b,0x81,0x98,0x04, + 0xdf,0x42,0x4e,0x8c,0xa5,0xb6,0x3c,0xf1,0xfc,0xf9,0x7b,0xbf,0x30,0x0d,0x0b,0x99, + 0x88,0x60,0x79,0x8a,0x63,0x42,0x43,0x83,0xfc,0xd8,0x1d,0x37,0x77,0x3d,0x59,0xbb, + 0x13,0xb4,0xfa,0x5d,0x46,0x8c,0xd1,0x28,0xbb,0xab,0x18,0xa8,0xce,0x51,0x73,0xbe, + 0x5d,0x9d,0x54,0xd3,0x17,0x7f,0x02,0x45,0x78,0x84,0x09,0x97,0x3d,0xf4,0xa9,0x01, + 0x6b,0x94,0x4b,0xae,0xfb,0xf3,0xbf,0x11,0x46,0xa9,0x39,0x3d,0x22,0xe3,0x5e,0xc2, + 0xbe,0x0a,0xe6,0xf4,0xc3,0x1d,0xc4,0x98,0x1f,0x40,0xfc,0x1b,0xaf,0x38,0x26,0x00, + 0x69,0x9e,0xaf,0xce,0xa9,0x2c,0xbe,0x24,0xe2,0x6e,0xe8,0x46,0xfa,0x23,0xbc,0x19, + 0x3b,0x6e,0x72,0x14,0x01,0xb7,0xac,0x3f,0x5f,0x4e,0xbe,0xb6,0x33,0x97,0x9f,0x8e, + 0xf3,0x5f,0x4a,0xb1,0x11,0x7a,0x86,0x9d,0x5b,0x9d,0xbb,0x74,0x82,0xf0,0xd5,0xa5, + 0x9e,0x41,0x63,0x54,0x8d,0x25,0x12,0xae,0x06,0x72,0x05,0xb5,0x7d,0x03,0x0c,0x48, + 0x3f,0x72,0x0d,0x2c,0x44,0x35,0x04,0x28,0xf5,0x26,0x89,0x43,0xfc,0x5f,0x6e,0xa1, + 0xc8,0x8e,0x2e,0xc1,0x3a,0xb3,0xdc,0x14,0x56,0xe9,0x6a,0x3b,0x8e,0x7c,0x12,0x1a, + 0xf4,0xd6,0xa5,0xfe,0x4e,0xe5,0x5e,0x99,0xfb,0xc3,0x59,0x2a,0x48,0x7c,0x19,0x4b, + 0xc2,0xf2,0xbf,0x6e,0x79,0xfb,0x79,0xc2,0x87,0x6c,0xf3,0x36,0x5e,0x07,0x5b,0xee, + 0xac,0xc7,0xdb,0x4d,0xb7,0xee,0x69,0xe7,0xf1,0xfe,0x12,0xa3,0x27,0xe6,0xcb,0x0f), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x0e,0x67,0x5d,0xac,0x9a,0xec,0x91,0x01,0x06,0xa6,0xab,0x21,0x9b,0x4c,0xce,0xb5, + 0x2d,0xed,0x25,0x49,0xe8,0x99,0xc9,0xa2,0x4d,0x5e,0xe5,0x51,0x77,0x76,0x18,0x88, + 0xa3,0xbe,0x1a,0x2d,0xef,0x6a,0xa3,0x2d,0x62,0xf7,0x88,0x13,0x2d,0x62,0x27,0xd9, + 0x30,0x98,0x06,0xfd,0xc0,0x2d,0xb7,0xd8,0xa8,0x50,0xff,0x2c,0x6d,0xff,0x37,0xfc, + 0xd7,0x77,0xf1,0xa0,0xac,0xef,0xdf,0x18,0xbf,0x85,0xf1,0xa1,0x29,0x79,0xbe,0x86, + 0xd7,0x99,0x25,0x39,0x45,0xfc,0x34,0xa2,0x88,0xf3,0x48,0xb7,0x92,0x3d,0x76,0x4d, + 0xb2,0x7a,0x2a,0x2d,0x5a,0xe2,0x0e,0x6b,0x25,0x37,0x2e,0xf3,0x18,0xf8,0x59,0x65, + 0x29,0xd8,0xca,0x23,0xfd,0x6f,0x08,0xa8,0xf6,0x2e,0x0a,0x1b,0x6d,0x98,0x9f,0x23), + .s = chunk_from_chars( + 0x80,0x52,0xd9,0x5f,0x12,0xce,0x0e,0x6e,0x53,0xa5,0xa3,0x56,0xa0,0xeb,0x35,0x3b, + 0xdc,0xc1,0xa6,0x65,0x14,0xd6,0xcf,0xb3,0xa3,0xd9,0x61,0x55,0x31,0x0b,0xdd,0xa0, + 0xa0,0xd1,0x79,0x5f,0x97,0x64,0x3f,0x3a,0x44,0x96,0x63,0x4f,0x2d,0xd9,0xb9,0x5a, + 0x21,0x38,0xee,0x39,0x0e,0x1e,0x74,0xbe,0x31,0x34,0xf3,0xf4,0x7a,0x91,0x9e,0xe7, + 0xb5,0x9f,0x8e,0xcd,0x27,0x2a,0xb8,0x8c,0x82,0xcb,0xce,0x7c,0x21,0x7e,0x5f,0x92, + 0xd0,0x57,0xa5,0xb0,0x0f,0xbf,0x05,0x75,0xcd,0xae,0xcd,0x7d,0xc2,0x85,0xa4,0x21, + 0x8c,0x8a,0x95,0x52,0x16,0x59,0x8f,0x07,0x42,0x67,0x1e,0x01,0x8e,0x8e,0x4e,0x76, + 0x83,0x9a,0x57,0x5f,0x50,0xb2,0x10,0x2a,0x8b,0x77,0xd1,0xb8,0x4f,0x6d,0xce,0x98, + 0xd7,0x8e,0x57,0x58,0xe0,0xa6,0xf9,0x2b,0xf3,0x5d,0x6a,0x2f,0x18,0xad,0x40,0x09, + 0x25,0xd7,0x88,0x0f,0x9e,0xfc,0x77,0x4a,0x8c,0x7e,0xbf,0x64,0x88,0x5c,0xd2,0xf6, + 0xf6,0x29,0xb5,0x4a,0x7c,0x12,0xec,0x91,0xd3,0x9b,0x3c,0x25,0x18,0x24,0x1f,0xdc, + 0x32,0x2d,0x9b,0x23,0x5a,0x8e,0xa4,0x4f,0x77,0xe8,0x2f,0x3d,0xc4,0xf7,0x28,0xf6, + 0x20,0xc0,0x7d,0x1e,0x7f,0xf4,0x09,0x4f,0x29,0xc6,0x74,0xab,0x0f,0x08,0x02,0xef, + 0xa1,0xc9,0xe6,0x48,0x1e,0xbb,0x84,0xe0,0xbf,0x13,0xef,0x46,0x8d,0x8c,0xca,0x11, + 0x45,0x70,0xb9,0xed,0xcd,0xdf,0x98,0xac,0x4a,0x83,0x4f,0xe7,0xa0,0xd5,0xc6,0xfa, + 0xe8,0xa6,0x0a,0x48,0x39,0x9f,0x3c,0x8a,0xf4,0x2f,0xf4,0x02,0x6e,0x42,0xa8,0x1a, + 0xac,0x36,0x11,0x4f,0xfc,0x05,0x3f,0x3f,0x72,0x9b,0x7c,0xf9,0xa9,0x7a,0x56,0x84, + 0x8e,0xbe,0xa0,0x11,0x5a,0xa8,0x29,0x83,0x41,0xaa,0x22,0x69,0x63,0xeb,0xdf,0x57, + 0xab,0x2d,0x8e,0x4b,0x90,0x00,0xdd,0x05,0x1a,0x6c,0x5d,0x69,0xf6,0x0e,0x1d,0xc1, + 0xb3,0x3f,0x20,0x94,0xfd,0xbf,0x8e,0x5b,0x62,0x7b,0xc0,0x76,0x4d,0xb9,0x52,0x2c, + 0xbb,0xc0,0x81,0xdb,0xf3,0x8c,0x21,0xb1,0x3f,0x98,0x08,0x13,0xbd,0x2b,0x00,0xc7, + 0x57,0xeb,0xb8,0xc0,0xb2,0x12,0x13,0x15,0x2e,0x69,0x40,0x39,0xf3,0x06,0xf7,0x34, + 0x28,0x57,0x65,0x1f,0x72,0x2b,0xdd,0xa0,0x12,0x12,0xa8,0x55,0x27,0x99,0xbd,0xa6, + 0xef,0x07,0xc5,0x20,0x7d,0xc7,0x44,0xef,0x79,0x69,0xaf,0xd5,0xaf,0x2e,0x6f,0x12), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0xf6,0xa7,0xa6,0xe5,0x26,0x59,0x12,0x5f,0xbb,0xc8,0x72,0x74,0x17,0x28,0x3b,0x9a, + 0x64,0x44,0x1f,0x87,0x12,0x1e,0x27,0xf3,0x86,0xd5,0x01,0x9f,0x10,0xcc,0x9b,0x96, + 0x1e,0x09,0xf1,0xb3,0xb0,0xdb,0x23,0x63,0x0c,0xc0,0xca,0xac,0xb3,0x85,0x8c,0x6f, + 0x93,0xaf,0xee,0xea,0x7e,0x1a,0x6a,0x80,0xdb,0xe0,0xc2,0xbd,0x9c,0x7c,0x93,0x95, + 0x70,0x30,0x2d,0xec,0x39,0xa4,0xa2,0x5c,0xc0,0xcf,0x1d,0x32,0xa7,0x1a,0x75,0xb9, + 0xa0,0xc3,0x02,0xbc,0xdd,0x80,0xb0,0x46,0xc8,0x66,0x51,0xac,0xf3,0x08,0x38,0xcd, + 0x52,0xe3,0x03,0x99,0xa8,0xfa,0xb8,0xd0,0x3f,0xbd,0x14,0x0c,0xdc,0x2f,0x1f,0x02, + 0xf2,0x48,0x04,0x05,0x16,0x98,0x20,0xcc,0xb3,0x2e,0x59,0x74,0xff,0xb8,0xb1,0xc8), + .s = chunk_from_chars( + 0x84,0x60,0x3a,0xcb,0xfe,0x1f,0x2f,0x76,0x9f,0x1a,0x62,0xb0,0xf2,0x87,0xf3,0x06, + 0x94,0x0b,0x22,0x54,0x76,0x71,0x4a,0x4b,0x68,0x27,0xc0,0x2d,0x7b,0xd0,0x52,0xf3, + 0x03,0xf3,0x0a,0x5f,0xa6,0xda,0x83,0xe6,0x06,0x15,0x30,0x56,0x69,0xca,0x9e,0xc1, + 0x77,0xc5,0xb3,0x2b,0x14,0x15,0xee,0xbe,0xf7,0x86,0x20,0x29,0x6e,0xba,0xd6,0xdb, + 0xbd,0x52,0x08,0x39,0xd3,0xaa,0xcc,0x97,0x81,0xac,0x86,0x02,0xdd,0xce,0x07,0x36, + 0xdc,0xfa,0x72,0x90,0xb4,0x5f,0x15,0x5b,0x8e,0x92,0x4d,0x0a,0xfd,0xf7,0xdf,0xc8, + 0xd1,0x99,0xbf,0x09,0x50,0x9d,0x01,0x76,0xa6,0x8b,0x14,0x57,0x56,0xee,0xf5,0x3d, + 0xe4,0x56,0xe1,0x70,0x78,0x85,0x98,0x49,0xa3,0x52,0xa5,0xbb,0x65,0x42,0x39,0xd8, + 0xeb,0xaf,0x88,0x00,0xca,0x82,0x63,0xd3,0x4a,0x86,0x8d,0x52,0xbf,0x8f,0x22,0x64, + 0x4d,0xd9,0xf3,0xc0,0x5b,0xd8,0x91,0xcd,0x92,0xf2,0x63,0x53,0x0c,0x58,0x96,0x02, + 0x3c,0x6b,0x21,0x3d,0xdb,0x64,0xed,0xe1,0x77,0x0f,0xf1,0x68,0x6c,0x34,0x03,0x6e, + 0x28,0x1e,0x91,0x1d,0x9d,0xc9,0x60,0x35,0x4f,0xd8,0x44,0xcb,0x7b,0x22,0xdc,0x0c, + 0xd8,0x1a,0x96,0x20,0x3b,0xa8,0x18,0x40,0x1c,0xcc,0x22,0x5f,0x85,0x7e,0x59,0xa5, + 0xcb,0x7b,0xa6,0xdf,0xc7,0xf5,0x13,0x5e,0xa3,0x27,0x81,0xe6,0x3d,0xaa,0x14,0xfb, + 0xda,0x1b,0xac,0xc1,0x8e,0xbc,0x50,0x82,0x4d,0x40,0x28,0xb8,0xfd,0xec,0xda,0x49, + 0xe8,0x10,0xba,0xe5,0xac,0xc8,0xad,0xc0,0xdc,0xa2,0xe2,0x36,0xfc,0x83,0x2a,0x97, + 0x33,0x0a,0x12,0x14,0xfa,0x0a,0xed,0x15,0xcd,0x10,0xc0,0x49,0xef,0xb6,0x5c,0xe8, + 0x55,0xc0,0x60,0xf0,0x5b,0xef,0xb3,0x17,0xb8,0x06,0x58,0x43,0xc4,0xeb,0x5a,0x03, + 0x71,0xfc,0x6f,0x20,0x9f,0x6f,0xfb,0x94,0x8c,0x88,0x1f,0x2f,0x20,0x91,0xca,0xf0, + 0xf5,0x9f,0x60,0xb7,0x2c,0x5f,0x67,0x27,0x1b,0xae,0x96,0xb9,0x13,0xfd,0x21,0xfa, + 0x1d,0xfa,0x97,0x5d,0x5e,0xcd,0x62,0xb0,0xd5,0x08,0x73,0xb6,0x86,0xd2,0x9c,0x88, + 0x0d,0x36,0xed,0xca,0xd3,0x3e,0xc3,0xe2,0x21,0x6c,0x9c,0xfc,0xfb,0x4f,0x98,0x4c, + 0x23,0xfd,0xe8,0x15,0xe2,0x80,0xa8,0x02,0x42,0x86,0x08,0xbe,0xd3,0x73,0x9a,0xf9, + 0x20,0x0d,0xe1,0xf8,0x5e,0xde,0xe2,0x83,0x4c,0x04,0x94,0x2c,0x06,0x8a,0xac,0xd2), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0xbb,0x29,0x4b,0x95,0xd9,0x13,0x00,0x5b,0x11,0x09,0x87,0xcd,0xe4,0x58,0x87,0x48, + 0x4a,0xe6,0xdf,0x79,0x48,0x73,0xdf,0xc5,0xc4,0x1f,0xb7,0xe8,0x99,0x2c,0x2f,0xdc, + 0xe7,0x06,0x99,0xfc,0xac,0x80,0x04,0x69,0x99,0x61,0xb3,0xad,0x1e,0x1f,0xce,0x9e, + 0xc8,0xea,0x56,0x85,0xcc,0xec,0x5e,0x80,0xe4,0xd0,0x79,0x25,0x59,0x81,0x6f,0x68, + 0x61,0x34,0x34,0xbf,0xac,0xa8,0x1a,0x84,0x3a,0xac,0x45,0x9a,0x6f,0xe3,0x5f,0x53, + 0x69,0xc4,0x8e,0x91,0x91,0xe4,0xa3,0x2c,0x70,0x78,0x95,0x94,0xc5,0x15,0x2d,0xb8, + 0xd4,0xbb,0x02,0x26,0x00,0x12,0xa8,0x73,0x9c,0xf3,0x25,0xdd,0xff,0x2a,0xa4,0x2f, + 0xd6,0x7b,0x6e,0xe5,0xbf,0xe3,0x15,0x91,0x13,0x1f,0xf2,0x7d,0x02,0x73,0xd2,0x92), + .s = chunk_from_chars( + 0x32,0x63,0x7c,0x60,0x79,0x8b,0x45,0x0b,0xff,0x10,0x0b,0xff,0x12,0x83,0x83,0x57, + 0xde,0xff,0x28,0x1d,0x5b,0x31,0xe4,0xf4,0xc2,0xcf,0xc9,0x6e,0xb7,0x79,0xce,0x6d, + 0x31,0xb1,0xce,0x8b,0xd7,0xaa,0x7f,0xa8,0x8d,0xdc,0x42,0x79,0xc8,0xc3,0x28,0x06, + 0x04,0xb0,0x18,0xcc,0xf4,0x52,0x00,0x4a,0x14,0x88,0xed,0x47,0x50,0x18,0x1c,0x50, + 0x25,0x63,0x65,0x11,0xac,0x67,0x24,0xfe,0x51,0x76,0x1c,0x27,0xd7,0xcf,0x9a,0x0c, + 0x87,0x82,0xea,0x22,0x31,0x26,0x88,0x53,0xc4,0xb1,0xf7,0xac,0xb0,0x00,0x5e,0x56, + 0x87,0xc8,0xf3,0xdf,0x16,0xc9,0x62,0xf0,0x2c,0xe5,0x6b,0x23,0xd3,0x87,0xa2,0xba, + 0xad,0xc8,0xbe,0xc9,0x42,0x29,0xc3,0x55,0x75,0x26,0xe6,0x17,0x07,0xa8,0xb5,0x92, + 0x93,0xa9,0x76,0xe3,0x2c,0x7f,0xa1,0x33,0x28,0x50,0x88,0xf3,0xce,0x3e,0x67,0x77, + 0x88,0xaa,0xa9,0x47,0xe7,0x62,0x2c,0x75,0x7e,0x84,0x4b,0x11,0x75,0x92,0xbe,0x99, + 0xfe,0x45,0x37,0x6f,0x8b,0x30,0x13,0xe8,0x77,0x2e,0xc9,0x2c,0x5b,0xb0,0xb9,0xfa, + 0x30,0x1b,0x95,0x54,0x45,0x99,0x69,0x0a,0xd9,0x36,0x68,0xd8,0x3b,0x2d,0xaa,0x7d, + 0xf0,0x5c,0x66,0x21,0x4e,0x27,0x50,0x14,0x78,0x0a,0x91,0x2d,0x8b,0x19,0x32,0xd7, + 0xa6,0x55,0x05,0x8e,0x74,0x3f,0x50,0xb0,0x74,0xb1,0xd9,0x69,0x1c,0xa2,0x3a,0x2f, + 0x95,0xf6,0xaf,0xfb,0xd5,0x16,0xd6,0x4c,0xcb,0x2a,0xa4,0x3c,0x23,0x6e,0xb9,0x5d, + 0x36,0xd2,0x72,0x54,0x5e,0x3b,0xeb,0x8f,0xf5,0xaa,0xcd,0x95,0xb3,0x0f,0x7f,0x1d, + 0x64,0x18,0xaf,0x04,0x2c,0xd9,0xa0,0xcf,0x01,0x89,0x84,0x62,0x62,0x32,0x2a,0x18, + 0x87,0x5a,0xe4,0xc3,0xe6,0x8e,0x4e,0x8f,0xfa,0xa0,0x27,0x6c,0xdd,0x99,0xa0,0x04, + 0x7c,0x86,0xc0,0xf7,0x1d,0x2d,0xee,0xfd,0x50,0x64,0x2d,0x29,0xc1,0x95,0xe6,0xd1, + 0x4f,0xb4,0x6f,0xba,0xc3,0x3a,0x50,0x8c,0x1f,0x03,0xa2,0x32,0xde,0x08,0xaa,0xe0, + 0x9f,0xaf,0x1d,0xa8,0xed,0x2b,0xa2,0xae,0x84,0xbc,0xca,0x88,0xb7,0x8d,0xcc,0xbd, + 0xe9,0xaf,0xde,0x08,0xa3,0xbe,0xb3,0x22,0xdc,0x79,0x35,0x6b,0x29,0xc8,0x48,0x41, + 0x69,0x89,0x14,0xb0,0x50,0xbe,0xb7,0x5a,0x7b,0x2f,0x67,0x01,0xaa,0x81,0x01,0xa5, + 0xa4,0x95,0x5e,0xe2,0x7b,0xaf,0xe8,0x1b,0x21,0xd0,0x3b,0x43,0xe3,0xc7,0x73,0x98), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0xf9,0x46,0xc6,0xbd,0x5e,0x1d,0x6b,0x89,0x09,0x2f,0x3c,0x48,0x7c,0x05,0x68,0xfa, + 0x07,0xc3,0x56,0xfa,0xe9,0xb8,0xe8,0x31,0xb8,0x32,0x02,0x89,0x03,0x97,0x46,0xa4, + 0x35,0xb1,0x22,0xcf,0xbc,0x4a,0x0d,0x31,0x6b,0xf9,0x0d,0x48,0x1d,0x3b,0x7d,0x97, + 0x9c,0xc5,0x0d,0x98,0xc1,0x19,0x0a,0xf8,0xdc,0x58,0xe0,0x03,0x55,0x57,0xdd,0x5e, + 0x94,0xf4,0x37,0xf4,0x1f,0xab,0x51,0x32,0x02,0x64,0x3a,0x77,0x74,0x8f,0x76,0xc6, + 0xb7,0x73,0x02,0xbf,0x40,0xc3,0x92,0xcd,0x18,0x73,0x1d,0xa0,0x82,0xc9,0x9b,0xde, + 0xde,0xb7,0x0e,0x15,0xcd,0x68,0xbf,0xf5,0x96,0x19,0xca,0xbc,0xc9,0x2a,0xdc,0xf1, + 0x22,0x75,0x3c,0x55,0xaf,0xde,0x08,0x17,0x35,0x2b,0xc2,0x47,0xd1,0x17,0x0b,0x8d), + .s = chunk_from_chars( + 0x50,0x70,0x6b,0xa4,0x9d,0x9a,0x31,0x66,0x88,0xa3,0xee,0x80,0xa0,0xbd,0x98,0x67, + 0x57,0xd4,0x3e,0xc8,0x32,0x85,0xaf,0x9e,0x78,0x19,0x6b,0xd5,0x2c,0x90,0x0d,0x40, + 0xb2,0x80,0xfa,0x0d,0xe5,0x4e,0x35,0xac,0xe7,0xd6,0x66,0x00,0x12,0xf1,0xa6,0x62, + 0x04,0x09,0x2f,0x0e,0x63,0x4b,0x97,0xe0,0xe5,0x16,0x65,0xb4,0x07,0x5e,0x36,0xf1, + 0x42,0x22,0x66,0xc7,0xca,0xd7,0xb2,0xd9,0x98,0x1b,0x91,0x3d,0xf3,0xfa,0x3e,0x6a, + 0x5a,0x1c,0xad,0xfc,0x63,0x78,0xa8,0x54,0x0e,0x0f,0xaa,0x26,0xf1,0xcc,0x6f,0xb2, + 0xfb,0x49,0x2a,0x80,0xd0,0xa6,0x94,0x5b,0xce,0x5b,0xbc,0x23,0xdd,0xb3,0xb1,0x07, + 0x01,0xf0,0x24,0x9b,0x27,0x40,0x7a,0x67,0x00,0x80,0x2e,0x88,0x42,0xef,0x3c,0xc7, + 0x61,0xc4,0x82,0x3a,0xcb,0x5d,0x14,0x53,0x50,0x8d,0xcd,0xbb,0x97,0x9e,0x7b,0xd8, + 0xd0,0x01,0x28,0xe6,0x0a,0x9b,0x37,0x89,0x16,0x7c,0x91,0x41,0x7d,0x93,0xf0,0xe9, + 0xfb,0xb0,0x0c,0x9a,0xf1,0x49,0x8e,0x09,0xeb,0x64,0x85,0xeb,0x94,0xce,0xa4,0x88, + 0x3f,0x6a,0x25,0x6e,0xab,0x2c,0xaa,0x82,0x6d,0xe4,0xfd,0xac,0x01,0xba,0xca,0x3a, + 0x21,0x6e,0x3d,0x20,0x4a,0x3d,0x83,0x7f,0xfd,0x4d,0x0b,0xe2,0xb2,0xce,0xf7,0x11, + 0x90,0x90,0x54,0xc4,0xda,0x1d,0x5b,0x93,0xa8,0xf9,0x84,0x51,0xc7,0x00,0x2a,0xe8, + 0x4a,0x5e,0x70,0x80,0xd9,0x86,0x71,0xc5,0x0e,0x3c,0x91,0xc4,0x08,0x7d,0x04,0x77, + 0xb1,0x04,0xf9,0x16,0x01,0x0e,0x74,0x2f,0x2d,0x20,0x7f,0xb4,0x0d,0x12,0x2d,0x8f, + 0x21,0x1a,0xf6,0xd7,0xc5,0xec,0xa4,0x95,0x42,0xd9,0xac,0xb0,0xf1,0x66,0xe3,0x6a, + 0xbc,0x37,0x15,0x50,0x70,0xc1,0x2e,0x9f,0x28,0xb9,0x07,0xd6,0x7a,0x2c,0xa7,0x0b, + 0xfc,0xe5,0x54,0xe1,0xc4,0x4c,0x91,0x52,0x0e,0x98,0xfc,0x9a,0xd0,0xc0,0xee,0x47, + 0x7f,0x75,0x05,0x16,0x47,0x6a,0x94,0x16,0x80,0x66,0xce,0x47,0x00,0x00,0x30,0xa9, + 0x9c,0x23,0xe2,0xc3,0x87,0x55,0xde,0x94,0x6d,0x5e,0xdf,0x0d,0x6a,0xa9,0x42,0x12, + 0xf9,0x92,0x31,0x5b,0x24,0x8c,0x1f,0x82,0x72,0x3b,0x29,0xc4,0x22,0x16,0xc7,0x8c, + 0xdc,0xb6,0x68,0xf1,0x12,0x78,0x26,0x1c,0xee,0x92,0x52,0xc8,0xfd,0x0e,0xd3,0x7d, + 0x0a,0x85,0x80,0xca,0x9b,0x9f,0xde,0x75,0x05,0x61,0x59,0x43,0x71,0x2d,0xa1,0x9a), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x9a,0x33,0x7d,0x4c,0x0b,0xb9,0xa0,0x05,0xb4,0x7f,0x47,0x65,0xd6,0x96,0xd1,0x9d, + 0xec,0x58,0xbc,0x84,0x82,0xf2,0x17,0x3a,0x4a,0x20,0x3a,0x0b,0x6d,0x38,0xb4,0x96, + 0x1f,0x6a,0x85,0x2e,0x76,0x46,0x8e,0x80,0x7c,0x7e,0x45,0x76,0x83,0xee,0xad,0x5c, + 0xb8,0xd9,0x86,0x42,0xfb,0x76,0xc0,0xa1,0xee,0xab,0x36,0x41,0x4c,0x18,0x99,0x59, + 0x7d,0x57,0xaa,0xf9,0x67,0x82,0xad,0xa5,0x86,0xf6,0x1a,0x42,0x3f,0x57,0x95,0x37, + 0x71,0xd5,0x20,0xcc,0x4e,0xad,0x90,0xd5,0x69,0xf2,0x3d,0x95,0x0f,0x8d,0xfe,0xdd, + 0xdb,0x83,0x55,0x74,0x85,0x76,0xe6,0xbb,0xfb,0x6f,0x2e,0x91,0xb3,0xda,0x71,0x75, + 0x3f,0xd2,0xf4,0xea,0x22,0x9f,0x6d,0x20,0xe2,0x7d,0xb8,0xd0,0x5e,0x9f,0xcb,0x68), + .s = chunk_from_chars( + 0xcf,0xf7,0xaa,0x7f,0x87,0x56,0x42,0xfb,0x93,0x43,0xe0,0x7e,0xf5,0xe7,0x30,0x3b, + 0xbf,0x5f,0x06,0x9b,0x44,0xc1,0x9f,0xbf,0x83,0xe5,0x9d,0x42,0x2e,0x25,0x26,0x7e, + 0xf9,0x30,0x74,0x14,0xb6,0xb1,0xef,0x61,0x71,0x1e,0xd0,0x01,0x32,0x76,0xd1,0xa2, + 0xad,0x98,0x39,0x04,0x74,0x02,0x7a,0x0a,0x70,0x3b,0xfe,0x8a,0x6e,0x87,0x70,0x60, + 0x59,0xd8,0x9c,0x06,0x09,0x80,0xc9,0xc9,0xe6,0x0d,0xc7,0xe1,0xfb,0x9f,0x77,0x7a, + 0x41,0x78,0x5a,0xb4,0xd2,0xb6,0x63,0xba,0x0e,0x3c,0x19,0x21,0x54,0x5c,0x47,0x9c, + 0x2a,0x38,0x3a,0x50,0xda,0x8e,0x48,0x9c,0xb2,0x2b,0x71,0x10,0x1d,0x0e,0xc1,0x48, + 0xac,0x70,0x92,0x87,0x32,0xa7,0x72,0x19,0x5a,0x14,0x0d,0x08,0x01,0x52,0x76,0x2a, + 0x9c,0x40,0x80,0x3a,0x39,0xfa,0x2a,0x69,0x78,0xc2,0xa7,0x5a,0xc4,0xd8,0xbd,0x1b, + 0xcc,0xaa,0x1f,0x42,0x04,0xba,0x65,0xed,0xdd,0xf3,0x2f,0xed,0xf2,0xd9,0xd0,0xa3, + 0xae,0xd9,0xb0,0x6c,0x47,0xe7,0x17,0x73,0x3c,0x57,0x78,0x12,0xd7,0x23,0xdb,0xa7, + 0x4a,0x85,0x2b,0x29,0x05,0x23,0x5c,0x81,0x2d,0xc5,0xf1,0xd0,0xdf,0x0f,0x0d,0xe7, + 0x3d,0xfb,0x86,0x22,0x1c,0x6f,0xfd,0xd1,0xed,0xa1,0x19,0xbb,0xe9,0x8d,0x14,0x8a, + 0xdd,0x36,0xa4,0xfe,0x50,0x48,0x9b,0x06,0xaa,0xee,0xfc,0xb5,0xc2,0x06,0x6d,0x90, + 0xfa,0x79,0x73,0x87,0x06,0xcd,0x18,0xe4,0x74,0xd6,0x96,0x09,0xff,0x12,0x10,0xc7, + 0x7d,0xe7,0xcd,0x23,0xba,0x2a,0x77,0x5a,0x43,0x29,0xcb,0x27,0x1a,0x82,0x6d,0x60, + 0x2c,0x40,0x1a,0x71,0x43,0x90,0x19,0xce,0xc1,0x0c,0xd9,0xf1,0x84,0xc4,0xd0,0x45, + 0x84,0x21,0x18,0x27,0xb1,0x9e,0xad,0xac,0x32,0x58,0xd8,0xa0,0xf2,0x63,0x16,0x13, + 0xf0,0x51,0xaa,0xe0,0xc6,0x13,0x05,0x0c,0xb2,0x44,0x42,0xf1,0x5e,0xd4,0xfe,0x0d, + 0xbd,0x29,0x0e,0x42,0x62,0x91,0x41,0xbd,0x2c,0xd5,0x6d,0x20,0x58,0x4a,0x1d,0x10, + 0xe1,0xf2,0xc2,0xa9,0xec,0x73,0x14,0x33,0xd5,0xbc,0xd1,0xd3,0x18,0xbe,0xd5,0x24, + 0x3b,0x4b,0x7d,0x0f,0x9a,0x79,0x82,0x06,0x1c,0x55,0xdf,0xaa,0x86,0xb2,0xc0,0x18, + 0x45,0xc0,0x21,0xfd,0xd2,0xa9,0x78,0xd4,0x20,0x34,0x21,0x2f,0x43,0xb3,0x35,0x1b, + 0x6a,0xde,0xb0,0x3b,0xdd,0x6c,0xaf,0x7d,0xe0,0x59,0x50,0x2f,0x16,0xd7,0x73,0x48), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x32,0xfd,0x45,0xe7,0x3f,0x6f,0x69,0x49,0xf2,0x0c,0xab,0x78,0xc0,0xcc,0x31,0xd8, + 0x14,0xba,0xea,0x63,0x89,0x54,0x6a,0x36,0x5d,0x35,0xf5,0x4f,0x23,0xf1,0xd9,0x95, + 0xb7,0x41,0x01,0x18,0x77,0x60,0xc8,0x9b,0xb0,0xb4,0x0b,0x50,0x57,0xb1,0x82,0xe2, + 0xfa,0xfb,0x50,0xb8,0xf5,0xca,0xd8,0x79,0xe9,0x93,0xd3,0xcb,0x6a,0xe5,0x9f,0x61, + 0xf8,0x91,0xda,0x34,0x31,0x0d,0x30,0x10,0x44,0x1a,0x71,0x53,0xa9,0xa5,0xe7,0xf2, + 0x10,0xeb,0xe6,0xbc,0x97,0xe1,0xa4,0xe3,0x3f,0xd3,0x4b,0xb8,0xa1,0x4b,0x4d,0xb6, + 0xdd,0x34,0xf8,0xc2,0xd4,0x3f,0x4a,0xb1,0x97,0x86,0x06,0x0b,0x1e,0x70,0x07,0x0e, + 0x3e,0xd4,0xd5,0xf6,0xd5,0x61,0x76,0x7c,0x48,0x3d,0x87,0x9d,0x2f,0xec,0x8b,0x9c), + .s = chunk_from_chars( + 0xc3,0x89,0x61,0x37,0x17,0xec,0x74,0x76,0xec,0xda,0x21,0x44,0xd0,0xe8,0xc8,0xf9, + 0xd6,0x6f,0xb4,0x69,0xc1,0x67,0xc4,0x20,0x9e,0xc0,0xbd,0xee,0xbf,0xb4,0x71,0x66, + 0x5d,0x33,0xda,0xd4,0x7b,0x8f,0x3c,0x31,0x9a,0x76,0xfe,0x8a,0x8a,0x9f,0x66,0x2b, + 0x6c,0x69,0x0b,0x74,0x90,0x3d,0x17,0xf6,0x1e,0x23,0x14,0xe5,0xea,0x8d,0x26,0x67, + 0x0e,0xe4,0xdb,0x4d,0xad,0x29,0x5b,0x27,0x7c,0xa0,0x8a,0xde,0x88,0x0d,0xe2,0xe4, + 0x2d,0x12,0xb9,0x29,0x52,0x76,0x4c,0x1d,0xc8,0x08,0xc2,0x66,0xdb,0xbe,0xdb,0x67, + 0x01,0x58,0xee,0xf3,0x6e,0x89,0x6f,0x55,0xa2,0x03,0xfb,0x99,0x55,0x6d,0xed,0x05, + 0x97,0x41,0x0b,0xa3,0x74,0x86,0xb1,0xd8,0x41,0xf3,0xd6,0xd5,0xc0,0xb3,0x9f,0x2f, + 0x49,0xf0,0xc5,0x79,0x48,0x24,0xfb,0xa9,0x4a,0x8e,0xc7,0xc2,0xb2,0xc9,0x1e,0xad, + 0xd5,0xc8,0xcb,0xe4,0x48,0x95,0xfe,0x3b,0xe3,0xbc,0x17,0x27,0xd6,0xfc,0x0e,0x53, + 0x64,0xf5,0x35,0x78,0x63,0x9d,0x3b,0x3a,0xf6,0x96,0xb7,0x50,0xa0,0x78,0x53,0x69, + 0x4f,0xfe,0x14,0x5a,0x28,0xc0,0x36,0x20,0xc7,0x8d,0xd7,0x37,0x7d,0x09,0x4d,0x92, + 0xc3,0xe0,0x95,0x46,0x88,0x3d,0x47,0x03,0xe6,0x2a,0x98,0xdd,0xf8,0x1f,0xd0,0x1f, + 0xcd,0xf3,0xc4,0xb2,0x15,0x22,0x4f,0xe2,0xb1,0xb4,0x99,0x2a,0xbf,0x31,0xf2,0x0d, + 0x12,0xaf,0xa8,0x68,0x20,0x23,0x90,0xde,0x33,0x4a,0x84,0x6b,0x2d,0x58,0xb2,0x53, + 0xea,0x8a,0xb3,0xc5,0x26,0x5d,0x84,0x77,0x3a,0x65,0x9e,0x8b,0xac,0x7a,0xf4,0x41, + 0x23,0xd9,0xea,0x15,0x06,0x2e,0x65,0xd4,0xd4,0x19,0xcf,0x2d,0x97,0x07,0x7d,0x06, + 0x24,0xf8,0xe5,0xc3,0x6f,0x2c,0x7b,0x35,0xcc,0xf9,0x54,0x35,0xd5,0xc3,0x68,0x86, + 0xff,0x91,0x05,0xa6,0xc1,0xea,0x22,0x5e,0x15,0xea,0x8c,0xbc,0x7b,0x6b,0xf6,0x85, + 0x61,0x51,0xcd,0x76,0xfb,0xb7,0x5b,0x5b,0x98,0xf0,0xe3,0xdb,0x51,0x6a,0x8e,0x21, + 0x81,0x89,0xfc,0xb1,0xcd,0x5d,0xe3,0xca,0xfe,0xaa,0x33,0xef,0x13,0x5c,0x5d,0x8b, + 0x8a,0xa5,0xf8,0x81,0xaf,0xaa,0xca,0xf4,0xc0,0x8b,0xd7,0x28,0x12,0x55,0xbc,0x2a, + 0x33,0xb7,0x6d,0x4a,0x36,0xe0,0xb1,0x70,0xc4,0x55,0x88,0x23,0x9e,0x5b,0x38,0xc6, + 0x79,0xb0,0x8c,0xf8,0x02,0xaf,0x73,0xb6,0xd7,0x9b,0x39,0x35,0x94,0x94,0x61,0xe7), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0xab,0x66,0xcc,0x48,0x7e,0xc9,0x51,0xf2,0x11,0x9d,0x6e,0x0f,0xa1,0x7a,0x6d,0x8f, + 0xeb,0x7d,0x07,0x14,0x9b,0xec,0x7d,0xb2,0x07,0x18,0xe4,0xf3,0x1d,0x88,0xc0,0x1f, + 0x9a,0x53,0xd5,0xba,0x7e,0xce,0x3a,0x4d,0xbc,0x67,0xaf,0x6a,0x35,0xd1,0x30,0xea, + 0xe7,0x62,0xcb,0x79,0x62,0xb9,0xae,0x55,0x7c,0xa3,0x84,0x52,0x46,0x40,0x02,0x22, + 0x3f,0x61,0xbc,0xd3,0xc7,0x35,0x3e,0x99,0xd6,0x25,0x58,0xce,0xed,0xfc,0xb9,0x37, + 0x4d,0x4b,0xbf,0x89,0x68,0x0c,0x8e,0x2b,0x95,0x85,0x60,0x3e,0x07,0x6f,0x1c,0xdb, + 0x00,0x58,0x29,0x9b,0x42,0x46,0x84,0x5d,0xc7,0x9d,0x10,0x43,0xb1,0x42,0x2e,0xfe, + 0x84,0x01,0x8e,0x4c,0x93,0x2c,0x45,0xbe,0xb8,0x85,0x1f,0xbf,0x48,0x5e,0x36,0xd2), + .s = chunk_from_chars( + 0xb5,0x13,0x31,0x55,0x2b,0x08,0xbe,0x35,0xa1,0x69,0x8a,0xa6,0x20,0x3d,0x84,0xdb, + 0xff,0xf9,0x00,0x1e,0xd5,0xdd,0x77,0x6f,0x2b,0xe4,0xdd,0xfc,0x07,0xdd,0x46,0x20, + 0xe9,0x65,0x4e,0x82,0xa3,0x34,0x65,0xbd,0x20,0xf1,0x18,0x63,0xc0,0xed,0x02,0xa0, + 0xae,0xa2,0x7a,0x44,0xd4,0x14,0xc3,0x28,0xa9,0x38,0xbf,0x87,0x7e,0x15,0x83,0x8a, + 0xb9,0x9d,0x67,0x0d,0x01,0x41,0x42,0x62,0xe8,0x86,0x5d,0xc1,0xd9,0xfc,0x30,0xfd, + 0x08,0x12,0x69,0x9f,0xa6,0x90,0xc3,0x4f,0x30,0x2f,0x63,0x7e,0xc8,0x02,0xcd,0x40, + 0xac,0x85,0x91,0xe9,0x76,0xc0,0xb8,0xbc,0xcb,0x1b,0x01,0x37,0xaf,0x64,0xa2,0x87, + 0x02,0x10,0xe8,0xfa,0x3d,0xc4,0x31,0xfe,0x09,0x56,0xb8,0xad,0xdf,0xf1,0xe4,0xb1, + 0x8c,0xf0,0x7e,0x07,0x8a,0xa9,0x3a,0xf8,0x1b,0xb3,0x02,0x3c,0x9e,0x59,0x4e,0x66, + 0x59,0x5f,0xd9,0x2b,0x10,0x22,0x6e,0xa1,0x26,0x00,0x5f,0x47,0x24,0x42,0x73,0x52, + 0xc3,0x8e,0x9e,0x85,0xfc,0x2e,0x07,0x23,0xf8,0x0a,0xf1,0xf6,0x15,0x99,0x55,0x0b, + 0x5e,0xf5,0x4c,0x5b,0x38,0xca,0x40,0x57,0x38,0x01,0x7b,0x89,0xcb,0x94,0x68,0xd9, + 0x74,0x1c,0xd6,0xbd,0xf7,0x11,0x21,0x62,0x25,0x1b,0xa1,0xd0,0x83,0xcc,0x37,0x0a, + 0x4a,0x82,0x61,0xc3,0x9b,0x6b,0x94,0xbf,0x21,0xa5,0x3b,0x75,0x64,0x53,0x1a,0xe9, + 0xeb,0xc4,0xcc,0xea,0x7e,0xbb,0x8b,0xd3,0x14,0xb2,0xe1,0x3b,0x58,0xed,0x10,0x18, + 0xae,0x5b,0x41,0x5e,0x0f,0x9e,0x3e,0x19,0xa5,0xea,0xd3,0xa4,0x46,0x03,0xf9,0x06, + 0x74,0xa1,0x90,0xfe,0xbd,0xe2,0x5f,0x8a,0xd8,0x77,0x8a,0xee,0xad,0x4d,0x0f,0x64, + 0xfb,0xae,0x37,0x16,0x6a,0x54,0xe3,0xa7,0x63,0xe3,0x55,0x59,0xbf,0x8c,0x3f,0x17, + 0x3f,0x19,0xff,0x7b,0xab,0x98,0xf3,0xef,0x80,0x3d,0xd5,0x6c,0x07,0x62,0x83,0x99, + 0xaf,0xf8,0x74,0x85,0xee,0x73,0xdb,0xc3,0xdb,0x34,0xec,0xc7,0xbf,0xf3,0xa5,0x32, + 0x26,0xcf,0x87,0xbc,0x81,0xd2,0x56,0xe8,0x0c,0x09,0x52,0x0c,0x8f,0x38,0xe9,0xbc, + 0xda,0x09,0x5e,0x36,0x35,0x12,0x8e,0x1b,0xed,0xd9,0x97,0x06,0x00,0x54,0x6a,0x75, + 0x1e,0xb1,0x1d,0xab,0x42,0xe2,0x89,0xd6,0xfd,0xfe,0xa0,0x4b,0xd5,0x8d,0x45,0x71, + 0xa7,0x9d,0x24,0xbc,0xe4,0x50,0x8c,0x54,0xe1,0xec,0x4c,0xf7,0x5b,0x98,0x5f,0xd3), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0xfe,0xf7,0xfe,0x89,0xb9,0xa5,0x99,0x02,0xa7,0x0a,0x1d,0x9c,0xaa,0xd0,0x9c,0xed, + 0x8b,0xee,0x41,0x45,0xed,0xcb,0xe3,0xef,0x7f,0xa6,0xda,0xb3,0x76,0x35,0x12,0x9f, + 0x3b,0x8c,0x5e,0x08,0x60,0x41,0x0e,0xcb,0xd9,0xce,0xc3,0xd8,0x69,0x36,0x82,0xf2, + 0x5a,0xec,0x08,0xb0,0x71,0xf0,0x5d,0xc8,0x21,0x3b,0xac,0x8c,0xff,0x5d,0x52,0xb5, + 0x76,0x65,0x35,0x60,0xbc,0x01,0x57,0x56,0x04,0xe6,0xab,0x90,0xf6,0x72,0x27,0xfb, + 0x5c,0x90,0x1a,0x78,0x1e,0xdd,0xc0,0x27,0x70,0x09,0x13,0xe5,0x4a,0x7f,0xe5,0x13, + 0x18,0x48,0x2c,0x9a,0xb4,0x2c,0x9d,0x2b,0x91,0x1b,0x7c,0xcc,0x39,0xcc,0xb2,0x90, + 0xf9,0xa4,0x20,0xa5,0xda,0xd9,0x33,0x94,0xd4,0xd7,0xb8,0xc5,0x3f,0xe3,0xf2,0x42), + .s = chunk_from_chars( + 0x45,0x06,0x8c,0xa6,0xd8,0x2f,0x2c,0x12,0x39,0x25,0xcd,0xe1,0x19,0x71,0x21,0x5d, + 0x8f,0xa4,0xa4,0xdf,0x68,0x48,0xbb,0x76,0x54,0x86,0x87,0x00,0x97,0x87,0x64,0x85, + 0x46,0x38,0x92,0x1b,0xea,0x58,0x69,0x28,0x0d,0xc6,0xad,0x95,0x81,0xab,0x43,0xff, + 0x70,0x12,0x96,0x99,0x48,0xa5,0x67,0x7f,0xa0,0xa6,0x61,0x36,0xa3,0x16,0xa4,0xbf, + 0xec,0xb8,0x9a,0xdf,0x41,0x31,0xb5,0xbe,0xdf,0x3d,0x46,0x93,0xb7,0x80,0xd1,0x33, + 0xaf,0x9b,0xf9,0xc1,0x33,0x30,0x5b,0xe7,0x83,0x74,0xaf,0xda,0x3b,0xa3,0x85,0x42, + 0x03,0x32,0x44,0x81,0xa9,0xd1,0x0b,0x9c,0xa9,0xb9,0x2d,0xc7,0xd7,0x4d,0xf5,0x31, + 0x87,0x2d,0xdf,0xc7,0x6c,0xaa,0x82,0xde,0x02,0x0e,0x2c,0x41,0x56,0x43,0xcb,0xcc, + 0x42,0x80,0xe6,0xd2,0xf4,0x37,0x1f,0xda,0x7d,0x92,0x49,0x31,0x4a,0x8f,0x43,0x76, + 0x48,0x99,0x1a,0x9b,0x03,0xd7,0x1b,0x58,0x39,0xad,0x38,0xa1,0x55,0x5a,0xd3,0x45, + 0x26,0x99,0x4b,0xa5,0x68,0x70,0xb6,0xea,0x18,0x01,0x12,0x95,0xf2,0xca,0x2b,0x07, + 0x13,0xb2,0xe9,0x2a,0xd7,0x76,0x80,0xc0,0xdc,0x5b,0xed,0x8d,0x3b,0x9b,0x31,0xac, + 0x14,0xdf,0x76,0x99,0x49,0xc4,0xa4,0x3e,0xa6,0x7f,0x6d,0xee,0xb3,0xdc,0x9e,0xd5, + 0x89,0xea,0x4e,0x8a,0x2c,0xf6,0x69,0x5d,0xf4,0x6f,0x94,0x6f,0x14,0x67,0xb2,0x8e, + 0x87,0x54,0x77,0xae,0x4e,0x64,0x50,0x80,0xfa,0xfd,0xa6,0xdd,0x55,0x1d,0x2c,0x02, + 0xfd,0x6b,0x2b,0x19,0x4f,0xc0,0xbd,0xb0,0x50,0xe0,0x6d,0x4c,0x78,0x41,0x05,0xf5, + 0xa3,0x3b,0x53,0xe7,0x30,0x98,0x05,0x59,0x63,0x07,0x1e,0xfc,0x1b,0xf3,0x97,0xfd, + 0x32,0x5f,0x3a,0x6f,0x4e,0x10,0xd7,0x6f,0x04,0x11,0xa0,0x01,0xe6,0x2e,0xc7,0x37, + 0x29,0x01,0x83,0x16,0xf5,0x63,0x10,0xf8,0x93,0xa5,0x93,0x63,0xd1,0xf6,0xfe,0x5c, + 0x17,0x44,0x4b,0x6c,0x72,0x8a,0x49,0x33,0xb7,0x52,0x12,0xfd,0xfa,0x25,0x8e,0x40, + 0x18,0xb7,0x76,0x39,0x51,0xab,0x4e,0x50,0x96,0x41,0x1d,0xf9,0xe5,0xbc,0x16,0xdf, + 0x38,0x96,0xe4,0x6c,0x97,0x3d,0x32,0xac,0x92,0x76,0xa4,0xe2,0xb5,0xb8,0x0e,0x3d, + 0x8d,0x79,0x8d,0xc0,0x47,0x0b,0x45,0x09,0x6b,0x4d,0x73,0x86,0x69,0xce,0x05,0x2e, + 0xd8,0x18,0xe5,0x60,0xaf,0x1e,0x92,0xc9,0x15,0x18,0x7d,0x66,0xcc,0x30,0x8b,0x70), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x82,0xb3,0x84,0x0e,0xeb,0x95,0xc9,0xc5,0x77,0x24,0xc7,0x0f,0x11,0x2b,0x6c,0x2d, + 0xc6,0x17,0xc3,0x17,0x85,0xac,0xd0,0xc8,0x23,0xf8,0xbc,0xdd,0xa2,0x85,0x32,0x5e, + 0xb3,0xd3,0x08,0xdc,0x79,0x05,0x22,0xbc,0x90,0xdb,0x93,0xd2,0x4e,0xe0,0x06,0x32, + 0x49,0xe5,0x5d,0x42,0x19,0xad,0x97,0x14,0x5f,0xea,0xf7,0xf3,0x06,0x68,0x62,0x3c, + 0xc8,0x89,0x0a,0x70,0xf4,0xf1,0x49,0x86,0x6f,0x82,0xcf,0x86,0xf9,0x8b,0x00,0x53, + 0xb2,0x3c,0x98,0xc8,0xdd,0x5e,0x91,0x07,0xe3,0x41,0x46,0x0e,0x9b,0xf5,0xd8,0x8c, + 0xc8,0xbc,0xd1,0xf2,0xe4,0xc0,0x07,0xcc,0x1c,0x02,0xc4,0x52,0x9b,0x93,0x23,0x3a, + 0x0b,0x06,0xbd,0xd1,0x59,0x25,0x85,0x4a,0xb9,0xe3,0xf1,0x56,0xeb,0x92,0x5b,0xf5), + .s = chunk_from_chars( + 0x05,0x93,0xb9,0xfd,0x44,0x21,0x45,0x23,0x76,0xd2,0x7b,0xc7,0xa2,0x80,0x10,0x1c, + 0xfd,0x6e,0x88,0xa6,0x72,0x7d,0x7d,0x77,0xcf,0x65,0xce,0xb7,0x23,0xec,0xd2,0x57, + 0xf3,0x2f,0xe1,0x02,0x77,0xe8,0x57,0x98,0xe0,0xda,0x75,0x91,0x77,0x36,0xda,0x1a, + 0x3b,0xfc,0x22,0xad,0xc7,0x65,0x8f,0xbb,0x84,0xda,0x6e,0xbe,0xa0,0xb0,0x7d,0x1c, + 0xc4,0x05,0x73,0x2f,0xb0,0x40,0xb5,0x85,0xc1,0xb6,0x3c,0x80,0x34,0x06,0x9b,0xff, + 0xb8,0x22,0x06,0x56,0xf1,0xac,0x54,0xce,0x69,0x37,0x20,0xd6,0xfb,0x1b,0x5a,0xec, + 0x67,0xb0,0x3c,0x88,0x7c,0x80,0x77,0xda,0x14,0x8d,0x10,0xf4,0x8a,0xf7,0xc0,0x28, + 0xf9,0x92,0xb1,0x8f,0x13,0xc0,0xe5,0x75,0x30,0xc0,0x86,0xd7,0x75,0x48,0x3d,0xa5, + 0xf6,0x6f,0x3a,0x6a,0x19,0x18,0x78,0x68,0x34,0x0a,0xc6,0x3c,0x62,0x12,0xbc,0xbd, + 0x6c,0xbb,0x7b,0xed,0xa8,0x62,0x0a,0xfd,0x9b,0x66,0xde,0x47,0x47,0x3e,0xf2,0x4d, + 0x1b,0x6a,0x36,0xf4,0xec,0xe9,0xad,0xd4,0x95,0x14,0xfd,0xf1,0xd8,0x4c,0x7a,0x78, + 0x5b,0x7f,0x0e,0x00,0xf3,0x82,0x23,0x58,0x99,0x79,0x0f,0x47,0x2d,0x13,0xf4,0x85, + 0x58,0xa4,0x31,0x47,0x42,0xf3,0x76,0x80,0x8d,0xec,0x96,0xed,0xd2,0xe2,0x29,0xe9, + 0x43,0xf7,0xb9,0x83,0xbe,0xa5,0xec,0x6e,0xdf,0xa5,0xe9,0xbb,0x37,0xf5,0x88,0xe5, + 0x5e,0xf6,0x2e,0xbc,0x92,0x14,0xbe,0xaf,0x9d,0xa5,0x02,0x43,0x4e,0x10,0x88,0xdf, + 0x27,0x2c,0x6c,0x77,0xc1,0xe1,0xd8,0x97,0xc4,0x7b,0xea,0xb7,0x7e,0x3b,0xbe,0x31, + 0x7f,0x8d,0x43,0xd2,0x1f,0xd7,0xe9,0x43,0x37,0xc7,0xe2,0x63,0xe2,0x86,0x7b,0xf5, + 0x80,0xa2,0xa8,0xec,0xb9,0xe3,0x6a,0xb7,0xd3,0xe1,0xd5,0xcf,0x9a,0x23,0x23,0x09, + 0x53,0xd5,0x9d,0xf0,0xd7,0xe2,0x35,0x58,0xfb,0x61,0x2b,0x79,0x18,0xab,0xba,0x31, + 0xb1,0x64,0xce,0x17,0x88,0x18,0xa1,0xa9,0xe6,0xb6,0x68,0x7f,0x4d,0xe6,0x85,0xd7, + 0x0e,0x16,0xbe,0xf6,0xe1,0x92,0xfa,0xed,0xfe,0x0b,0x2b,0x95,0x47,0x7d,0x37,0xb0, + 0xa3,0xa2,0xd0,0x02,0xf3,0x3e,0xf4,0x32,0x1c,0xb9,0x05,0x04,0x0c,0xe0,0x6f,0xda, + 0x1c,0x98,0xa0,0x08,0x76,0x7f,0xbc,0x78,0x1a,0x1e,0xaf,0x33,0x75,0xda,0xb8,0x66, + 0x4b,0x59,0x03,0x36,0xb9,0x9e,0x15,0x7b,0x86,0x87,0xa6,0x60,0x2f,0xef,0x6a,0x3b), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0xe1,0x53,0xcc,0xa4,0x43,0x1e,0xd9,0x71,0x3f,0x47,0x44,0xba,0x05,0x4f,0x5f,0x19, + 0x1c,0xb3,0x7b,0x28,0x01,0x08,0xae,0x3a,0x11,0x4a,0xd3,0x49,0xa8,0x72,0xd1,0x30, + 0x8b,0x46,0x21,0x1a,0x83,0x75,0x8a,0x3b,0x4b,0xe3,0x2f,0xbe,0xac,0x42,0xcc,0xfe, + 0xe7,0xe2,0x3d,0xf8,0x53,0xca,0x40,0x01,0x47,0x07,0x7b,0xb4,0x3a,0x44,0xc1,0x2f, + 0x29,0x9b,0x91,0x7f,0x3a,0xab,0xdf,0x58,0x9e,0xeb,0x17,0x09,0xbb,0x3d,0x60,0xb0, + 0x8b,0xc7,0x1e,0xaa,0x3f,0xfe,0xba,0x4e,0x29,0x03,0xa5,0xdb,0xd8,0x33,0x9a,0xae, + 0x85,0xfa,0x24,0xb9,0xae,0xe7,0x61,0x30,0x00,0x06,0x05,0x85,0x7a,0x6a,0xa1,0x97, + 0xd0,0x09,0x26,0x27,0x0d,0xcd,0xa5,0x8b,0x7d,0xe7,0x58,0xa6,0xca,0x67,0xe6,0x17), + .s = chunk_from_chars( + 0xa8,0x35,0xcd,0x41,0x46,0xbe,0xf4,0x65,0x64,0x2d,0x49,0x49,0x36,0x26,0x8a,0x31, + 0x1a,0x54,0x90,0xd2,0xc9,0xf9,0x16,0x6c,0x6c,0xe9,0x82,0x16,0xa9,0xa2,0x3a,0x64, + 0x35,0x97,0x30,0x0a,0x00,0x50,0xe6,0x44,0x5a,0xbd,0x5a,0x9b,0xfc,0x7a,0x2d,0x9b, + 0x70,0x72,0x6c,0x82,0x4c,0x38,0x3b,0xf5,0xac,0xad,0xdd,0xdc,0x34,0xd4,0x34,0xa3, + 0x1e,0x53,0x14,0xd2,0x5f,0xb5,0x8e,0x25,0x8f,0x51,0x88,0x66,0xc1,0x36,0xe5,0x28, + 0x55,0xc1,0x6f,0xe6,0x4f,0xf8,0xf1,0xc4,0xd6,0x6c,0x4e,0x9e,0x39,0xb8,0xcb,0x11, + 0x96,0xd8,0x09,0x44,0xd0,0x74,0x6c,0x0a,0x3e,0x17,0x69,0xcd,0x41,0x67,0xdf,0x72, + 0xab,0x5e,0x4c,0x9d,0xba,0xe9,0xcb,0x35,0xf4,0x82,0x8e,0x12,0x09,0x9f,0x9b,0x36, + 0xa5,0xa7,0x0c,0x48,0xd4,0xae,0xc9,0x87,0x2d,0x7b,0x19,0xe1,0x29,0x1b,0x33,0xcb, + 0xdf,0x08,0xa2,0x26,0x3d,0x50,0x0c,0x0a,0x83,0xb5,0x23,0x7e,0xf6,0xce,0x92,0xde, + 0x34,0x4b,0x3b,0x41,0xd0,0xd0,0x74,0x04,0xfc,0xd5,0x46,0x7b,0x04,0x6b,0x52,0xb8, + 0xf8,0x5f,0xc6,0xb5,0xd7,0xaf,0xc4,0x37,0xf1,0xee,0x9e,0x78,0x39,0x0c,0xa9,0xbb, + 0x6c,0xec,0x61,0x88,0x85,0xec,0xe2,0x97,0x58,0xf2,0xfd,0x6f,0x4e,0x5f,0x4f,0x89, + 0x69,0x35,0xde,0x5f,0x67,0xcc,0x04,0x05,0x5a,0x4c,0x4c,0x0f,0xba,0x5d,0xef,0x8d, + 0x2c,0xaa,0x17,0x93,0x31,0xa8,0x55,0x01,0xed,0x25,0x82,0x2a,0xe7,0x9d,0xa9,0xbc, + 0x81,0x5c,0xc3,0x9c,0x6a,0x97,0x92,0x11,0x08,0x3e,0x86,0x83,0x13,0x6c,0x94,0x2e, + 0x1e,0x17,0xe9,0xeb,0x8f,0x84,0xaa,0xcf,0x09,0x1a,0xa1,0xe5,0x16,0x65,0xfa,0xe4, + 0x46,0xbc,0x48,0xc3,0x04,0xaf,0x65,0x39,0x1f,0x27,0x9a,0xfb,0x98,0xb9,0x2e,0x04, + 0xc2,0xb7,0x3d,0x9d,0x94,0xe9,0x91,0x19,0x8f,0xe7,0x78,0x1f,0x0f,0x96,0x96,0xfc, + 0xba,0x2c,0x03,0x48,0x5f,0x76,0xe6,0xde,0x30,0xb9,0x53,0x5c,0xf3,0x90,0x3d,0xb2, + 0xf3,0xaf,0xa8,0x51,0xa4,0x7b,0xcd,0xe7,0x2d,0x4e,0xd2,0xe8,0xfa,0xbf,0x9b,0xb7, + 0xd4,0x69,0x6c,0xb4,0xab,0x8c,0x28,0x9b,0x0c,0x21,0xe1,0xf9,0x79,0xeb,0xc5,0x32, + 0xe2,0x80,0xcd,0x90,0x10,0xdf,0x4e,0xe7,0x2f,0x84,0xbb,0x9e,0x82,0x75,0x28,0x28, + 0xf1,0x67,0x03,0x0c,0x0f,0xe3,0x48,0xeb,0xc3,0x1e,0xc1,0x7b,0x8f,0x07,0xd9,0x4b), + },{ + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x9c,0x63,0x89,0x9d,0xfc,0x7b,0xdc,0x0d,0xb3,0x84,0x72,0x72,0x44,0xca,0xf7,0x1e, + 0xcf,0xb9,0xb8,0x79,0x2b,0x9f,0x57,0xe9,0x36,0xb3,0xc2,0xf5,0x69,0x55,0x65,0xa9, + 0xb0,0x97,0x9f,0x3c,0x78,0xfd,0x73,0xf0,0x09,0x81,0x81,0x3a,0x16,0xda,0x34,0x23, + 0x92,0xfe,0x3c,0xee,0xc6,0xe6,0x3f,0xfb,0xa1,0x91,0xcb,0xeb,0x4f,0x4b,0x90,0x05, + 0x0d,0x2f,0xcc,0xd8,0x3b,0xeb,0x06,0x22,0xb2,0xc3,0xff,0xf1,0x59,0xd9,0xe6,0x08, + 0xf3,0xab,0xcb,0x84,0x3b,0xdd,0x56,0xc0,0x33,0x39,0xb9,0x75,0xb9,0xf4,0xe3,0x26, + 0x5b,0x32,0xf6,0xbb,0x6c,0xcd,0xfc,0x6c,0x57,0x52,0xd6,0xe0,0x34,0x4d,0x74,0x96, + 0x99,0xc7,0x4c,0x85,0xb3,0x0c,0x04,0xff,0x95,0xb2,0x72,0xdb,0xcf,0xd6,0xc7,0xd3), + .s = chunk_from_chars( + 0x4d,0x38,0xa2,0x97,0x30,0x2a,0xd0,0x77,0x0d,0x97,0x29,0xce,0x5b,0x72,0x12,0xee, + 0xf2,0x87,0xce,0x02,0x50,0xf4,0x03,0xe3,0x2b,0x4a,0xcc,0x36,0x17,0xdc,0x0d,0x2e, + 0xdc,0xcc,0xc2,0xd5,0x80,0xdd,0xbd,0xbc,0xa5,0x72,0x2b,0x70,0x70,0x40,0x58,0xa3, + 0xb8,0x07,0xf5,0x92,0xe4,0x00,0xbd,0x56,0x3f,0xca,0xa8,0xb0,0x66,0xa6,0x14,0xb4, + 0x90,0x6f,0x14,0x33,0x96,0x8e,0xd2,0xf5,0x20,0xa2,0xf6,0xb0,0x34,0xd4,0xb2,0xd6, + 0x89,0x0a,0x24,0x1a,0xfd,0x1a,0xdb,0x86,0x39,0xa6,0xca,0xd9,0xdb,0xfd,0x2e,0x27, + 0x8d,0xfe,0xbf,0x79,0x74,0x0d,0x75,0xf2,0x95,0x75,0x9d,0x29,0x13,0x0b,0x19,0xab, + 0x19,0x98,0x3d,0xd6,0x8f,0x77,0x9d,0xe4,0x1f,0xfe,0xfd,0x4e,0x82,0xb5,0xe6,0x2f, + 0x72,0xf9,0x0e,0xfb,0x73,0x43,0x7f,0x08,0xa2,0x50,0x3d,0xd9,0x81,0x9d,0xae,0x20, + 0xba,0x97,0x06,0xc1,0x99,0xde,0x9c,0xf8,0x84,0x43,0x3e,0xeb,0x75,0x62,0x86,0xa8, + 0x5e,0xae,0x14,0xbf,0x9f,0x6d,0xbe,0xb7,0x05,0x46,0x1d,0x91,0x82,0x22,0x82,0xf1, + 0x8e,0xfb,0xb1,0x05,0x89,0xa5,0x78,0xf2,0xc9,0xc3,0x45,0xb0,0x79,0xa7,0xe9,0xdd, + 0x07,0xfd,0x4b,0x34,0x05,0x1b,0x27,0x11,0x97,0x29,0x90,0x6c,0x77,0xdf,0xb7,0xd2, + 0xf8,0xfa,0x6b,0xdd,0x5f,0xaa,0x1e,0x13,0x2b,0xfb,0xa9,0xd3,0x91,0xe6,0x63,0x95, + 0xe6,0x7f,0x01,0x35,0x3f,0xa2,0x75,0xea,0xce,0x8b,0x53,0xaa,0x91,0xcb,0x6f,0xb6, + 0x93,0xe1,0x91,0x91,0xd4,0x2a,0x4c,0x1a,0x85,0xa0,0xc5,0x04,0xb1,0xc8,0x5f,0x49, + 0xa4,0xd6,0x09,0x36,0xde,0xe4,0x64,0x6a,0xca,0x62,0xa9,0x4a,0xa4,0xbc,0x78,0x28, + 0xc1,0xff,0xaf,0xde,0x8b,0xe6,0x56,0x31,0x7d,0x50,0x6a,0xbe,0xc1,0x79,0xcc,0x90, + 0x19,0x1d,0x12,0x35,0x6f,0xf5,0x06,0x44,0xd3,0xe0,0x1a,0xa5,0xbc,0xfd,0xd7,0x1d, + 0x3c,0x82,0x8d,0xc3,0x53,0x9d,0xc0,0xcf,0x3f,0xe8,0xb9,0xb9,0x1e,0x0c,0x25,0x24, + 0xf6,0xa3,0x71,0x03,0x79,0xc9,0x0a,0xff,0xd0,0xd0,0xa5,0x0d,0x74,0x38,0x7f,0x9c, + 0xa8,0x8b,0x46,0x46,0x3e,0xf1,0xbd,0xba,0x58,0xcc,0x9a,0x36,0xe5,0xc2,0xc4,0x35, + 0xa2,0x0d,0x96,0x83,0x50,0xd1,0x5d,0x94,0x1c,0x32,0x12,0xcd,0xce,0x81,0x55,0x92, + 0xb3,0x10,0xd2,0x59,0x86,0x0d,0xe1,0xdc,0x1a,0x3d,0x70,0xac,0x22,0x30,0x2a,0x51), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x04,0x84,0x6c,0x2e,0x67,0x6a,0xc7,0x31,0x60,0xbf,0x4e,0x45,0x65,0x2b,0xdc,0x6c, + 0xc4,0xd4,0xc9,0x28,0x45,0x77,0xb4,0x32,0x0a,0xb7,0x7f,0x6e,0xbb,0xb5,0x9a,0x1f, + 0xe0,0xe0,0x85,0x58,0x8e,0x0f,0x90,0xb3,0x46,0xcd,0xe6,0x44,0x1a,0xf3,0xc9,0xd0, + 0x11,0x7d,0x1f,0x3b,0xcd,0x96,0x2e,0x40,0x6b,0xf5,0xa4,0x65,0xab,0x6c,0xda,0x2d, + 0x51,0xbe,0x59,0x8f,0xcb,0xb2,0x9e,0xa7,0x13,0x65,0x1a,0xac,0xd7,0xe4,0x7d,0x22, + 0xd8,0xfa,0x34,0x50,0x90,0x47,0x30,0xf5,0x17,0x92,0xea,0x37,0x47,0x61,0xa4,0xdc, + 0x1f,0xc6,0xf1,0xbc,0x65,0x7b,0x77,0x76,0x8f,0x31,0xf4,0x63,0xe4,0x26,0x7f,0xc8, + 0xdf,0xf6,0x11,0x50,0xd4,0xb3,0x43,0xb9,0xd5,0x37,0x59,0xcd,0xd7,0xb9,0x80,0x94), + .s = chunk_from_chars( + 0x10,0x3b,0xee,0x57,0xe2,0x5b,0xe8,0xc3,0xa2,0xf7,0x74,0xe7,0x39,0xb4,0x7f,0x93, + 0x43,0x5e,0x41,0x49,0x32,0xc0,0x49,0x4b,0x6b,0x6a,0xa2,0x47,0x5b,0xf7,0xc9,0x30, + 0x5c,0x73,0x74,0x7e,0x0a,0xdf,0x82,0xc2,0x03,0x20,0x07,0xb3,0xf7,0x5a,0x69,0xc9, + 0x31,0x12,0x61,0x7a,0x62,0x56,0x6c,0x5a,0x2d,0xea,0xa2,0x5f,0xb9,0x52,0x09,0xda, + 0x49,0xfe,0x9c,0x16,0x1c,0xb2,0xff,0xa4,0x0f,0xd9,0xd7,0x7f,0x1f,0xf6,0x60,0xc8, + 0xb6,0xcd,0x3b,0x54,0xe3,0xe7,0x9a,0x75,0x9c,0x57,0xc5,0x71,0x98,0x02,0xc9,0x31, + 0x1d,0xb7,0x04,0xba,0x3c,0x67,0xb4,0xa3,0x11,0x37,0x54,0xa4,0x1b,0x8d,0xa5,0x9c, + 0x64,0x5b,0xe3,0x90,0x9e,0x7d,0xb7,0xe7,0xcf,0x72,0x94,0xda,0xb4,0x4f,0x74,0x24, + 0x0f,0x81,0xa2,0x81,0xee,0xcd,0x6e,0xf3,0x1c,0x7c,0xf1,0x8b,0x1a,0x19,0xc7,0xd0, + 0x2a,0x31,0x2b,0x91,0xd6,0xed,0xfa,0xa9,0x54,0x46,0x2d,0x34,0x74,0x0a,0xf5,0xab, + 0x70,0x8d,0xb5,0xa1,0x0b,0x00,0xc5,0x42,0xbe,0x82,0xfa,0x2b,0x20,0x26,0xb0,0x9e, + 0xf3,0x8a,0x40,0x01,0x45,0x7e,0x27,0xa6,0x02,0x37,0x70,0xe4,0xb4,0xd5,0x00,0x32, + 0x67,0xc8,0x5c,0x9e,0xea,0x1d,0x5f,0x8d,0x77,0x0b,0xd4,0x0b,0x55,0x4d,0x5b,0x4d, + 0xaf,0x14,0x6d,0xcc,0xab,0xac,0x3e,0xa8,0xa1,0x3a,0x05,0xc3,0xbd,0xdf,0xc9,0x71, + 0xc5,0x15,0x8f,0xac,0x02,0x7c,0xa1,0x9b,0x72,0x32,0x62,0x1e,0x9d,0x2e,0x37,0xb6, + 0xa6,0x55,0xaf,0x54,0x5e,0x44,0xa2,0x98,0xbe,0x78,0xcd,0x47,0x5c,0x22,0xa4,0x8b, + 0xff,0x7c,0x34,0x94,0xa5,0xf8,0xa6,0xab,0xdf,0x1a,0x46,0xf9,0xde,0x08,0x2e,0x37, + 0x4f,0xd5,0x98,0x86,0x7d,0x61,0xe4,0xd5,0x1d,0xae,0xd8,0x41,0x52,0xe4,0x3c,0xc6, + 0xa2,0xaf,0xfa,0xe2,0x05,0xed,0xc5,0x26,0x13,0x48,0x0d,0x41,0x1a,0xba,0x84,0xfc, + 0xc9,0xb6,0x9d,0x1c,0x28,0xf1,0x6f,0x76,0x83,0x69,0x01,0xa7,0xc5,0xb3,0xeb,0x2f, + 0x2c,0x94,0x0d,0x0a,0x3f,0xad,0x38,0xa8,0xef,0xab,0x96,0x8a,0x0c,0x85,0xeb,0x22, + 0xe1,0x1d,0x3d,0x08,0x61,0x13,0x6c,0xed,0x5f,0x06,0x73,0x4f,0xdf,0x8d,0x4f,0x15, + 0x1d,0x23,0x86,0x1b,0x1c,0xba,0x9b,0x9c,0x58,0x0d,0x33,0x50,0xc7,0x6d,0x4d,0xc8, + 0x08,0x46,0x1d,0x5f,0x87,0x2e,0xc5,0x48,0xb2,0xb4,0x27,0xdf,0xf7,0x4b,0x1d,0x1a), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0xdb,0x6c,0x9d,0x4b,0xad,0xb1,0xd9,0xb7,0x4d,0x68,0x34,0x64,0x48,0xb4,0xd5,0x34, + 0x06,0x31,0x78,0x3b,0x5a,0x35,0xac,0x24,0x58,0x56,0x3e,0xd0,0x67,0x2c,0xf5,0x41, + 0x97,0x58,0x7f,0xb7,0x34,0xc4,0xac,0x18,0x9b,0x2d,0xda,0x95,0x4c,0xdf,0xb1,0x8b, + 0x41,0xc0,0x10,0xa7,0x7e,0x90,0x46,0x4e,0xea,0x6f,0x86,0x3c,0x5d,0xa0,0x95,0x6b, + 0xfa,0x8c,0xc6,0x36,0xbf,0x0a,0x28,0xbe,0x5a,0xdd,0xfe,0x8d,0x3e,0x7e,0x6f,0x79, + 0xf7,0x1d,0x7f,0xcb,0xba,0xe2,0x3e,0xa1,0x41,0x78,0x3f,0x91,0xd6,0xcc,0x4c,0x8f, + 0xad,0x12,0x58,0x11,0x76,0x0a,0xb5,0x71,0x33,0x81,0x88,0x92,0x47,0x1a,0x79,0xc6, + 0xd0,0x4e,0xaf,0xef,0x37,0xb2,0xfb,0xe5,0x06,0x78,0x53,0x18,0xf9,0x39,0x83,0x77), + .s = chunk_from_chars( + 0xd4,0x80,0xd5,0xa9,0x79,0xad,0x1a,0x0c,0x4c,0xa3,0x29,0xeb,0xd8,0x8a,0x4a,0xa6, + 0x94,0x8a,0x8c,0xf6,0x6a,0x3c,0x0b,0xfe,0xe2,0x25,0x44,0x09,0xc5,0x30,0x54,0xd6, + 0xff,0xf5,0x9f,0x72,0xa4,0x6f,0x02,0xc6,0x68,0x14,0x6a,0x14,0x4f,0x8f,0x2b,0xa7, + 0xc4,0xe6,0xb4,0xde,0x31,0x40,0x0e,0xba,0x00,0xae,0x3e,0xe8,0x75,0x89,0xdc,0xb6, + 0xea,0x13,0x9e,0x70,0xf7,0x70,0x4f,0x69,0x1b,0xc3,0x7d,0x72,0x2f,0x62,0xbb,0x3b, + 0x2c,0xd3,0x03,0xa3,0x4d,0x92,0xfd,0xe4,0xde,0xb5,0x4a,0x64,0xdd,0x39,0x18,0x43, + 0x82,0xd5,0x9c,0xca,0xf0,0xc0,0x7a,0x7e,0xa4,0x10,0x7d,0x08,0x08,0x26,0x0e,0xd8, + 0xd4,0x21,0xcb,0x8b,0x14,0x07,0xcd,0xf9,0xe9,0x15,0x15,0x92,0x82,0xb9,0xf7,0xbf, + 0xfd,0xbf,0x40,0xd8,0x77,0x88,0x5d,0xa7,0x39,0x9e,0xde,0xbd,0x30,0x0a,0x7e,0x77, + 0xa9,0x08,0xf7,0x56,0x65,0x9a,0x18,0x24,0xf9,0x5c,0x8a,0x81,0x2a,0xa5,0x40,0xeb, + 0xaa,0x64,0xab,0x54,0xa2,0x33,0x72,0x3d,0xb5,0x5c,0xaa,0x8b,0x44,0x66,0xea,0x9a, + 0xe6,0x61,0x4a,0xd1,0xbb,0x86,0x9e,0x9d,0x8e,0x0d,0x03,0x2f,0x39,0x01,0x67,0x1e, + 0x94,0xc0,0xb6,0x73,0xbe,0x65,0x37,0xcd,0x54,0x27,0x8e,0xd3,0xda,0x2e,0x1e,0xdb, + 0xc0,0x4e,0xe3,0xa9,0xe8,0x07,0x0d,0x73,0xba,0x0f,0xfb,0x93,0xe6,0x0f,0x30,0xb8, + 0x7f,0xf3,0x86,0x2e,0x9c,0x53,0x90,0x8f,0x2c,0x8e,0x99,0x91,0x56,0x68,0xc1,0xf4, + 0x66,0x35,0xe0,0x5b,0xf7,0x16,0x30,0x51,0xff,0x9d,0x92,0xbc,0x71,0xa6,0x26,0x55, + 0x3c,0x69,0xdf,0xdd,0x06,0xa4,0x9f,0x7f,0xf1,0xed,0x51,0xe9,0x18,0xf3,0xed,0x80, + 0x1d,0xae,0x62,0xca,0x27,0x6d,0x70,0x63,0xd7,0x2a,0x6e,0xbc,0x13,0x6b,0xa0,0x6c, + 0xfe,0xdf,0x5a,0xa2,0x32,0x77,0xe8,0x10,0x08,0xc6,0x3b,0x2e,0x00,0x83,0xd0,0xfd, + 0x68,0x14,0xf6,0xd4,0xb4,0xb4,0x0a,0x42,0xe8,0xc0,0x20,0x6f,0x3c,0x35,0x6a,0x5e, + 0xc7,0x09,0xb7,0xc8,0xa4,0xb7,0x4b,0x7b,0x48,0xd5,0x3c,0x9d,0x86,0x94,0xd2,0x73, + 0x59,0xc2,0xc7,0x70,0x19,0x38,0xd2,0xf0,0x16,0x17,0x21,0xa5,0x73,0x13,0xbb,0x1a, + 0x2e,0x11,0xda,0x21,0x58,0x72,0x49,0x81,0x82,0x49,0x3d,0x85,0x17,0x04,0x3b,0x4c, + 0x03,0xf9,0x34,0x46,0xaa,0xc9,0x38,0x30,0x27,0x65,0x42,0x02,0x6c,0xe8,0x30,0x55), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0xd5,0xdd,0x3b,0x6c,0xe9,0x77,0x2d,0x9a,0x97,0xfe,0x21,0x64,0x84,0x97,0x78,0x3b, + 0xac,0x5b,0xb5,0x25,0x4a,0xad,0x82,0xb6,0xf7,0xcb,0xf4,0x3b,0x15,0xa4,0x0f,0x38, + 0x6e,0xea,0x8d,0x15,0x19,0x67,0xdb,0x14,0x9e,0x94,0x65,0x86,0x59,0x68,0x13,0x3f, + 0x24,0x6e,0x13,0x47,0x30,0x1a,0xda,0xd2,0x34,0x5d,0x65,0x72,0xca,0x77,0xc5,0x8c, + 0x15,0x0d,0xda,0x09,0xa8,0x7b,0x5f,0x4d,0xa3,0x6b,0x26,0x6d,0x1f,0xa7,0xa5,0x9c, + 0xcd,0x2b,0xb2,0xe7,0xd9,0x7f,0x8b,0x23,0x15,0x43,0x19,0x23,0x53,0x0b,0x76,0x2e, + 0x12,0x6e,0xac,0xaf,0x5e,0x5a,0xc0,0x2f,0xf1,0xaa,0xef,0x81,0x9e,0xfb,0x37,0x3c, + 0xf0,0xbb,0x19,0x6f,0x0e,0x82,0x9e,0x8f,0xe1,0xa6,0x98,0xb4,0x79,0x0a,0x2a,0x05), + .s = chunk_from_chars( + 0xbf,0x9e,0x8b,0x4f,0x2a,0xe5,0x13,0xf7,0x3d,0x78,0x89,0x58,0x00,0x37,0x33,0xdb, + 0xe2,0x09,0x57,0xb1,0x47,0xb1,0x7c,0x3f,0x4f,0xd6,0xd0,0x24,0xe8,0xe8,0x3f,0x07, + 0xb6,0x5d,0x9f,0x3d,0xbc,0x3b,0x1f,0xe8,0x4d,0xa0,0x21,0xce,0xab,0xfc,0xcd,0x8c, + 0x57,0xa0,0x14,0xfb,0xe5,0xa2,0xbc,0xe3,0xe4,0x05,0x1b,0x7d,0x03,0xe0,0x9f,0xc0, + 0x35,0x0b,0x6a,0x21,0xfa,0xd2,0x14,0xae,0x7a,0x07,0x32,0x77,0xc7,0x7a,0x40,0xdc, + 0x44,0xa5,0xae,0xea,0x51,0x94,0xa7,0x56,0xb6,0x9c,0x93,0x97,0x7b,0x69,0xee,0x92, + 0x94,0x36,0x0e,0xaa,0x73,0xa5,0x74,0x54,0x8f,0xa6,0xa9,0x74,0xa7,0xcd,0x5a,0x6a, + 0xdc,0xf0,0x9e,0x80,0x63,0x11,0x56,0xaf,0x85,0xa8,0xe5,0xc5,0x31,0x7e,0x18,0x9e, + 0xea,0xd4,0x7e,0x2e,0xad,0x65,0xc3,0x81,0x39,0x6b,0x5c,0xac,0xde,0x26,0x0e,0x93, + 0x72,0x84,0xa8,0xe9,0x0e,0xff,0x2c,0xbc,0xb9,0xde,0xe2,0x29,0x25,0xf2,0xf7,0x25, + 0x6f,0x74,0xc6,0x7c,0xf3,0xff,0xc7,0xb8,0xce,0x65,0x7e,0x8d,0x13,0x5f,0x0f,0x37, + 0x6d,0x9d,0x93,0x6a,0x79,0x79,0x2c,0x98,0x16,0x14,0xd9,0x8e,0x3f,0x7d,0x66,0x2a, + 0x4f,0xd4,0x6d,0xcd,0xa9,0x69,0x16,0xb3,0x2f,0x36,0x6e,0xd2,0x7d,0xab,0x18,0x8f, + 0x18,0x4b,0x98,0x4d,0xf0,0xb5,0x59,0x71,0x0d,0x8f,0xf2,0x04,0x0b,0xe4,0x62,0xf9, + 0x19,0x43,0x50,0x1b,0xda,0x48,0x40,0xfd,0xd5,0xc8,0xec,0x15,0xd1,0x89,0x06,0x4d, + 0xef,0x75,0x6e,0x54,0x5d,0xb3,0x19,0xe0,0x07,0xc4,0x33,0xf0,0x46,0x8a,0x67,0x23, + 0x35,0x7b,0xa4,0x7d,0x15,0x6a,0xb7,0x65,0x2b,0x06,0xae,0x2b,0x18,0x87,0x4f,0x07, + 0x71,0xc6,0x26,0x46,0x6d,0xbd,0x64,0x23,0xe6,0xcb,0xc5,0x18,0xb5,0xe4,0xae,0x7b, + 0x8f,0x15,0xe0,0xf2,0xd0,0x47,0x1a,0x95,0x16,0xdf,0xa9,0x59,0x16,0x97,0xf7,0x42, + 0x86,0x23,0x24,0xd8,0xd1,0x03,0xfb,0x63,0x1d,0x6c,0x20,0x73,0xd4,0x06,0xb6,0x5c, + 0xde,0xe7,0xbd,0xa5,0x43,0xe2,0xe9,0xeb,0xff,0x99,0x06,0x98,0x5d,0x1c,0xb3,0x65, + 0x17,0x2e,0xa6,0x23,0xed,0x7a,0xa4,0xc7,0xa3,0x22,0xf0,0x98,0x46,0x80,0xe3,0x4e, + 0x99,0xbc,0x62,0x31,0xb0,0x2e,0x3d,0x14,0x58,0x16,0x08,0xbc,0x55,0xbc,0xa7,0xfb, + 0xe2,0x2d,0x7f,0x03,0xe9,0x04,0xda,0x45,0x52,0xe0,0x09,0xe5,0x60,0x7f,0x04,0x18), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x59,0x16,0x52,0xb6,0xeb,0x1b,0x52,0xc9,0xbe,0xbd,0x58,0x32,0x56,0xc2,0x22,0x86, + 0x80,0x11,0x0b,0x87,0x89,0x17,0xde,0xa5,0xad,0x69,0xe8,0xc5,0xd2,0xab,0x51,0x42, + 0x77,0xb0,0xac,0x31,0xe7,0xe2,0xcc,0xea,0xb2,0xe5,0xd9,0xc4,0x5d,0x77,0xa4,0x1f, + 0x59,0x9b,0x38,0xa8,0x32,0xf6,0xb2,0xd8,0x09,0x79,0x52,0xbe,0x44,0x40,0xd1,0xff, + 0x84,0xba,0xf5,0x1b,0xd7,0x0b,0x64,0xf1,0x30,0xae,0xb6,0x86,0x14,0x5f,0xcd,0x02, + 0x95,0x38,0x69,0xfb,0x84,0x1a,0xf7,0xf6,0xe3,0x4e,0xaa,0x2b,0x99,0x6c,0xcd,0x89, + 0x69,0x7c,0x58,0xfa,0x25,0x5c,0xc1,0xe8,0x1f,0x62,0x14,0x00,0xe1,0x41,0x46,0x36, + 0x1e,0x31,0xc7,0x09,0xe8,0x4a,0x56,0x08,0x22,0x31,0x19,0x95,0x39,0xf7,0xed,0xe9), + .s = chunk_from_chars( + 0x1d,0xe7,0x9d,0x72,0x16,0xdd,0xe1,0x25,0xde,0xb7,0x7c,0x34,0xd9,0x0a,0xb3,0x21, + 0xa4,0xde,0x5f,0xb1,0x1c,0x29,0x66,0x56,0xad,0x9b,0xf9,0xa2,0x46,0x53,0x59,0x11, + 0x17,0xac,0xe4,0x15,0xe1,0x8e,0xad,0xce,0x92,0x82,0x3f,0x31,0xaf,0xe5,0x6f,0xc8, + 0xe2,0x94,0x94,0xe3,0x7c,0xf2,0xba,0x85,0xab,0xc3,0xba,0xc6,0x6e,0x01,0x95,0x84, + 0x79,0x9a,0xee,0x23,0x4a,0xd5,0x55,0x9e,0x21,0xc7,0xfd,0x4f,0xfd,0x24,0xd8,0x26, + 0x49,0xf6,0x79,0xb4,0xc0,0x5d,0x8c,0x15,0xd3,0xd4,0x57,0x4a,0x2e,0x76,0xb1,0xf3, + 0xee,0x9f,0x8d,0xec,0x0a,0xf6,0x0b,0x0c,0xed,0x1b,0xe8,0xa1,0x9c,0x2f,0xa7,0x1b, + 0xcb,0xc1,0xfb,0x19,0x08,0x99,0xec,0x85,0x56,0x95,0x8e,0x07,0x82,0xac,0xe7,0x19, + 0x6b,0x36,0x65,0x86,0x56,0xcf,0x36,0x4d,0x37,0x73,0xde,0x86,0x26,0x0f,0xd8,0x98, + 0x76,0x04,0xef,0x35,0xea,0xe8,0xf3,0x8e,0xc2,0xcb,0x0d,0xa8,0x64,0xcc,0xa7,0x19, + 0x21,0x9c,0x2a,0xd7,0x1c,0x08,0x50,0x6c,0x41,0x2e,0xc7,0x79,0x95,0xf3,0x74,0x39, + 0xc8,0x56,0x97,0x7b,0x71,0xdf,0xb9,0x64,0x79,0x90,0xef,0x70,0xfa,0xf4,0x32,0x73, + 0xae,0x60,0x83,0x9c,0xd0,0x67,0x9e,0xc9,0xaa,0x42,0xbf,0x91,0x4e,0x42,0x1b,0x79, + 0x7c,0xba,0x21,0x8a,0x40,0x0f,0xf9,0xdb,0xaa,0x20,0x6c,0xb9,0xc2,0xb0,0x59,0x6c, + 0x70,0x9a,0x32,0x2b,0x73,0xcb,0x82,0x72,0x1d,0x79,0xf9,0xdb,0x24,0x21,0x1b,0xf0, + 0x75,0xa1,0xce,0xf7,0x4e,0x8f,0x6d,0x2b,0xa0,0x7f,0xe0,0xdc,0x8a,0x60,0xf4,0x8a, + 0xf5,0x11,0xad,0x46,0x9d,0xcd,0x06,0xe0,0x7a,0x4c,0xe6,0x80,0x72,0x13,0x9c,0x46, + 0xd8,0xbe,0x5e,0x72,0x12,0x53,0xc3,0xb1,0x8b,0x3c,0x94,0x48,0x5c,0xe5,0x5c,0x0e, + 0x7c,0x1c,0xbc,0x39,0xb7,0x7b,0xc6,0xbb,0x7e,0x5e,0x9f,0x42,0xb1,0x53,0x9e,0x44, + 0x2d,0xa8,0x57,0x65,0x8c,0x9e,0x77,0x1c,0xcb,0x86,0xbe,0x73,0x97,0x64,0x7e,0xfb, + 0xc0,0xcc,0xb2,0xc3,0xad,0x31,0xac,0x4e,0x32,0xbf,0x24,0x8c,0xc0,0xce,0xd3,0xa4, + 0xf0,0x94,0x52,0x6b,0x25,0x63,0x1c,0xb5,0x02,0x47,0x09,0x61,0x29,0xb0,0x8a,0x9c, + 0x2c,0xdf,0xb7,0x75,0x97,0x8b,0x0f,0xee,0xe2,0x65,0xa6,0xc4,0x19,0x91,0xc1,0xdc, + 0x44,0x52,0x61,0x5b,0x78,0xc9,0x06,0xc7,0xed,0x1b,0xd2,0x07,0x96,0x9d,0x98,0xd0), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x8d,0xff,0xaa,0x91,0x51,0x27,0x1a,0xd2,0x26,0x22,0xf2,0x28,0xc8,0x92,0xe1,0xd9, + 0x74,0x8b,0x3c,0x39,0x43,0x97,0xf2,0xcb,0xb6,0xfe,0xbe,0xaa,0x92,0x44,0xa0,0x27, + 0xee,0xf2,0x8d,0xb4,0x8a,0x9a,0x66,0x01,0x62,0x15,0x27,0x64,0x83,0x0f,0x61,0x7e, + 0x1e,0xc6,0xea,0x1c,0xdb,0x0e,0xd2,0x5b,0x6f,0x99,0x9a,0x10,0x71,0x75,0xa1,0x66, + 0x69,0xd6,0xdf,0xc9,0x2b,0x16,0xd5,0x03,0x63,0xfa,0xc4,0xa5,0x70,0x37,0x1e,0xa9, + 0x76,0x34,0x3a,0x55,0xae,0x12,0x4b,0x63,0x01,0xea,0x93,0x5e,0xd6,0x55,0xd4,0x4f, + 0x28,0x32,0x08,0x99,0xdb,0xa3,0x51,0x22,0x50,0x59,0x33,0xb3,0x37,0x12,0x01,0xa2, + 0xa4,0x5f,0x95,0xae,0x65,0xab,0x44,0x2a,0x94,0x79,0x12,0x5e,0x68,0xed,0x21,0x2a), + .s = chunk_from_chars( + 0xb3,0x29,0xae,0xf8,0x3a,0x56,0xdd,0xc5,0x7c,0xd9,0xa0,0xe1,0x5e,0xb0,0xb0,0xb7, + 0xae,0xa7,0xd7,0x8d,0x5e,0x8c,0xa3,0x98,0x2b,0xd3,0x1c,0xc8,0x25,0xa0,0xcd,0x1c, + 0x44,0x4d,0x9f,0x7b,0xea,0x9e,0x7a,0x27,0xf3,0xbb,0xb3,0x76,0x10,0x60,0xff,0x95, + 0xfe,0xe1,0xa3,0xe8,0x64,0xd2,0x10,0x8f,0xc4,0x0b,0x64,0x78,0x6a,0x96,0xa6,0xd6, + 0x2d,0x20,0x12,0x17,0xe0,0x3a,0x8b,0xa2,0xc0,0x7e,0xe9,0x4c,0x26,0x71,0x49,0xd1, + 0xe7,0x2c,0xc5,0x77,0x9b,0x73,0x7e,0x85,0x47,0xac,0xd6,0xaa,0x4b,0xba,0x3f,0xf3, + 0x8b,0xf9,0x68,0x7e,0x9e,0x82,0xf5,0x11,0xb5,0x97,0xad,0x7e,0xc1,0xd7,0x95,0xc3, + 0x6a,0x98,0xbf,0x83,0xa9,0x0f,0xc8,0x6b,0x0c,0xad,0x41,0x95,0x33,0x60,0x73,0x89, + 0x21,0x93,0x6a,0x45,0x86,0x74,0xb2,0xe9,0xa7,0x01,0x2a,0xc3,0x02,0x9f,0xdb,0x0a, + 0x9d,0x12,0x31,0x82,0x02,0xd2,0x54,0x4a,0x0d,0x97,0x6e,0xe5,0x36,0xe0,0x3b,0x7e, + 0x8d,0x89,0x4b,0x3b,0x9c,0x76,0x2d,0xab,0x01,0x10,0x84,0x9c,0xc1,0xea,0xad,0x74, + 0x7e,0x3d,0x88,0xd7,0xdc,0xf4,0x9f,0x82,0x4d,0xf0,0x27,0xe6,0x45,0xc0,0xb9,0x29, + 0x4e,0x65,0x5d,0x9f,0xc9,0xe1,0xef,0x95,0xeb,0x53,0xaa,0xff,0x57,0x75,0xc3,0x49, + 0x48,0x6d,0x4b,0x5d,0x67,0xdb,0xa2,0x9b,0x62,0x17,0xf8,0xb9,0x97,0x66,0x12,0xb5, + 0x7e,0x16,0xfc,0x1f,0x99,0x98,0x3f,0x2a,0xf0,0x45,0x79,0x93,0x86,0x06,0x87,0x9b, + 0x7c,0x72,0x53,0xe8,0x70,0x71,0x4b,0x4f,0x0f,0x24,0xe2,0x6d,0xc8,0xc7,0xa6,0xfc, + 0xef,0xfb,0x5f,0x98,0xe3,0xb2,0xfb,0x5d,0xb9,0x49,0xd2,0xf9,0x8c,0xd1,0xae,0x1a, + 0xa5,0x52,0x69,0x6b,0x48,0xc3,0x9f,0x67,0x8e,0x15,0x43,0x51,0xcc,0x75,0x6d,0x3e, + 0x9a,0x97,0xf7,0x92,0x79,0x85,0x3e,0xbd,0x0d,0xb9,0xae,0x68,0x59,0xfb,0x2d,0x57, + 0x21,0x38,0x5d,0x06,0xf5,0x56,0x5a,0x3a,0x8f,0xf0,0x99,0x2d,0x51,0x7a,0xcd,0xa1, + 0xaf,0x69,0xa9,0x28,0x54,0xa1,0xb3,0x2a,0x79,0xcb,0x9e,0x44,0x2a,0x90,0xb0,0x55, + 0xbb,0x2e,0xc3,0xaf,0x8d,0x99,0x26,0xa0,0xd8,0x57,0xe3,0xcb,0x1e,0x7e,0x4a,0x73, + 0x00,0xd1,0xac,0xcb,0x94,0x92,0xec,0x78,0x32,0xaf,0x45,0x35,0x29,0xff,0x0f,0x4a, + 0x6a,0xd3,0x25,0x97,0x57,0xf7,0x07,0xf7,0x13,0xaa,0xa5,0xdf,0x23,0x1f,0x74,0x87), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x71,0xd4,0x16,0x3e,0x70,0x8c,0x12,0x1e,0x93,0x1b,0xb9,0x69,0x2b,0x21,0x7d,0xdd, + 0xd3,0x5c,0x73,0x46,0xf6,0x1c,0xfc,0x95,0x91,0xf7,0xa4,0x31,0x3a,0xbd,0x4a,0x92, + 0x62,0xaf,0x82,0x0b,0xd7,0xeb,0x37,0xe7,0x8c,0x2b,0x95,0xb8,0x9d,0xaf,0x25,0xec, + 0x8e,0x78,0x3a,0xa1,0xd4,0xb7,0x8d,0xbb,0x96,0x85,0x24,0x33,0xb4,0xd4,0x78,0xb1, + 0x09,0xa6,0xd6,0x5e,0xed,0x7d,0x06,0xf3,0xfe,0x12,0x2b,0x17,0x21,0x49,0xea,0xe7, + 0xc3,0x65,0xce,0xd6,0x65,0x78,0xeb,0xb7,0x57,0x1e,0xc2,0x18,0xc3,0x6b,0x65,0xd2, + 0xee,0x22,0xdc,0xde,0xbb,0x28,0xc6,0x6a,0x71,0x38,0x43,0x2c,0xbd,0xd7,0x12,0xf7, + 0xfb,0x8b,0xf7,0x8c,0xb1,0x48,0x60,0xb2,0x5c,0x2b,0x47,0x89,0x70,0x6b,0x5a,0x1b), + .s = chunk_from_chars( + 0x25,0x22,0xee,0x3b,0xda,0x30,0xc0,0x43,0x4e,0x54,0xb1,0x99,0xda,0x8c,0x97,0x33, + 0x96,0x4f,0xd4,0x02,0xb7,0x07,0xf5,0xb3,0x30,0xf4,0xf7,0x54,0xa0,0x50,0x2c,0x7a, + 0x71,0x3c,0x78,0x14,0xf0,0xe8,0x51,0xa4,0xa4,0xdb,0x72,0x69,0x0d,0xb9,0x6e,0xa8, + 0xb8,0x81,0x3b,0xd8,0x62,0x9a,0x94,0x8b,0xb3,0x0c,0x1b,0x82,0x72,0xa8,0x16,0xb3, + 0x0a,0x75,0x5f,0xc6,0xfb,0x17,0x54,0x16,0x7c,0x3e,0xb1,0xf1,0x94,0x39,0x59,0x07, + 0xa5,0x6c,0xf5,0xa7,0x3b,0x41,0x54,0x38,0x3a,0x05,0xb7,0x8b,0x73,0x1f,0xed,0xd9, + 0x07,0x7f,0x3c,0x22,0x67,0xa5,0xcf,0x92,0x66,0x97,0x87,0x1f,0xe0,0xa4,0xbe,0xd9, + 0xc2,0x19,0x55,0x2d,0xd1,0xc8,0x7a,0xff,0x50,0x61,0x30,0x94,0xbc,0xaa,0x2d,0xec, + 0x42,0xa3,0x53,0x80,0xa6,0xba,0xc6,0x73,0xda,0x25,0x94,0xf8,0x24,0xa8,0xf3,0x2f, + 0x21,0xd7,0x59,0x3a,0x3e,0x49,0xc7,0x8e,0xe2,0x80,0x19,0x3a,0x47,0x86,0x21,0xd3, + 0xb0,0x95,0xc1,0x6d,0xce,0x72,0x93,0x53,0x14,0xd4,0xa2,0x32,0x3e,0xeb,0xe7,0x85, + 0x5c,0xa4,0x73,0x8a,0x19,0xb5,0xa3,0x1a,0x5f,0x95,0xab,0x91,0xfb,0xe1,0x28,0x9c, + 0x02,0xfe,0xa7,0xa6,0x5b,0x91,0x32,0x7b,0x7b,0x97,0x90,0x55,0x62,0x89,0xe1,0xb9, + 0x88,0xe4,0x5d,0x50,0xeb,0x8c,0xea,0x15,0x81,0xde,0x5d,0x5d,0xfd,0x21,0x00,0x1c, + 0x73,0xb4,0x39,0x21,0xd8,0xb2,0x1b,0x96,0x44,0xb0,0xf2,0xb9,0x6e,0xe6,0xb0,0x9d, + 0x73,0x70,0x9c,0x33,0x33,0x81,0x43,0xd6,0xa2,0xfe,0xc5,0x59,0xa4,0x36,0xc5,0xec, + 0x86,0x5d,0x3a,0xcc,0xa5,0xfe,0xe6,0x54,0xf1,0x32,0x5a,0xe5,0x72,0x55,0xdf,0xd4, + 0x21,0x88,0xc8,0x4d,0xcb,0x1f,0x7c,0x1e,0x86,0x02,0x8a,0x74,0xe3,0x1d,0x73,0x60, + 0x78,0x74,0x1e,0xe9,0x7c,0x39,0xa5,0x6e,0x4d,0xe0,0x0f,0xc1,0x2b,0x80,0x51,0x83, + 0x5b,0xbd,0x0d,0x8f,0xca,0xe7,0x37,0x32,0x20,0x99,0xad,0xc1,0x01,0x71,0x07,0x02, + 0x2d,0xd1,0x5c,0x11,0x4d,0xa5,0x7e,0x78,0xb9,0x56,0x81,0xba,0x99,0x45,0x61,0x5b, + 0x59,0xda,0x90,0xf5,0xa2,0xa9,0x9a,0x25,0x2e,0xb4,0x2b,0x20,0x06,0xee,0xdd,0x6e, + 0x78,0x47,0x6c,0x29,0x05,0x47,0x3e,0xe6,0xb4,0xf2,0x3c,0x1c,0x5c,0xf0,0xb8,0x04, + 0x51,0xc5,0x42,0x6e,0xa0,0x09,0x14,0x1c,0xb3,0xfc,0xb0,0xdf,0x2d,0xed,0x92,0xbe), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0xd0,0x0e,0x15,0x29,0x22,0x8c,0x79,0xa2,0x0a,0x1c,0x36,0x68,0xff,0xa4,0xa5,0x41, + 0x40,0xbb,0x17,0x0b,0xc5,0xc6,0x69,0xfd,0x75,0x60,0xd9,0x30,0x99,0x00,0x17,0x5e, + 0x91,0xd5,0xa0,0xe9,0xc5,0xf5,0x47,0x1f,0xdf,0xb7,0x14,0xbc,0x38,0x5d,0x52,0xb0, + 0x8f,0xf7,0xe4,0x23,0x01,0x84,0xd8,0xb7,0x35,0x59,0x3f,0x0d,0xd8,0xc7,0x3b,0x8a, + 0x49,0xf8,0x59,0x5b,0x95,0x1a,0x21,0xb6,0xa5,0xbf,0xec,0x63,0xb6,0x84,0xf6,0x7c, + 0x0a,0xf1,0xb4,0x71,0xdd,0xa1,0x68,0x4e,0x9b,0xa3,0xf2,0x41,0x50,0x1f,0xe9,0x57, + 0x60,0x3d,0xea,0x86,0x78,0x42,0x30,0xf0,0xc4,0xfd,0x65,0x66,0x63,0x61,0xb8,0x2b, + 0x18,0x73,0x30,0xfb,0x42,0x67,0x40,0x4c,0x0e,0x05,0x9b,0xd4,0xeb,0x52,0x49,0x4b), + .s = chunk_from_chars( + 0x18,0x35,0xdd,0x97,0xe5,0x09,0x3a,0x33,0xce,0x1e,0x62,0xd6,0x83,0x86,0x3f,0x6b, + 0x35,0x07,0xf3,0x58,0xa6,0x2f,0xc8,0x79,0xb5,0x24,0x35,0x0f,0xbc,0x73,0x30,0x68, + 0x1c,0xb0,0xc6,0x82,0xee,0xf4,0x33,0x04,0x19,0xca,0xf8,0x54,0x3b,0xd9,0x26,0x9b, + 0x6d,0x91,0xd8,0xe1,0x07,0xec,0x38,0xb6,0xe9,0xc6,0xea,0xab,0xf9,0x06,0x45,0x72, + 0x05,0xd5,0x2a,0x90,0x0e,0x05,0x57,0x9a,0xa1,0x1f,0xc5,0x81,0x37,0x52,0x64,0xe6, + 0x9a,0x92,0x57,0x98,0xe5,0xa3,0x48,0xe5,0xa1,0x6f,0x15,0x67,0xd5,0xd0,0xe4,0x08, + 0x53,0x38,0x0b,0x34,0xde,0xac,0x93,0xad,0x73,0x77,0xaa,0xe8,0xa2,0x7b,0x09,0x0d, + 0x0d,0x3a,0x92,0xbf,0x7a,0x82,0x4d,0x92,0x6e,0x2e,0x35,0xa0,0xc3,0xbd,0x0e,0x99, + 0x0b,0x59,0x11,0x20,0xd7,0x4d,0xd9,0xb0,0x52,0xa7,0x35,0x68,0xe3,0xc3,0xf2,0x9c, + 0x5a,0x77,0xfb,0x1c,0x92,0x1b,0xce,0x9c,0x1e,0x7f,0x76,0x4a,0xa6,0x7b,0xac,0x11, + 0x9f,0x58,0x39,0xa5,0x30,0x38,0x60,0xed,0xeb,0x63,0x48,0x14,0xc2,0x38,0x6c,0x83, + 0x1f,0xee,0x62,0x00,0xcf,0x55,0xb6,0xbf,0xea,0x05,0x8b,0x79,0x5a,0x0f,0xcf,0x26, + 0xeb,0x72,0x16,0xae,0x1b,0x75,0x87,0xc8,0x2e,0x56,0x85,0xe5,0x84,0x17,0x0c,0xbd, + 0xdc,0x89,0xa7,0x7e,0x09,0x89,0xd4,0xce,0x5c,0x3c,0x7f,0xdb,0x66,0x4a,0xae,0xaa, + 0xdb,0xce,0x1f,0x23,0x1e,0x64,0x79,0x8f,0x6f,0x9a,0x85,0x45,0x6b,0x5a,0x93,0xa5, + 0x02,0x12,0x6a,0x80,0xe2,0xd2,0x1f,0x46,0x92,0x1c,0xc3,0x60,0x1f,0x5e,0xcd,0xbd, + 0x56,0x99,0x8a,0x63,0xb8,0x65,0xfc,0xe7,0xeb,0x29,0x9f,0x76,0xaf,0x40,0xe9,0x12, + 0x81,0xbf,0xc0,0x19,0xf4,0x0e,0x0d,0x46,0x81,0x1e,0x38,0x36,0x91,0xe4,0x02,0x4c, + 0x94,0x56,0x6f,0x18,0x02,0x4f,0xf2,0xb2,0x2a,0xa7,0xe1,0x27,0x02,0x33,0xff,0x16, + 0xe9,0x2f,0x89,0xc6,0x85,0x09,0xea,0x0b,0xe2,0xd3,0x45,0x11,0x58,0x1d,0x47,0x22, + 0x07,0xd1,0xb6,0x5f,0x7e,0xde,0x45,0x13,0x3d,0xe8,0x7a,0x5f,0xfb,0x92,0x62,0xc1, + 0xff,0x84,0x08,0x8f,0xf0,0x4c,0x01,0x83,0xf4,0x84,0x67,0x99,0x6a,0x94,0xd8,0x2b, + 0xa7,0x51,0x0c,0xb0,0xb3,0x6c,0xf2,0x54,0x82,0x09,0xa5,0x06,0x03,0x37,0x5c,0xb8, + 0x2e,0x67,0x8f,0x51,0x49,0x33,0x45,0xca,0x33,0xf9,0x34,0x5f,0xfd,0xf5,0x4b,0xe9), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0xa3,0x59,0x26,0x68,0x55,0x61,0xf0,0x9f,0x30,0x92,0x5e,0x94,0xd7,0x4e,0x56,0x61, + 0x89,0x2a,0x2d,0xdd,0x52,0x4f,0x75,0x1f,0x83,0x21,0x16,0x3d,0x61,0x1e,0xa1,0x59, + 0x1a,0x08,0xe0,0xdf,0xfd,0x46,0xb2,0x08,0xe9,0x88,0x15,0xa3,0x06,0xaa,0x85,0x14, + 0xb4,0xdb,0x85,0x9d,0xc1,0xfe,0x7b,0xdc,0xdf,0x50,0xc0,0x95,0x55,0x4b,0xf8,0xb2, + 0xf4,0xcb,0x9f,0x88,0x4d,0x70,0xe5,0x5c,0x21,0x43,0xbc,0x26,0x19,0x9c,0x2f,0x94, + 0xb7,0x43,0xf5,0x52,0x8d,0xd5,0x46,0x89,0xad,0x69,0xed,0xa6,0x60,0x74,0x9f,0x5c, + 0x1b,0xea,0x8b,0xec,0xae,0xa6,0x32,0xa4,0xbf,0x0c,0x79,0xa5,0x77,0xed,0xfc,0xea, + 0x7b,0xaa,0xa6,0x86,0x1e,0x9d,0x7f,0x2d,0xd5,0xb4,0xc4,0xf6,0xeb,0x5f,0x3d,0x5f), + .s = chunk_from_chars( + 0xb1,0xa9,0xc4,0x5a,0x26,0x4d,0x2c,0x9a,0xf4,0x41,0xa7,0xb2,0xd3,0x30,0xdd,0x78, + 0x80,0x89,0xcc,0xef,0x20,0x5d,0x5d,0x66,0x6b,0xfe,0x86,0x43,0x67,0xbe,0x97,0x38, + 0x12,0x4e,0x9d,0x74,0x64,0x8a,0xd9,0x91,0x60,0xbd,0x3a,0xf8,0x1a,0x81,0x85,0x8b, + 0xab,0xe6,0x67,0xa5,0xd9,0x5c,0x98,0x0f,0xe2,0xf6,0xac,0x34,0x86,0x1e,0xb2,0xec, + 0x9b,0x4b,0x4e,0x8b,0x64,0x2e,0xf3,0x82,0x0f,0x56,0xca,0x38,0x8a,0x55,0x65,0x30, + 0xd4,0x27,0x54,0xc4,0x72,0x12,0xe9,0xb2,0xf2,0x52,0x38,0xa1,0xef,0x5a,0xfe,0x29, + 0xbe,0x63,0x40,0x8c,0xf3,0x8c,0xaa,0x2d,0x23,0xa7,0x88,0x24,0xae,0x0b,0x92,0x59, + 0x75,0xd3,0xe9,0x83,0x55,0x8d,0xf6,0xd2,0xe9,0xb1,0xd3,0x4a,0x18,0xb1,0xd9,0x73, + 0xff,0xac,0xcc,0x74,0x5e,0x52,0x7c,0xe7,0x6c,0x66,0x3e,0x90,0x37,0x19,0x35,0x5e, + 0x45,0xcd,0x6d,0x11,0x8e,0xd0,0xb8,0x5b,0x70,0xcb,0xb8,0xe4,0x96,0x41,0x13,0x53, + 0xf8,0x4f,0x88,0x66,0xa0,0x1f,0xad,0xc8,0x19,0xca,0x0f,0xf9,0x5b,0xbe,0x2c,0xc6, + 0x8c,0x8c,0xf7,0x8d,0xa5,0x58,0x1b,0xec,0xc9,0x62,0x47,0xb9,0x11,0xd1,0x85,0xed, + 0x1f,0xae,0x36,0xc4,0xca,0xd2,0x62,0x08,0xeb,0x80,0x88,0x3f,0x42,0xa0,0x81,0x23, + 0xda,0xc6,0x8d,0x88,0xf2,0xf9,0x89,0x3c,0xde,0x02,0xef,0x5a,0x57,0x66,0x1d,0xb2, + 0xb3,0xe1,0xe9,0x26,0x9c,0xbb,0x0e,0x15,0xc4,0x07,0xbc,0xf5,0x5d,0x92,0xe6,0x79, + 0x38,0x3c,0x90,0x80,0x2c,0xd0,0xbf,0xfd,0x46,0x96,0x46,0xdc,0xb6,0x0c,0xa0,0x1a, + 0x1d,0xea,0xd4,0x32,0x28,0x93,0x40,0x18,0x39,0x1d,0xd8,0x1f,0x8b,0x7e,0x79,0x7e, + 0x52,0x7f,0xbe,0x18,0x15,0xb9,0x1b,0xf3,0xcd,0x6a,0x1f,0x2f,0xfb,0xf5,0xdd,0x16, + 0x6a,0xcd,0x55,0x26,0x76,0x1c,0xa8,0xba,0xb5,0xd4,0x63,0xfb,0x9f,0xb8,0x20,0x65, + 0x9f,0x5c,0xd5,0x0f,0x81,0x50,0xf1,0x2f,0x7e,0x8d,0x52,0xe7,0x77,0x73,0xc1,0xe6, + 0x48,0x0c,0x2c,0xc1,0x84,0xd4,0x11,0xd6,0x41,0xf7,0x1a,0x9d,0xed,0xc2,0xc5,0xfc, + 0x2e,0xc3,0x7a,0x27,0x70,0xa9,0x38,0x3b,0xfb,0xf6,0xa4,0x89,0xcf,0x32,0xb5,0x6a, + 0x12,0xcf,0x99,0x37,0x8e,0x39,0xb5,0x0b,0xda,0xdb,0x9f,0x05,0x91,0xb2,0x06,0x5f, + 0x9d,0x44,0xe5,0x11,0xc9,0xdf,0xb6,0x15,0x8f,0xdd,0xdd,0xd1,0xbc,0x2c,0xec,0xe6), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x12,0x71,0xa0,0xdd,0xb9,0x9a,0x0e,0x1e,0x9a,0x50,0x1c,0xa3,0x3c,0x13,0x1b,0x0a, + 0x1c,0x78,0x20,0xa3,0x97,0x79,0x08,0x69,0x09,0x0f,0xba,0x37,0x37,0x03,0xac,0x38, + 0xea,0x00,0xa9,0xa0,0xdd,0xee,0xd1,0x99,0xd9,0x7b,0xe1,0x80,0x1f,0xfa,0xb4,0x52, + 0x06,0x71,0x0a,0x61,0xe5,0xed,0x89,0x4c,0x33,0x19,0x01,0x2d,0xed,0x0f,0xf4,0x14, + 0x38,0x6e,0x56,0xb5,0x48,0xad,0x91,0x5d,0x80,0xaf,0xcc,0x2b,0xdb,0x97,0x6d,0x7c, + 0x8a,0xdd,0xdc,0xa7,0xdf,0xa2,0x8a,0xeb,0x69,0x40,0x33,0xa5,0x61,0x26,0x60,0xc6, + 0x44,0xe3,0x2f,0x85,0xc2,0x80,0x56,0x51,0xd7,0x13,0x66,0x0a,0x38,0x91,0x4d,0x70, + 0xf0,0xe4,0x1f,0xdc,0x4b,0x3d,0x16,0x2e,0xf3,0xac,0xd7,0x06,0x59,0xee,0xf6,0x37), + .s = chunk_from_chars( + 0xbf,0xfd,0x01,0x0b,0x2e,0xc4,0xe4,0xa3,0x27,0x77,0xb7,0x76,0x19,0xb8,0x76,0x22, + 0xf8,0x92,0x1d,0xab,0x56,0xe1,0x02,0xc8,0xd8,0x24,0xfe,0x52,0xb5,0xdf,0x7a,0x20, + 0x3f,0xe7,0x17,0x99,0xee,0xaf,0xdc,0xc0,0xc8,0x87,0x2d,0xba,0x6a,0x37,0x44,0x07, + 0xb5,0x63,0x9a,0xeb,0x5a,0x30,0xa9,0x04,0x71,0x2f,0x15,0x09,0x7d,0xba,0x0f,0x2d, + 0x62,0xe8,0x45,0x41,0x23,0x95,0xcf,0x09,0x54,0x0a,0xbd,0x6e,0x10,0xc1,0xa2,0xe2, + 0x3d,0xbf,0x2f,0xe1,0xdf,0xd2,0xb0,0x2a,0xf4,0xee,0xa4,0x75,0x15,0x95,0x7f,0xa3, + 0x73,0x8b,0x06,0x41,0x1a,0x55,0x1f,0x8f,0x8d,0xc4,0xb8,0x5e,0xa7,0xf5,0xa3,0xa1, + 0xe2,0x6c,0xcc,0x44,0x98,0xbd,0x64,0xaf,0x80,0x38,0xc1,0xda,0x5c,0xbd,0x8e,0x80, + 0xb3,0xcb,0xac,0xde,0xf1,0xa4,0x1e,0xc5,0xaf,0x20,0x55,0x66,0xc8,0xdd,0x80,0xb2, + 0xea,0xda,0xf9,0x7d,0xd0,0xaa,0x98,0x33,0xba,0x3f,0xd0,0xe4,0xb6,0x73,0xe2,0xf8, + 0x96,0x0b,0x04,0xed,0xa7,0x61,0x61,0x64,0x39,0x14,0x24,0x2b,0x96,0x1e,0x74,0xde, + 0xae,0x49,0x7c,0xaf,0x00,0x5b,0x00,0x51,0x5d,0x78,0x49,0x2e,0xc2,0xc2,0xde,0xb6, + 0x0a,0x57,0xb9,0xdc,0xe3,0x6e,0x68,0xdd,0x82,0x00,0x7d,0x94,0x2a,0xe7,0xc0,0x23, + 0xe1,0x21,0x0f,0x0b,0xe8,0xa3,0xeb,0x3f,0x00,0x48,0x24,0x07,0x4b,0x8f,0x72,0x5e, + 0xaf,0x8a,0xc7,0x73,0xe6,0x0f,0xbb,0xb7,0xcb,0xa9,0x63,0x0e,0x88,0xb6,0x9c,0x8b, + 0xcb,0x2d,0x74,0xdb,0xdb,0x29,0xbf,0xff,0x8b,0x22,0x54,0x5b,0x80,0xbb,0x63,0x4e, + 0x4c,0x05,0xf7,0x3e,0x00,0x2a,0x92,0x8e,0xfd,0x5a,0x6a,0xa4,0x56,0x21,0xce,0x1b, + 0x03,0x2a,0x22,0x44,0xde,0x48,0xf4,0xdf,0x43,0x58,0x15,0x66,0x78,0xcb,0xe0,0x39, + 0xc9,0xeb,0xe4,0xce,0xe9,0x45,0xa2,0x5b,0x90,0x38,0x46,0x9f,0xe0,0x0c,0x30,0x92, + 0x93,0x6a,0x8c,0xff,0x93,0x69,0x04,0x5f,0x90,0x67,0x33,0xa9,0xd2,0xab,0x36,0x60, + 0x18,0x20,0x69,0xb1,0x57,0xca,0x8f,0x9b,0x99,0xa7,0x1f,0xc1,0x53,0xc6,0x83,0x01, + 0xe9,0x7a,0x38,0xfc,0x3a,0x87,0xae,0x2b,0x6f,0x03,0x75,0x4e,0x6d,0xa8,0x2d,0x0b, + 0x07,0x26,0xe0,0x70,0x39,0x79,0xc9,0x32,0x02,0x89,0xfe,0xef,0xbc,0xdd,0xcd,0x9d, + 0x70,0x6b,0x71,0xb5,0x1e,0x9a,0x1b,0x9d,0xc1,0x41,0x2e,0x6e,0xd4,0xb5,0x66,0x76), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0xf3,0x0c,0x78,0x3b,0x4e,0xae,0xb4,0x65,0x76,0x7f,0xa1,0xb9,0x6d,0x0a,0xf5,0x24, + 0x35,0xd8,0x5f,0xab,0x91,0x2b,0x6a,0xba,0x10,0xef,0xa5,0xb9,0x46,0xed,0x01,0xe1, + 0x5d,0x42,0x7a,0x4e,0xcd,0x0f,0xf9,0x55,0x67,0x73,0x79,0x17,0x98,0xb6,0x69,0x56, + 0xec,0xc7,0x52,0x88,0xd1,0xe9,0xba,0x2a,0x9e,0xa9,0x48,0x57,0xd3,0x13,0x29,0x99, + 0xa2,0x25,0xb1,0xff,0xaf,0x84,0x46,0x70,0x15,0x6e,0x7a,0x3e,0xa9,0xf0,0x77,0xfe, + 0x82,0x59,0xa0,0x98,0xb9,0xee,0x75,0x9a,0x6d,0xdf,0xb7,0xd2,0x0a,0x7a,0xcd,0x1b, + 0xcb,0x9f,0x67,0x77,0x7e,0x74,0x61,0x5e,0x88,0x59,0xea,0x56,0x28,0x1f,0xe5,0xc4, + 0x00,0x74,0x8f,0x02,0xd1,0xa2,0x63,0xb1,0x86,0x7a,0x3b,0x51,0x74,0x8a,0xb7,0x0f), + .s = chunk_from_chars( + 0x34,0x5e,0x2f,0x60,0xf7,0xc8,0x2c,0x89,0xef,0x7d,0xfd,0x7d,0xff,0x2b,0xc2,0x34, + 0x8b,0xab,0x02,0x04,0x79,0x33,0x08,0x99,0xd4,0x41,0x02,0x13,0xb3,0x5e,0x98,0xd9, + 0xba,0xc9,0x2f,0xd8,0xae,0x80,0x6b,0x5b,0xce,0x8a,0x6c,0x4b,0xd8,0x27,0x5b,0x0f, + 0xac,0xb4,0xdd,0x13,0xf9,0xd6,0x8b,0xa6,0x71,0x41,0xfa,0x50,0x85,0x26,0x4d,0xa6, + 0xdd,0x68,0x5a,0x6d,0x21,0x21,0x70,0xa2,0xc9,0xcb,0xf2,0xcf,0x59,0x30,0x18,0x0e, + 0xff,0xc2,0x50,0x86,0x8c,0x98,0x4b,0xf5,0x0f,0xf6,0x9d,0x60,0x69,0xea,0x28,0xf5, + 0xbc,0x1b,0x63,0x70,0x5d,0x07,0x32,0x41,0x6f,0xd8,0x29,0xa5,0xf5,0xd6,0x21,0x74, + 0x62,0xc2,0x2a,0x33,0xfd,0x46,0x52,0xf7,0xc1,0xd1,0x98,0x79,0x46,0x46,0xc0,0x84, + 0x06,0x02,0x4e,0x81,0x63,0xa7,0xeb,0xe3,0x9c,0xfb,0x51,0x4c,0x54,0x43,0x89,0x7b, + 0x58,0x94,0xdd,0x19,0xa2,0x13,0xe0,0x37,0xf2,0x7e,0x0f,0xfb,0xd6,0xc5,0x44,0x7a, + 0x80,0x5a,0x54,0xdf,0xdf,0x4f,0x65,0x81,0x9d,0x4e,0x0f,0xbe,0xe2,0x5e,0x3d,0xac, + 0x47,0xfb,0x6b,0x63,0x6e,0x8d,0xe6,0x19,0x0a,0xdc,0xcb,0xce,0xe9,0x37,0xd0,0x97, + 0x7b,0x35,0xb9,0x73,0x60,0x6b,0x0c,0xa3,0x48,0x75,0x8b,0x50,0xcd,0xbb,0xa0,0x28, + 0xb7,0x3d,0x0e,0xf0,0x1c,0x56,0x01,0x4c,0x03,0x1c,0x59,0x8f,0xe8,0xdb,0x87,0xd2, + 0xca,0x46,0x44,0x77,0x0a,0xaa,0x04,0x51,0xc3,0x76,0xde,0xd8,0x2f,0xf5,0xc6,0xb8, + 0xe7,0xd2,0xed,0x9d,0x1c,0x8a,0x17,0xc3,0x12,0x2c,0x12,0x82,0x73,0xc6,0x0f,0xd1, + 0xb0,0x08,0x8d,0xfb,0xc9,0xc9,0x27,0xf1,0x62,0xe4,0x38,0x79,0x40,0x59,0x64,0xcb, + 0x11,0xef,0x78,0x99,0x12,0x3f,0xeb,0x8f,0x88,0xdd,0x27,0x34,0xdf,0x98,0xaa,0x69, + 0x6d,0x93,0x6a,0x8d,0xf0,0x70,0x00,0xe8,0x4a,0xf9,0x01,0x01,0xf7,0x00,0x6a,0x9b, + 0xd2,0x54,0x9f,0xdd,0x0a,0xd3,0xf9,0xde,0x09,0x30,0x12,0xd3,0x2d,0x2a,0xfa,0xa8, + 0x28,0x01,0x7e,0xe9,0xc6,0x07,0xcb,0xf5,0xb5,0x4f,0x22,0x36,0x66,0xd4,0xb5,0xf3, + 0xe2,0x6e,0x0d,0xfe,0xc0,0x03,0x96,0x1b,0x83,0xd8,0x3d,0xe3,0x9f,0xf6,0xa0,0xe8, + 0x1e,0x18,0x83,0xc1,0xdb,0x4a,0xaa,0xf0,0x82,0xfe,0xc5,0xaa,0x30,0xa7,0xe5,0x78, + 0x55,0x3d,0x89,0x77,0x4c,0x67,0x90,0x77,0x90,0xc9,0x6d,0xc4,0xf5,0xbe,0x4c,0x8c), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x13,0x2c,0xf5,0x0c,0x66,0xac,0x4c,0xc5,0x43,0x39,0x75,0x1a,0x0e,0xbb,0x86,0x5e, + 0x1d,0x3d,0x32,0x05,0x62,0xfc,0x90,0x5c,0x4a,0xbd,0x1e,0x78,0xe4,0x64,0x06,0x6c, + 0x46,0xc3,0xa0,0xc0,0x2d,0xb0,0x37,0x1e,0xe3,0x5a,0x10,0x4d,0x66,0xdd,0xa8,0x64, + 0xc6,0x13,0x3e,0x37,0xcf,0xad,0x91,0x16,0xe8,0x83,0xeb,0xb7,0x3b,0x29,0x5e,0x70, + 0x16,0xc3,0x4e,0xa9,0x91,0x1a,0x30,0x92,0x72,0xef,0x90,0x11,0x4d,0x8f,0x59,0xff, + 0xf0,0xa7,0x51,0x93,0xfe,0x5a,0xe3,0x1e,0xd9,0x91,0x21,0xf9,0xc5,0x92,0x09,0xbc, + 0x4b,0xd5,0x07,0xb1,0xdc,0x12,0xbc,0x89,0xb7,0x9f,0xfe,0x4d,0x0d,0xf9,0x20,0x97, + 0x62,0xa1,0x73,0x01,0x36,0x29,0x0c,0xde,0xe5,0x8e,0xc8,0x28,0xcc,0xc8,0x8e,0xba), + .s = chunk_from_chars( + 0xb1,0x25,0x03,0xb7,0xb2,0xf7,0x83,0x61,0x88,0x84,0x17,0x4b,0xcb,0x9b,0xe1,0x08, + 0x77,0x96,0x04,0x31,0xed,0x63,0x63,0xc8,0x07,0xe1,0x2d,0xb7,0x1b,0x8b,0x6b,0xd9, + 0xd6,0x40,0x1d,0x06,0x4e,0x25,0x37,0x40,0x15,0x8e,0x8b,0x90,0x01,0x52,0xd3,0x7f, + 0xaf,0x20,0x33,0x3a,0x7d,0x80,0xb3,0xd4,0x7c,0x7c,0x7a,0x3f,0xa1,0x20,0x91,0xce, + 0x31,0xcd,0x8a,0xae,0x27,0x2a,0x4d,0xa1,0x5f,0xe2,0xcb,0x5c,0xfd,0xea,0x54,0x11, + 0x95,0xa4,0x69,0xc9,0x6b,0xcf,0x69,0x5e,0x0b,0x52,0x6d,0xfa,0x48,0xa5,0x90,0x03, + 0xc6,0x76,0x3a,0xf8,0x13,0x63,0x92,0xc4,0xb8,0xd2,0x4d,0xb3,0x14,0x74,0x6f,0x42, + 0xac,0xa5,0x50,0xac,0xc6,0x5e,0x07,0x49,0x13,0xab,0x82,0x23,0x2e,0xb8,0x59,0x35, + 0x09,0x15,0x8a,0x8b,0xa3,0x4b,0xc0,0xf0,0xe3,0x12,0x5a,0x83,0x4a,0x3e,0xd2,0xd6, + 0xa8,0xcb,0x1d,0x08,0x5f,0x23,0x4a,0xe8,0x68,0xb8,0x6a,0xea,0x8d,0x6f,0x82,0xe1, + 0x3a,0x08,0x84,0x24,0x85,0x06,0x6e,0x48,0xaa,0xe4,0x83,0x78,0x73,0x15,0x0f,0x44, + 0x47,0x5e,0x12,0x60,0x2b,0x55,0x2d,0xcb,0x34,0xd1,0xf9,0xfd,0xaa,0xdb,0xc6,0xbf, + 0xf5,0x13,0x4c,0x6f,0xc7,0x62,0x63,0x88,0x8b,0xe6,0x7e,0xfe,0x63,0xee,0x18,0x40, + 0xfa,0x08,0xc4,0x99,0x38,0x85,0x8a,0x9d,0x48,0xb1,0x05,0x8d,0x18,0x97,0x6b,0xf2, + 0xe3,0xbf,0xc6,0x25,0x55,0x2f,0x75,0xb3,0xea,0x44,0xeb,0x91,0xdd,0x36,0x68,0x65, + 0xf2,0x40,0xa0,0xc3,0x36,0xa0,0x11,0x0e,0x0f,0xa0,0x9d,0x09,0xcd,0x94,0xc7,0x0c, + 0xbc,0x88,0x95,0xae,0x3d,0x44,0xae,0x3d,0xff,0x54,0x5f,0x0e,0x8c,0x8c,0xc6,0x62, + 0xec,0xd4,0x0f,0x90,0x99,0xa9,0x52,0x49,0x43,0x96,0xc6,0xb4,0x23,0xeb,0xb4,0x63, + 0x40,0x99,0x69,0x28,0x1c,0xdd,0x54,0xad,0x87,0xa3,0x08,0xe4,0x87,0xce,0x19,0x74, + 0x5b,0x30,0xd5,0xda,0x76,0xb9,0x8d,0x2a,0xa9,0xa0,0x07,0xa5,0x57,0x83,0xb3,0x03, + 0x7e,0x5b,0x86,0x62,0x32,0x28,0x10,0xbd,0xd1,0x1d,0x86,0xdc,0x3f,0x61,0x45,0x11, + 0x49,0x39,0x1f,0xb2,0xf1,0x4e,0xd9,0xc1,0x7c,0x75,0x16,0x23,0xa4,0x04,0x2c,0xe7, + 0xed,0xb8,0x75,0xee,0x27,0xbc,0xd1,0xf1,0x9d,0x6d,0xc9,0x28,0x3a,0xd0,0x6d,0x15, + 0xe0,0x97,0xe2,0xb0,0xb1,0x5a,0x7e,0xb7,0x12,0x8a,0xdb,0xca,0x0a,0xa6,0xad,0xcc), + }, +}; + +START_TEST(test_sign_pkcs15_3072) +{ + signature_scheme_t scheme = pkcs15_3072[_i].scheme; + chunk_t sig; + + if (!lib->plugins->has_feature(lib->plugins, + PLUGIN_PROVIDE(PUBKEY_VERIFY, scheme)) || + !lib->plugins->has_feature(lib->plugins, + PLUGIN_PROVIDE(PRIVKEY_SIGN, scheme))) + { + warn("%N not supported, skip test", signature_scheme_names, scheme); + return; + } + fail_unless(privkey_3072->sign(privkey_3072, scheme, NULL, pkcs15_3072[_i].m, &sig), + "sign %N", signature_scheme_names, scheme); + ck_assert_chunk_eq(pkcs15_3072[_i].s, sig); + fail_unless(pubkey_3072->verify(pubkey_3072, scheme, NULL, pkcs15_3072[_i].m, sig), + "verify %N", signature_scheme_names, scheme); + free(sig.ptr); +} +END_TEST + +/** + * Keys for the FIPS 186-4 SigGen RSASSA-PSS test vectors + */ +static private_key_t *privpss_2048, *privpss_3072; +static public_key_t *pubpss_2048, *pubpss_3072; +static bool pss_salt_supported; + +static void pss_salt_test() +{ + chunk_t sig_salt = chunk_from_chars( + 0x3c,0x34,0xa4,0x56,0xdb,0x84,0x7b,0x7b,0xbb,0xbb,0xb0,0x15,0x5c,0xe2,0xe2,0x26, + 0xde,0xa9,0x27,0xb8,0x71,0x1b,0x28,0x0d,0xe3,0xe4,0xc2,0x6b,0x44,0x39,0xae,0x78, + 0x3a,0x93,0x68,0x6c,0xa0,0x91,0x19,0xd3,0x15,0x3b,0x93,0x15,0x92,0x13,0xaa,0x22, + 0x76,0x18,0xfd,0xbf,0x53,0x7f,0x2c,0xa7,0x24,0x5d,0xfa,0x93,0x78,0xff,0xdf,0x25, + 0x25,0x6c,0x65,0x2d,0xc1,0x6c,0xfd,0x43,0x87,0x3c,0x83,0x5b,0xe0,0x76,0xaf,0x99, + 0xa7,0xe4,0x11,0x3d,0xa6,0xa7,0xa4,0x50,0x0c,0xb8,0x4b,0x9b,0xd7,0x29,0xa6,0x6c, + 0x39,0x15,0xef,0xd9,0x46,0x5d,0x64,0x7e,0xf9,0x90,0x4a,0x7e,0x53,0xeb,0xfd,0x2f, + 0x32,0xdc,0x38,0xdf,0x3d,0xef,0xf7,0xa5,0x87,0xf0,0x5c,0x33,0x78,0x61,0x40,0x36, + 0x8d,0x16,0x14,0xf3,0xeb,0xfb,0x58,0x99,0x06,0xe9,0x48,0x67,0x93,0xe7,0x84,0x3c, + 0x6c,0x4a,0x3c,0x7e,0x0b,0xcc,0x62,0xcf,0xdb,0x7b,0x85,0xff,0x6c,0x3d,0x9f,0x7c, + 0x22,0x9e,0x0a,0x83,0x0b,0x3a,0x6a,0xe9,0xc2,0xbe,0x2f,0xd2,0xab,0x66,0xcb,0x1a, + 0x52,0x27,0x71,0x72,0x46,0xbf,0xed,0x8d,0xaa,0x47,0xaf,0x88,0x3a,0xf2,0xc2,0x6d, + 0xf4,0x24,0x01,0x4c,0x21,0xa1,0x40,0x63,0x93,0xeb,0xd9,0x56,0xf5,0xd2,0x74,0xe6, + 0x16,0x94,0x89,0x74,0x31,0x71,0xba,0xbd,0x6a,0x89,0x4a,0x52,0x9a,0x79,0x07,0x68, + 0x34,0x24,0x54,0xfd,0x21,0x54,0x7d,0xbe,0x3a,0x46,0xa6,0x28,0xa5,0xbc,0xea,0x30, + 0xb6,0x85,0xda,0x7e,0x45,0x24,0xc9,0xba,0x5f,0x0d,0xee,0xea,0x1b,0x54,0x67,0xc6); + chunk_t sig_zero = chunk_from_chars( + 0xb0,0x7e,0x08,0xf4,0xb7,0x02,0xf7,0x91,0x7a,0x81,0x65,0xc3,0x87,0x39,0xe7,0x67, + 0xfa,0x28,0x4d,0xe5,0x65,0xe3,0x95,0x94,0xfd,0x30,0x1d,0x94,0x98,0x81,0xce,0x0c, + 0x0e,0x8d,0x40,0xc1,0x37,0x43,0x9b,0xbd,0x81,0x0e,0x19,0x8c,0xee,0xd8,0xd9,0x7a, + 0x95,0x96,0x76,0x57,0x0b,0x86,0xc5,0x69,0xe9,0x4d,0x9a,0x82,0x80,0xd5,0xf7,0x95, + 0x15,0x7c,0xfc,0x82,0xe6,0x0a,0x1a,0x13,0x84,0xb3,0xbc,0xe6,0xe3,0xc0,0xd4,0x84, + 0xcf,0xd4,0xdd,0xbd,0x5a,0x53,0x49,0x1f,0x72,0x47,0xbf,0x93,0x59,0xf4,0xf2,0xfb, + 0xcf,0xf8,0x42,0xb6,0xdb,0xb4,0xfb,0xea,0xa6,0x2e,0xdc,0xb5,0x3c,0x41,0x73,0xaa, + 0xba,0x0a,0xb3,0x7b,0x23,0x03,0x0a,0x71,0x7f,0x49,0xba,0x17,0xaa,0x35,0x15,0xeb, + 0xd0,0xea,0xae,0xb2,0x7a,0xf2,0xed,0x58,0x74,0xb0,0xe5,0xa8,0x1e,0x59,0x10,0x88, + 0xe6,0xe6,0xf7,0xc6,0x41,0x78,0xf5,0x88,0x35,0x03,0xf9,0x82,0x42,0xb5,0x42,0x43, + 0xc6,0x4f,0xeb,0xbf,0xa0,0x3b,0xef,0x61,0x35,0x80,0x2c,0xcb,0x3f,0x3a,0x3e,0x3d, + 0x7a,0x75,0x5e,0x0b,0xdb,0xc8,0xdf,0xc1,0x2f,0x73,0x55,0xec,0x2b,0x20,0xd0,0xf3, + 0xa3,0x8a,0xaf,0x3a,0xb3,0xe5,0xad,0xa2,0x9c,0x4f,0x6b,0x64,0x6b,0xb0,0x54,0x38, + 0x96,0xaa,0xb6,0x9c,0x8b,0xe9,0x7d,0x41,0xa5,0x0a,0xde,0x24,0x4d,0x5a,0x37,0xe6, + 0xe3,0xbd,0xbb,0x1c,0x00,0x8a,0x22,0xd5,0x51,0x70,0x18,0xaf,0x13,0x05,0x6e,0x32, + 0xf7,0xef,0xc3,0xe5,0x4b,0x6f,0x94,0xa0,0x59,0xa8,0xf8,0x7f,0x42,0x08,0x3b,0x51); + chunk_t sig; + rsa_pss_params_t params = { + .hash = HASH_SHA256, + .mgf1_hash = HASH_SHA256, + .salt = chunk_from_chars(0x01,0x02,0x03,0x04), + }; + + pss_salt_supported = FALSE; + if (!lib->plugins->has_feature(lib->plugins, + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS))) + { + return; + } + /* we should get one of two signatures, either one without a salt or + * one with the configured salt */ + fail_unless(privpss_2048->sign(privpss_2048, SIGN_RSA_EMSA_PSS, + ¶ms, chunk_from_chars(0x04,0x03,0x02,0x01), &sig), + "sign %N", signature_scheme_names, SIGN_RSA_EMSA_PSS); + + if (chunk_equals(sig, sig_salt)) + { /* matches signature with passed salt */ + pss_salt_supported = TRUE; + } + else if (!chunk_equals(sig, sig_zero)) + { /* does not match signature without salt */ + fail("unexpected signature received: %B", &sig); + } + free(sig.ptr); +} + +START_SETUP(setup_keys_pss) +{ + create_key(chunk_from_chars( + 0xc5,0x06,0x2b,0x58,0xd8,0x53,0x9c,0x76,0x5e,0x1e,0x5d,0xba,0xf1,0x4c,0xf7,0x5d, + 0xd5,0x6c,0x2e,0x13,0x10,0x5f,0xec,0xfd,0x1a,0x93,0x0b,0xbb,0x59,0x48,0xff,0x32, + 0x8f,0x12,0x6a,0xbe,0x77,0x93,0x59,0xca,0x59,0xbc,0xa7,0x52,0xc3,0x08,0xd2,0x81, + 0x57,0x3b,0xc6,0x17,0x8b,0x6c,0x0f,0xef,0x7d,0xc4,0x45,0xe4,0xf8,0x26,0x43,0x04, + 0x37,0xb9,0xf9,0xd7,0x90,0x58,0x1d,0xe5,0x74,0x9c,0x2c,0xb9,0xcb,0x26,0xd4,0x2b, + 0x2f,0xee,0x15,0xb6,0xb2,0x6f,0x09,0xc9,0x96,0x70,0x33,0x64,0x23,0xb8,0x6b,0xc5, + 0xbe,0xc7,0x11,0x13,0x15,0x7b,0xe2,0xd9,0x44,0xd7,0xff,0x3e,0xeb,0xff,0xb2,0x84, + 0x13,0x14,0x3e,0xa3,0x67,0x55,0xdb,0x0a,0xe6,0x2f,0xf5,0xb7,0x24,0xee,0xcb,0x3d, + 0x31,0x6b,0x6b,0xac,0x67,0xe8,0x9c,0xac,0xd8,0x17,0x19,0x37,0xe2,0xab,0x19,0xbd, + 0x35,0x3a,0x89,0xac,0xea,0x8c,0x36,0xf8,0x1c,0x89,0xa6,0x20,0xd5,0xfd,0x2e,0xff, + 0xea,0x89,0x66,0x01,0xc7,0xf9,0xda,0xca,0x7f,0x03,0x3f,0x63,0x5a,0x3a,0x94,0x33, + 0x31,0xd1,0xb1,0xb4,0xf5,0x28,0x87,0x90,0xb5,0x3a,0xf3,0x52,0xf1,0x12,0x1c,0xa1, + 0xbe,0xf2,0x05,0xf4,0x0d,0xc0,0x12,0xc4,0x12,0xb4,0x0b,0xdd,0x27,0x58,0x5b,0x94, + 0x64,0x66,0xd7,0x5f,0x7e,0xe0,0xa7,0xf9,0xd5,0x49,0xb4,0xbe,0xce,0x6f,0x43,0xac, + 0x3e,0xe6,0x5f,0xe7,0xfd,0x37,0x12,0x33,0x59,0xd9,0xf1,0xa8,0x50,0xad,0x45,0x0a, + 0xaf,0x5c,0x94,0xeb,0x11,0xde,0xa3,0xfc,0x0f,0xc6,0xe9,0x85,0x6b,0x18,0x05,0xef), + chunk_from_chars( + 0x86,0xc9,0x4f), + chunk_from_chars( + 0x49,0xe5,0x78,0x6b,0xb4,0xd3,0x32,0xf9,0x45,0x86,0x32,0x7b,0xde,0x08,0x88,0x75, + 0x37,0x9b,0x75,0xd1,0x28,0x48,0x8f,0x08,0xe5,0x74,0xab,0x47,0x15,0x30,0x2a,0x87, + 0xee,0xa5,0x2d,0x4c,0x4a,0x23,0xd8,0xb9,0x7a,0xf7,0x94,0x48,0x04,0x33,0x7c,0x5f, + 0x55,0xe1,0x6b,0xa9,0xff,0xaf,0xc0,0xc9,0xfd,0x9b,0x88,0xec,0xa4,0x43,0xf3,0x9b, + 0x79,0x67,0x17,0x0d,0xdb,0x8c,0xe7,0xdd,0xb9,0x3c,0x60,0x87,0xc8,0x06,0x6c,0x4a, + 0x95,0x53,0x8a,0x44,0x1b,0x9d,0xc8,0x0d,0xc9,0xf7,0x81,0x00,0x54,0xfd,0x1e,0x5c, + 0x9d,0x02,0x50,0xc9,0x78,0xbb,0x2d,0x74,0x8a,0xbe,0x1e,0x94,0x65,0xd7,0x1a,0x81, + 0x65,0xd3,0x12,0x6d,0xce,0x5d,0xb2,0xad,0xac,0xc0,0x03,0xe9,0x06,0x2b,0xa3,0x7a, + 0x54,0xb6,0x3e,0x5f,0x49,0xa4,0xea,0xfe,0xbd,0x7e,0x4b,0xf5,0xb0,0xa7,0x96,0xc2, + 0xb3,0xa9,0x50,0xfa,0x09,0xc7,0x98,0xd3,0xfa,0x3e,0x86,0xc4,0xb6,0x2c,0x33,0xba, + 0x93,0x65,0xed,0xa0,0x54,0xe5,0xfe,0x74,0xa4,0x1f,0x21,0xb5,0x95,0x02,0x6a,0xcf, + 0x10,0x93,0xc9,0x0a,0x8c,0x71,0x72,0x2f,0x91,0xaf,0x1e,0xd2,0x9a,0x41,0xa2,0x44, + 0x9a,0x32,0x0f,0xc7,0xba,0x31,0x20,0xe3,0xe8,0xc3,0xe4,0x24,0x0c,0x04,0x92,0x5c, + 0xc6,0x98,0xec,0xd6,0x6c,0x7c,0x90,0x6b,0xdf,0x24,0x0a,0xda,0xd9,0x72,0xb4,0xdf, + 0xf4,0x86,0x9d,0x40,0x0b,0x5d,0x13,0xe3,0x3e,0xeb,0xa3,0x8e,0x07,0x5e,0x87,0x2b, + 0x0e,0xd3,0xe9,0x1c,0xc9,0xc2,0x83,0x86,0x7a,0x4f,0xfc,0x39,0x01,0xd2,0x06,0x9f), + &privpss_2048, &pubpss_2048); + + create_key(chunk_from_chars( + 0xa7,0xa1,0x88,0x2a,0x7f,0xb8,0x96,0x78,0x60,0x34,0xd0,0x7f,0xb1,0xb9,0xf6,0x32, + 0x7c,0x27,0xbd,0xd7,0xce,0x6f,0xe3,0x9c,0x28,0x5a,0xe3,0xb6,0xc3,0x42,0x59,0xad, + 0xc0,0xdc,0x4f,0x7b,0x9c,0x7d,0xec,0x3c,0xa4,0xa2,0x0d,0x34,0x07,0x33,0x9e,0xed, + 0xd7,0xa1,0x2a,0x42,0x1d,0xa1,0x8f,0x59,0x54,0x67,0x3c,0xac,0x2f,0xf0,0x59,0x15, + 0x6e,0xcc,0x73,0xc6,0x86,0x1e,0xc7,0x61,0xe6,0xa0,0xf2,0xa5,0xa0,0x33,0xa6,0x76, + 0x8c,0x6a,0x42,0xd8,0xb4,0x59,0xe1,0xb4,0x93,0x23,0x49,0xe8,0x4e,0xfd,0x92,0xdf, + 0x59,0xb4,0x59,0x35,0xf3,0xd0,0xe3,0x08,0x17,0xc6,0x62,0x01,0xaa,0x99,0xd0,0x7a, + 0xe3,0x6c,0x5d,0x74,0xf4,0x08,0xd6,0x9c,0xc0,0x8f,0x04,0x41,0x51,0xff,0x49,0x60, + 0xe5,0x31,0x36,0x0c,0xb1,0x90,0x77,0x83,0x3a,0xdf,0x7b,0xce,0x77,0xec,0xfa,0xa1, + 0x33,0xc0,0xcc,0xc6,0x3c,0x93,0xb8,0x56,0x81,0x45,0x69,0xe0,0xb9,0x88,0x4e,0xe5, + 0x54,0x06,0x1b,0x9a,0x20,0xab,0x46,0xc3,0x82,0x63,0xc0,0x94,0xda,0xe7,0x91,0xaa, + 0x61,0xa1,0x7f,0x8d,0x16,0xf0,0xe8,0x5b,0x7e,0x5c,0xe3,0xb0,0x67,0xec,0xe8,0x9e, + 0x20,0xbc,0x4e,0x8f,0x1a,0xe8,0x14,0xb2,0x76,0xd2,0x34,0xe0,0x4f,0x4e,0x76,0x6f, + 0x50,0x1d,0xa7,0x4e,0xa7,0xe3,0x81,0x7c,0x24,0xea,0x35,0xd0,0x16,0x67,0x6c,0xec, + 0xe6,0x52,0xb8,0x23,0xb0,0x51,0x62,0x55,0x73,0xca,0x92,0x75,0x7f,0xc7,0x20,0xd2, + 0x54,0xec,0xf1,0xdc,0xbb,0xfd,0x21,0xd9,0x83,0x07,0x56,0x1e,0xca,0xab,0x54,0x54, + 0x80,0xc7,0xc5,0x2a,0xd7,0xe9,0xfa,0x6b,0x59,0x7f,0x5f,0xe5,0x50,0x55,0x9c,0x2f, + 0xe9,0x23,0x20,0x5a,0xc1,0x76,0x1a,0x99,0x73,0x7c,0xa0,0x2d,0x7b,0x19,0x82,0x2e, + 0x00,0x8a,0x89,0x69,0x34,0x9c,0x87,0xfb,0x87,0x4c,0x81,0x62,0x0e,0x38,0xf6,0x13, + 0xc8,0x52,0x1f,0x03,0x81,0xfe,0x5b,0xa5,0x5b,0x74,0x82,0x7d,0xad,0x3e,0x1c,0xf2, + 0xaa,0x29,0xc6,0x93,0x36,0x29,0xf2,0xb2,0x86,0xad,0x11,0xbe,0x88,0xfa,0x64,0x36, + 0xe7,0xe3,0xf6,0x4a,0x75,0xe3,0x59,0x52,0x90,0xdc,0x0d,0x1c,0xd5,0xee,0xe7,0xaa, + 0xac,0x54,0x95,0x9c,0xc5,0x3b,0xd5,0xa9,0x34,0xa3,0x65,0xe7,0x2d,0xd8,0x1a,0x2b, + 0xd4,0xfb,0x9a,0x67,0x82,0x1b,0xff,0xed,0xf2,0xef,0x2b,0xd9,0x49,0x13,0xde,0x8b), + chunk_from_chars( + 0x14,0x15,0xa7), + chunk_from_chars( + 0x07,0x3a,0x5f,0xc4,0xcd,0x64,0x2f,0x61,0x13,0xdf,0xfc,0x4f,0x84,0x03,0x5c,0xee, + 0x3a,0x2b,0x8a,0xcc,0x54,0x97,0x03,0x75,0x1a,0x1d,0x6a,0x5e,0xaa,0x13,0x48,0x72, + 0x29,0xa5,0x8e,0xf7,0xd7,0xa5,0x22,0xbb,0x9f,0x4f,0x25,0x51,0x0f,0x1a,0xa0,0xf7, + 0x4c,0x6a,0x8f,0xc8,0xa5,0xc5,0xbe,0x8b,0x91,0xa6,0x74,0xed,0xe5,0x0e,0x92,0xf7, + 0xe3,0x4a,0x90,0xa3,0xc9,0xda,0x99,0x9f,0xff,0xb1,0xd6,0x95,0xe4,0x58,0x8f,0x45, + 0x12,0x56,0xc1,0x63,0x48,0x4c,0x15,0x13,0x50,0xcb,0x9c,0x78,0x25,0xa7,0xd9,0x10, + 0x84,0x5e,0xe5,0xcf,0x82,0x6f,0xec,0xf9,0xa7,0xc0,0xfb,0xbb,0xba,0x22,0xbb,0x4a, + 0x53,0x1c,0x13,0x1d,0x2e,0x77,0x61,0xba,0x89,0x8f,0x00,0x2e,0xbe,0xf8,0xab,0x87, + 0x21,0x85,0x11,0xf8,0x1d,0x32,0x66,0xe1,0xec,0x07,0xa7,0xca,0x86,0x22,0x51,0x4c, + 0x6d,0xfd,0xc8,0x6c,0x67,0x67,0x9a,0x2c,0x8f,0x5f,0x03,0x1d,0xe9,0xa0,0xc2,0x2b, + 0x5a,0x88,0x06,0x0b,0x46,0xee,0x0c,0x64,0xd3,0xb9,0xaf,0x3c,0x0a,0x37,0x9b,0xcd, + 0x9c,0x6a,0x1b,0x51,0xcf,0x64,0x80,0x45,0x6d,0x3f,0xd6,0xde,0xf9,0x4c,0xd2,0xa6, + 0xc1,0x71,0xdd,0x3f,0x01,0x0e,0x3c,0x9d,0x66,0x2b,0xc8,0x57,0x20,0x82,0x48,0xc9, + 0x4e,0xbc,0xb9,0xfd,0x99,0x7b,0x9f,0xf4,0xa7,0xe5,0xfd,0x95,0x55,0x85,0x69,0x90, + 0x65,0x25,0xe7,0x41,0xd7,0x83,0x44,0xf6,0xf6,0xcf,0xdb,0xd5,0x9d,0x4f,0xaa,0x52, + 0xee,0x3f,0xa9,0x64,0xfb,0x7c,0xcc,0xb2,0xd6,0xbe,0x19,0x35,0xd2,0x11,0xfe,0x14, + 0x98,0x21,0x77,0x16,0x27,0x39,0x39,0xa9,0x46,0x08,0x1f,0xd8,0x50,0x99,0x13,0xfd, + 0x47,0x74,0x7c,0x5c,0x2f,0x03,0xef,0xd4,0xd6,0xfc,0x9c,0x6f,0xcf,0xd8,0x40,0x2e, + 0x9f,0x40,0xa0,0xa5,0xb3,0xde,0x3c,0xa2,0xb3,0xc0,0xfa,0xc9,0x45,0x69,0x38,0xfa, + 0xa6,0xcf,0x2c,0x20,0xe3,0x91,0x2e,0x59,0x81,0xc9,0x87,0x6d,0x8c,0xa1,0xff,0x29, + 0xb8,0x7a,0x15,0xee,0xae,0x0c,0xcc,0xe3,0xf8,0xa8,0xf1,0xe4,0x05,0x09,0x1c,0x08, + 0x3b,0x98,0xbc,0xc5,0xfe,0x0d,0x0d,0xea,0xae,0x33,0xc6,0x7c,0x03,0x94,0x43,0x7f, + 0x0e,0xcc,0xb3,0x85,0xb7,0xef,0xb1,0x7a,0xee,0xbb,0xa8,0xaf,0xae,0xcc,0xa3,0x0a, + 0x2f,0x63,0xea,0xc8,0xf0,0xac,0x8f,0x1e,0xac,0xad,0x85,0xbb,0xca,0xf3,0x96,0x0b), + &privpss_3072, &pubpss_3072); + + pss_salt_test(); +} +END_SETUP + +START_TEARDOWN(teardown_keys_pss) +{ + pubpss_2048->destroy(pubpss_2048); + privpss_2048->destroy(privpss_2048); + pubpss_3072->destroy(pubpss_3072); + privpss_3072->destroy(privpss_3072); +} +END_TEARDOWN + +/** + * SigGen test vectors from FIPS 186-4 (first two for each hash algo) + */ +static struct { + rsa_pss_params_t params; + chunk_t m; + chunk_t s; +} pss_sign_2048[] = { + { + .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, + .salt_len = 20, + .salt = chunk_from_chars( + 0xe1,0x25,0x6f,0xc1,0xee,0xef,0x81,0x77,0x3f,0xdd,0x54,0x65,0x7e,0x40,0x07,0xfd, + 0xe6,0xbc,0xb9,0xb1), + }, + .m = chunk_from_chars( + 0xdf,0xc2,0x26,0x04,0xb9,0x5d,0x15,0x32,0x80,0x59,0x74,0x5c,0x6c,0x98,0xeb,0x9d, + 0xfb,0x34,0x7c,0xf9,0xf1,0x70,0xaf,0xf1,0x9d,0xee,0xec,0x55,0x5f,0x22,0x28,0x5a, + 0x67,0x06,0xc4,0xec,0xbf,0x0f,0xb1,0x45,0x8c,0x60,0xd9,0xbf,0x91,0x3f,0xba,0xe6, + 0xf4,0xc5,0x54,0xd2,0x45,0xd9,0x46,0xb4,0xbc,0x5f,0x34,0xae,0xc2,0xac,0x6b,0xe8, + 0xb3,0x3d,0xc8,0xe0,0xe3,0xa9,0xd6,0x01,0xdf,0xd5,0x36,0x78,0xf5,0x67,0x44,0x43, + 0xf6,0x7d,0xf7,0x8a,0x3a,0x9e,0x09,0x33,0xe5,0xf1,0x58,0xb1,0x69,0xac,0x8d,0x1c, + 0x4c,0xd0,0xfb,0x87,0x2c,0x14,0xca,0x8e,0x00,0x1e,0x54,0x2e,0xa0,0xf9,0xcf,0xda, + 0x88,0xc4,0x2d,0xca,0xd8,0xa7,0x40,0x97,0xa0,0x0c,0x22,0x05,0x5b,0x0b,0xd4,0x1f), + .s = chunk_from_chars( + 0x8b,0x46,0xf2,0xc8,0x89,0xd8,0x19,0xf8,0x60,0xaf,0x0a,0x6c,0x4c,0x88,0x9e,0x4d, + 0x14,0x36,0xc6,0xca,0x17,0x44,0x64,0xd2,0x2a,0xe1,0x1b,0x9c,0xcc,0x26,0x5d,0x74, + 0x3c,0x67,0xe5,0x69,0xac,0xcb,0xc5,0xa8,0x0d,0x4d,0xd5,0xf1,0xbf,0x40,0x39,0xe2, + 0x3d,0xe5,0x2a,0xec,0xe4,0x02,0x91,0xc7,0x5f,0x89,0x36,0xc5,0x8c,0x9a,0x2f,0x77, + 0xa7,0x80,0xbb,0xe7,0xad,0x31,0xeb,0x76,0x74,0x2f,0x7b,0x2b,0x8b,0x14,0xca,0x1a, + 0x71,0x96,0xaf,0x7e,0x67,0x3a,0x3c,0xfc,0x23,0x7d,0x50,0xf6,0x15,0xb7,0x5c,0xf4, + 0xa7,0xea,0x78,0xa9,0x48,0xbe,0xda,0xf9,0x24,0x24,0x94,0xb4,0x1e,0x1d,0xb5,0x1f, + 0x43,0x7f,0x15,0xfd,0x25,0x51,0xbb,0x5d,0x24,0xee,0xfb,0x1c,0x3e,0x60,0xf0,0x36, + 0x94,0xd0,0x03,0x3a,0x1e,0x0a,0x9b,0x9f,0x5e,0x4a,0xb9,0x7d,0x45,0x7d,0xff,0x9b, + 0x9d,0xa5,0x16,0xdc,0x22,0x6d,0x6d,0x65,0x29,0x50,0x03,0x08,0xed,0x74,0xa2,0xe6, + 0xd9,0xf3,0xc1,0x05,0x95,0x78,0x8a,0x52,0xa1,0xbc,0x06,0x64,0xae,0xdf,0x33,0xef, + 0xc8,0xba,0xdd,0x03,0x7e,0xb7,0xb8,0x80,0x77,0x2b,0xdb,0x04,0xa6,0x04,0x6e,0x9e, + 0xde,0xee,0x41,0x97,0xc2,0x55,0x07,0xfb,0x0f,0x11,0xab,0x1c,0x9f,0x63,0xf5,0x3c, + 0x88,0x20,0xea,0x84,0x05,0xcf,0xd7,0x72,0x16,0x92,0x47,0x5b,0x4d,0x72,0x35,0x5f, + 0xa9,0xa3,0x80,0x4f,0x29,0xe6,0xb6,0xa7,0xb0,0x59,0xc4,0x44,0x1d,0x54,0xb2,0x8e, + 0x4e,0xed,0x25,0x29,0xc6,0x10,0x3b,0x54,0x32,0xc7,0x13,0x32,0xce,0x74,0x2b,0xcc), + }, + { + .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, + .salt_len = 20, + .salt = chunk_from_chars( + 0xe1,0x25,0x6f,0xc1,0xee,0xef,0x81,0x77,0x3f,0xdd,0x54,0x65,0x7e,0x40,0x07,0xfd, + 0xe6,0xbc,0xb9,0xb1), + }, + .m = chunk_from_chars( + 0xfd,0x6a,0x06,0x3e,0x61,0xc2,0xb3,0x54,0xfe,0x8c,0xb3,0x7a,0x5f,0x37,0x88,0xb5, + 0xc0,0x1f,0xf1,0x5a,0x72,0x5f,0x6b,0x81,0x81,0xe6,0xf6,0xb7,0x95,0xce,0x1c,0xf3, + 0x16,0xe9,0x30,0xcc,0x93,0x9c,0xd4,0xe8,0x65,0xf0,0xbd,0xb8,0x8f,0xe6,0xbb,0x62, + 0xe9,0x0b,0xf3,0xff,0x7e,0x4d,0x6f,0x07,0x32,0x0d,0xda,0x09,0xa8,0x75,0x84,0xa0, + 0x62,0x0c,0xad,0xa2,0x2a,0x87,0xff,0x9a,0xb1,0xe3,0x5c,0x79,0x77,0xb0,0xda,0x88, + 0xea,0xb0,0x0c,0xa1,0xd2,0xa0,0x84,0x9f,0xec,0x56,0x95,0x13,0xd5,0x0c,0x5e,0x39, + 0x2a,0xfc,0x03,0x2a,0xee,0x2d,0x3e,0x52,0x2c,0x8c,0x17,0x25,0xdd,0x3e,0xef,0x0e, + 0x0b,0x35,0xc3,0xa8,0x37,0x01,0xaf,0x31,0xf9,0xe9,0xb1,0x3c,0xe6,0x3b,0xb0,0xa5), + .s = chunk_from_chars( + 0x49,0x2b,0x6f,0x68,0x84,0xdf,0x46,0x1f,0xe1,0x05,0x16,0xb6,0xb8,0xcc,0x20,0x53, + 0x85,0xc2,0x01,0x08,0xec,0x47,0xd5,0xdb,0x69,0x28,0x3f,0x4a,0x76,0x88,0xe3,0x18, + 0xcf,0xdc,0x3c,0x49,0x1f,0xb2,0x92,0x25,0x32,0x5a,0xeb,0x46,0xef,0xc7,0x5e,0x85, + 0x58,0x40,0x91,0x0b,0xba,0xf0,0xd1,0xc8,0xd4,0x78,0x45,0x42,0xb9,0x70,0x75,0x4a, + 0xaa,0x84,0xbf,0xe4,0x7c,0x77,0xb3,0xa1,0xb5,0x03,0x7d,0x4d,0x79,0x75,0x94,0x71, + 0xe9,0x6c,0xc7,0xa5,0x27,0xa0,0xed,0x06,0x7e,0x21,0x70,0x9e,0xf7,0xf4,0xc4,0x11, + 0x1b,0x60,0xb8,0xc0,0x80,0x82,0xc8,0x18,0x0c,0x7c,0x96,0xb6,0x1c,0x0f,0x71,0x02, + 0xed,0x9b,0x90,0xe2,0x4d,0xe1,0x1e,0x62,0x98,0xbb,0x24,0x45,0x18,0xf9,0xb4,0x46, + 0xce,0x64,0x1f,0xe9,0x95,0xe9,0xcc,0x29,0x9e,0xd4,0x11,0xb6,0x5e,0xb2,0x5e,0xaa, + 0xe9,0xe5,0x53,0x48,0x4a,0x0a,0x7e,0x95,0x6e,0xad,0xf0,0x84,0x08,0x88,0xc7,0x0e, + 0x5c,0xa6,0xeb,0xc3,0xe4,0x79,0xf8,0xc6,0x9c,0x53,0xcf,0x31,0x37,0x0a,0xb3,0x85, + 0xe8,0xb6,0x73,0xdc,0x45,0xa0,0xc1,0x96,0x4e,0xc4,0x94,0x68,0xd1,0x82,0x46,0x21, + 0x3a,0x8f,0x93,0xa2,0xa9,0x6a,0xad,0x5a,0x27,0x01,0xc1,0x91,0xa1,0x4a,0x31,0x51, + 0x9e,0x4f,0x36,0x54,0x4d,0x66,0x87,0x08,0xff,0x37,0xbe,0x54,0x81,0xcb,0x0f,0xfa, + 0x2b,0x0e,0x1f,0x14,0x5e,0x29,0xf8,0x57,0x5d,0xfa,0x9e,0xc3,0x0c,0x6c,0xb4,0x1c, + 0x39,0x34,0x39,0x29,0x22,0x10,0xea,0x80,0x6a,0x50,0x55,0x98,0xeb,0xdf,0x08,0x33), + }, + { + .params = { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA384, + .salt_len = 25, + .salt = chunk_from_chars( + 0xb7,0x50,0x58,0x76,0x71,0xaf,0xd7,0x68,0x86,0xe8,0xff,0xb7,0x86,0x5e,0x78,0xf7, + 0x06,0x64,0x1b,0x2e,0x42,0x51,0xb4,0x87,0x06), + }, + .m = chunk_from_chars( + 0x83,0x3a,0xa2,0xb1,0xdc,0xc7,0x76,0x07,0xa4,0x4e,0x80,0x4e,0xe7,0x7d,0x45,0x40, + 0x85,0x86,0xc5,0x36,0x86,0x1f,0x66,0x48,0xad,0xcd,0x2f,0xb6,0x50,0x63,0x36,0x87, + 0x67,0xc5,0x5c,0x6f,0xe2,0xf2,0x37,0xf6,0x40,0x42,0x50,0xd7,0x5d,0xec,0x8f,0xa6, + 0x8b,0xca,0xf3,0xb6,0xe5,0x61,0x86,0x3a,0xe0,0x1c,0x91,0xaa,0x23,0xd8,0x0c,0x69, + 0x99,0xa5,0x58,0xa4,0xc4,0xcb,0x31,0x7d,0x54,0x0c,0xde,0x69,0xf8,0x29,0xaa,0xd6, + 0x74,0xa8,0x98,0x12,0xf4,0xd3,0x53,0x68,0x9f,0x04,0x64,0x8c,0x70,0x20,0xa7,0x39, + 0x41,0x62,0x00,0x18,0x29,0x5a,0x4a,0xe4,0x08,0x35,0x90,0xcc,0x60,0x3e,0x80,0x18, + 0x67,0xa5,0x1c,0x10,0x5a,0x7f,0xb3,0x19,0x13,0x0f,0x10,0x22,0xde,0x44,0xf1,0x3e), + .s = chunk_from_chars( + 0x2c,0xa3,0x7a,0x3d,0x6a,0xbd,0x28,0xc1,0xea,0xf9,0xbd,0xe5,0xe7,0xac,0x17,0xf1, + 0xfa,0x79,0x9c,0xe1,0xb4,0xb8,0x99,0xd1,0x99,0x85,0xc2,0xff,0x7c,0x8b,0xa9,0x59, + 0xfe,0x54,0xe5,0xaf,0xb8,0xbc,0x40,0x21,0xa1,0xf1,0xc6,0x87,0xee,0xbb,0x8c,0xba, + 0x80,0x0d,0x1c,0x51,0x63,0x6b,0x1f,0x68,0xdc,0x3e,0x48,0xf6,0x3e,0x2d,0xa6,0xbc, + 0x6d,0x09,0xc6,0x66,0x8f,0x68,0xe5,0x08,0xc5,0xd8,0xc1,0x9b,0xef,0x15,0x47,0x59, + 0xe2,0xf8,0x9a,0xde,0x15,0x27,0x17,0x37,0x0a,0x89,0x44,0xf5,0x37,0x57,0x82,0x96, + 0x38,0x0d,0x1f,0xe6,0xbe,0x80,0x9e,0x8b,0x11,0x3d,0x2b,0x9d,0x89,0xe6,0xa4,0x6f, + 0x5c,0x33,0x3d,0x4f,0xd4,0x87,0x70,0xfc,0x1e,0xa1,0xc5,0x48,0x10,0x45,0x75,0xb8, + 0x4c,0xf0,0x71,0x04,0x2b,0xfe,0x5a,0xcf,0x49,0x63,0x92,0xbe,0x83,0x51,0xa4,0x1c, + 0x46,0xa2,0xca,0xb0,0x86,0x4c,0x4c,0x1c,0x5b,0x5e,0x0c,0x7b,0x27,0xe7,0xb8,0x8c, + 0x69,0xf3,0x7f,0xfa,0x7e,0x1a,0x8c,0xd9,0x8f,0x34,0x3a,0xc8,0x4a,0x4a,0xd6,0x70, + 0x25,0xa4,0x0e,0xd8,0xf6,0x64,0xe9,0xd6,0x30,0x33,0x7d,0xe6,0xe4,0x8b,0xb2,0x12, + 0x5e,0x25,0x52,0x12,0x36,0x09,0x49,0x1f,0x18,0x3a,0xfd,0x92,0x63,0x44,0x87,0xf0, + 0xb2,0xcf,0x97,0x1f,0x26,0x26,0xe8,0x88,0x58,0x87,0x9d,0x45,0xa2,0x9b,0x0f,0xef, + 0xb6,0x6c,0xd4,0x1b,0x2e,0x4e,0x96,0x83,0x85,0xbd,0x9f,0xc8,0xc7,0x21,0x19,0x76, + 0xbc,0x6b,0xd3,0xe1,0xad,0x6d,0xf6,0x08,0x56,0x98,0x5a,0x82,0x5f,0x47,0x26,0xd2), + }, + { + .params = { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA384, + .salt_len = 25, + .salt = chunk_from_chars( + 0xb7,0x50,0x58,0x76,0x71,0xaf,0xd7,0x68,0x86,0xe8,0xff,0xb7,0x86,0x5e,0x78,0xf7, + 0x06,0x64,0x1b,0x2e,0x42,0x51,0xb4,0x87,0x06), + }, + .m = chunk_from_chars( + 0x89,0x25,0xb8,0x7e,0x9d,0x1d,0x73,0x9d,0x8f,0x97,0x54,0x50,0xb7,0x9d,0x09,0x19, + 0xdd,0xe6,0x3e,0x8a,0x9e,0xaa,0x1c,0xb5,0x11,0xb4,0x0f,0xe3,0xab,0xb9,0xcd,0x89, + 0x60,0xe8,0x94,0x77,0x0b,0xc2,0xb2,0x53,0x10,0x2c,0x4b,0x46,0x40,0xc3,0x57,0xf5, + 0xfd,0x6f,0xea,0xb3,0x9e,0x3b,0xb8,0xf4,0x15,0x64,0xd8,0x05,0xce,0xaf,0xc8,0xfb, + 0xdb,0x00,0xb2,0xea,0x4f,0x29,0xed,0x57,0xe7,0x00,0xc7,0xef,0xf0,0xb4,0x82,0x79, + 0x64,0x61,0x9c,0x09,0x57,0xe1,0x54,0x76,0x91,0xe6,0x69,0x0f,0x7d,0x45,0x25,0x8a, + 0x42,0x95,0x9a,0x3d,0x2f,0xf9,0x2c,0x91,0x5c,0x3a,0x4f,0xb3,0x8e,0x19,0x92,0x8c, + 0x5c,0xe3,0xdd,0xf4,0x90,0x45,0xf6,0x22,0xd0,0x62,0x4a,0x67,0x7e,0x23,0xeb,0x1d), + .s = chunk_from_chars( + 0x43,0xef,0x93,0xd1,0x4e,0x89,0xb0,0x5d,0x5e,0x0d,0xb2,0xdb,0xd5,0x7a,0x12,0x40, + 0x39,0x10,0x64,0x6b,0x4b,0x0a,0x24,0xd9,0xb8,0x0d,0x94,0x79,0x54,0x59,0x1a,0xfa, + 0x6e,0x98,0x09,0xe9,0x6d,0x7d,0x3e,0x71,0x10,0x03,0xee,0x0a,0x91,0x86,0xab,0x3d, + 0x8e,0x0b,0x4d,0x34,0x25,0xc6,0xda,0x4b,0x5f,0x78,0x99,0x53,0x7e,0x73,0x7b,0x71, + 0xdf,0x9e,0xd6,0x35,0x55,0x29,0xaa,0xce,0x77,0xa7,0xcb,0xa9,0x6b,0x5b,0x0a,0x86, + 0x39,0x92,0x52,0xf1,0x28,0x6a,0x6f,0xca,0xb1,0x80,0xb5,0x98,0x45,0x5d,0xfe,0x1d, + 0xe4,0xb8,0x04,0x70,0xd0,0x63,0x18,0xd5,0xf7,0xa5,0x2e,0x45,0xb6,0xd0,0xbc,0xc0, + 0x0b,0xd3,0x65,0x81,0x9a,0x4a,0x14,0x2b,0x83,0x07,0x27,0x75,0xf4,0x85,0xf6,0x3c, + 0x80,0x04,0xf5,0x33,0x78,0xa9,0xa0,0xd2,0x34,0x5d,0x07,0xb1,0xb3,0x26,0x23,0x8e, + 0xd0,0x70,0xd1,0xe6,0x9f,0xc0,0xb5,0xcf,0x85,0x3a,0x80,0x7c,0xfb,0x72,0x35,0x62, + 0xd1,0xf5,0x68,0x24,0x82,0xe8,0xa4,0x84,0x05,0x88,0xbc,0xc7,0x15,0x4c,0xe0,0x74, + 0x0c,0x76,0x86,0x16,0xcf,0x04,0xd7,0xaa,0x10,0x36,0x42,0x91,0x7e,0xc5,0xb4,0xb5, + 0x14,0xa3,0x73,0x4d,0x9e,0x0c,0x58,0x42,0x7c,0xff,0x42,0xf2,0x7f,0x43,0xfd,0xfc, + 0x85,0x99,0x1e,0x04,0x5a,0xcd,0x17,0xaf,0x6f,0xba,0x7b,0xda,0xb8,0x18,0xe9,0x0e, + 0xb4,0x11,0x76,0x84,0xe8,0x9f,0x91,0x63,0xdf,0xf7,0xb9,0x8b,0x82,0xa0,0x8b,0xaa, + 0x2b,0x49,0xac,0xde,0x48,0x0c,0x57,0x02,0xc3,0x35,0x23,0x7d,0x1b,0xe7,0x71,0xb7), + }, + { + .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, + .salt_len = 30, + .salt = chunk_from_chars( + 0xaa,0x10,0xfe,0xc3,0xf8,0x3b,0x7a,0x97,0xe0,0x92,0x87,0x7a,0x5b,0xf9,0x08,0x12, + 0x83,0xf5,0x02,0xa0,0xa4,0x6b,0x50,0xe3,0x95,0xab,0x98,0x3a,0x49,0xac), + }, + .m = chunk_from_chars( + 0x5f,0x0f,0xe2,0xaf,0xa6,0x1b,0x62,0x8c,0x43,0xea,0x3b,0x6b,0xa6,0x05,0x67,0xb1, + 0xae,0x95,0xf6,0x82,0x07,0x6f,0x01,0xdf,0xb6,0x4d,0xe0,0x11,0xf2,0x5e,0x9c,0x4b, + 0x36,0x02,0xa7,0x8b,0x94,0xce,0xcb,0xc1,0x4c,0xd7,0x61,0x33,0x9d,0x2d,0xc3,0x20, + 0xdb,0xa5,0x04,0xa3,0xc2,0xdc,0xde,0xdb,0x0a,0x78,0xeb,0x49,0x3b,0xb1,0x18,0x79, + 0xc3,0x11,0x58,0xe5,0x46,0x77,0x95,0x16,0x35,0x62,0xec,0x0c,0xa2,0x6c,0x19,0xe0, + 0x53,0x15,0x30,0xa8,0x15,0xc2,0x8f,0x9b,0x52,0x06,0x10,0x76,0xe6,0x1f,0x83,0x1e, + 0x2f,0xc4,0x5b,0x86,0x63,0x1e,0xa7,0xd3,0x27,0x14,0x44,0xbe,0x5d,0xcb,0x51,0x3a, + 0x3d,0x6d,0xe4,0x57,0xa7,0x2a,0xfb,0x67,0xb7,0x7d,0xb6,0x5f,0x9b,0xb1,0xc3,0x80), + .s = chunk_from_chars( + 0x5e,0x07,0x12,0xbb,0x36,0x3e,0x50,0x34,0xef,0x6b,0x23,0xc1,0x19,0xe3,0xb4,0x98, + 0x64,0x44,0x45,0xfa,0xab,0x5a,0x4c,0x0b,0x4e,0x21,0x7e,0x4c,0x83,0x2a,0xb3,0x4c, + 0x14,0x2d,0x7f,0x81,0xdb,0xf8,0xaf,0xfd,0xb2,0xda,0xce,0xfa,0xbb,0x2f,0x83,0x52, + 0x4c,0x5a,0xa8,0x83,0xfc,0x5f,0x06,0xe5,0x28,0xb2,0x32,0xd9,0x0f,0xbe,0xa9,0xca, + 0x08,0xae,0x5a,0xc1,0x80,0xd4,0x77,0xea,0xed,0x27,0xd1,0x37,0xe2,0xb5,0x1b,0xd6, + 0x13,0xb6,0x9c,0x54,0x3d,0x55,0x5b,0xfc,0x7c,0xd8,0x1a,0x4f,0x79,0x57,0x53,0xc8, + 0xc6,0x4c,0x6b,0x5d,0x2a,0xcd,0x9e,0x26,0xd6,0x22,0x5f,0x5b,0x26,0xe4,0xe6,0x6a, + 0x94,0x5f,0xd6,0x47,0x7a,0x27,0x7b,0x58,0x0d,0xbe,0xaa,0x46,0xd0,0xbe,0x49,0x8d, + 0xf9,0xa0,0x93,0x39,0x29,0x26,0xc9,0x05,0x64,0x19,0x45,0xec,0x5b,0x95,0x97,0x52, + 0x5e,0x44,0x9a,0xf3,0x74,0x3f,0x80,0x55,0x47,0x88,0xfc,0x35,0x8b,0xc0,0x40,0x1a, + 0x96,0x8f,0xf9,0x8a,0xaf,0x34,0xe5,0x0b,0x35,0x27,0x51,0xf3,0x22,0x74,0x75,0x0f, + 0xf5,0xc1,0xfb,0xa5,0x03,0x05,0x02,0x04,0xce,0xc9,0xc7,0x7d,0xee,0xde,0x7f,0x8f, + 0xa2,0x08,0x45,0xd9,0x5f,0x51,0x77,0x03,0x0b,0xc9,0x1d,0x51,0xf2,0x6f,0x29,0xd2, + 0xa6,0x5b,0x87,0x0d,0xc7,0x2b,0x81,0xe5,0xef,0x9e,0xee,0xf9,0x90,0xd7,0xc7,0x14, + 0x5b,0xbf,0x1a,0x3b,0xc7,0xae,0xdd,0x19,0xfa,0x7c,0xbb,0x02,0x07,0x56,0x52,0x5f, + 0x18,0x02,0x21,0x6c,0x13,0x29,0x6f,0xd6,0xaa,0xc1,0x1b,0xf2,0xd2,0xd9,0x04,0x94), + }, + { + .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, + .salt_len = 30, + .salt = chunk_from_chars( + 0xaa,0x10,0xfe,0xc3,0xf8,0x3b,0x7a,0x97,0xe0,0x92,0x87,0x7a,0x5b,0xf9,0x08,0x12, + 0x83,0xf5,0x02,0xa0,0xa4,0x6b,0x50,0xe3,0x95,0xab,0x98,0x3a,0x49,0xac), + }, + .m = chunk_from_chars( + 0x9e,0x88,0x0c,0xe5,0x9f,0x54,0x7d,0x59,0x2c,0x30,0x9c,0x22,0xa2,0x97,0x4b,0xa5, + 0xa5,0x2c,0xf1,0xc1,0x64,0xf2,0xd8,0xa8,0x1e,0xbb,0xd4,0xed,0xe6,0xe3,0x26,0xde, + 0xa3,0x3d,0x9f,0x13,0x5a,0x4e,0x09,0x47,0xb0,0xb9,0xc2,0x67,0xaa,0xfb,0xaa,0xe9, + 0xb8,0x58,0x3f,0x5f,0xf2,0x15,0x07,0x4c,0xa1,0xe8,0x2f,0x36,0x01,0xad,0x71,0xfc, + 0x45,0x5a,0x3b,0x6a,0xdc,0x35,0x0d,0x0b,0xf3,0x45,0x22,0x3e,0x3b,0x06,0x54,0x8c, + 0xec,0x61,0x3a,0x39,0x0a,0xda,0x93,0x19,0xe7,0x0c,0xe7,0xa5,0xe9,0x52,0x6b,0x4e, + 0x8d,0xc8,0x26,0x12,0xac,0x72,0x52,0x4c,0xfd,0xba,0x05,0xd0,0xdc,0x20,0x10,0x37, + 0x49,0x2d,0x27,0x78,0x34,0xa8,0x43,0xb9,0xf8,0x0d,0x45,0x64,0x25,0x3b,0xdc,0x7c), + .s = chunk_from_chars( + 0x8c,0x4f,0x81,0x9e,0x68,0x20,0x81,0xbb,0x16,0xdd,0xd4,0x59,0x66,0x2a,0x80,0x78, + 0xbc,0xa4,0x79,0x3e,0x18,0x11,0x00,0x33,0x53,0x94,0x60,0xb4,0x08,0xc0,0xaf,0x74, + 0x7e,0xa5,0xd9,0x41,0xf7,0x12,0x69,0x1f,0x5d,0x9d,0xdb,0x64,0x31,0x66,0xfd,0x96, + 0x5f,0x5b,0x51,0xb8,0x19,0xd5,0x51,0x41,0xd6,0x7c,0x15,0x53,0xb2,0x7a,0x46,0x82, + 0xe6,0x7d,0x55,0x55,0xb6,0x4d,0x7c,0xd3,0xdb,0x7f,0xc5,0xc2,0xe7,0x01,0xdd,0x26, + 0xe4,0x22,0xaf,0x8a,0x1f,0xb5,0x2c,0xd5,0xf5,0xa0,0x9e,0x0d,0x6d,0xb9,0x00,0xa9, + 0x92,0xf3,0x18,0xde,0xeb,0x6f,0x6e,0x39,0xdf,0xd6,0xaf,0x44,0xcb,0x21,0x7c,0x68, + 0x54,0x08,0x9c,0xea,0xa1,0x6e,0x3f,0x9b,0x10,0x0e,0xf8,0xe7,0x8f,0x6b,0x45,0x34, + 0x58,0xb8,0xef,0x6d,0x71,0x49,0x3e,0x7c,0x6e,0x45,0x28,0x2c,0x61,0x7f,0xa8,0x7c, + 0xcd,0xd4,0xa0,0xf2,0xf9,0xf7,0x16,0x62,0x81,0x80,0x6f,0xb4,0x1d,0x0f,0xe1,0x88, + 0xe0,0x0c,0x40,0xaf,0xea,0xa0,0x7d,0x2d,0xa0,0x9a,0x2c,0xd7,0x80,0x52,0xf8,0xd5, + 0x6b,0x7a,0xf4,0x0d,0x4c,0x73,0x14,0xcc,0xf0,0x2e,0x49,0x0d,0x5e,0x21,0x23,0xbf, + 0x67,0x6f,0x2b,0xcb,0xda,0xbe,0xff,0xcf,0x58,0x79,0x29,0x98,0xdd,0x0f,0x67,0xed, + 0x24,0xe4,0x83,0xd8,0x97,0x6b,0x00,0xd6,0x15,0x1a,0x6e,0x0b,0xa7,0x40,0xbd,0xb5, + 0x7c,0x9b,0xc2,0x7f,0xe5,0xdf,0x91,0x26,0xa4,0x70,0x20,0x07,0x5e,0xb2,0x22,0xd5, + 0xca,0x24,0x70,0x72,0x44,0x60,0xc5,0xad,0xf0,0x67,0xb5,0x75,0x02,0x87,0xcd,0x00), + }, +}; + +START_TEST(test_sign_pss_2048) +{ + chunk_t sig; + + if (!lib->plugins->has_feature(lib->plugins, + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PSS)) || + !lib->plugins->has_feature(lib->plugins, + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS))) + { + warn("%N not supported, skip test", signature_scheme_names, + SIGN_RSA_EMSA_PSS); + return; + } + if (!pss_salt_supported) + { + warn("static salt for %N not supported, skip test", + signature_scheme_names, SIGN_RSA_EMSA_PSS); + return; + } + fail_unless(privpss_2048->sign(privpss_2048, SIGN_RSA_EMSA_PSS, + &pss_sign_2048[_i].params, pss_sign_2048[_i].m, &sig), + "sign %N", signature_scheme_names, SIGN_RSA_EMSA_PSS); + ck_assert_chunk_eq(pss_sign_2048[_i].s, sig); + fail_unless(pubpss_2048->verify(pubpss_2048, SIGN_RSA_EMSA_PSS, + &pss_sign_2048[_i].params, pss_sign_2048[_i].m, sig), + "verify %N", signature_scheme_names, SIGN_RSA_EMSA_PSS); + free(sig.ptr); +} +END_TEST + +/** + * SigGen test vectors from FIPS 186-4 (first two for each hash algo) + */ +static struct { + rsa_pss_params_t params; + chunk_t m; + chunk_t s; +} pss_sign_3072[] = { + { + .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, + .salt_len = 32, + .salt = chunk_from_chars( + 0x3e,0x07,0xad,0xe7,0x2a,0x3f,0x52,0x53,0x0f,0x53,0x13,0x5a,0x5d,0x7d,0x93,0x21, + 0x74,0x35,0xba,0x00,0x1e,0xa5,0x5a,0x8f,0x5d,0x5d,0x13,0x04,0x68,0x48,0x74,0xbc), + }, + .m = chunk_from_chars( + 0xc1,0x64,0x99,0x11,0x0e,0xd5,0x77,0x20,0x2a,0xed,0x2d,0x3e,0x4d,0x51,0xde,0xd6, + 0xc6,0x63,0x73,0xfa,0xef,0x65,0x33,0xa8,0x60,0xe1,0x93,0x4c,0x63,0x48,0x4f,0x87, + 0xa8,0xd9,0xb9,0x2f,0x3a,0xc4,0x51,0x97,0xb2,0x90,0x97,0x10,0xab,0xba,0x1d,0xaf, + 0x75,0x9f,0xe0,0x51,0x0e,0x9b,0xd8,0xdd,0x4d,0x73,0xce,0xc9,0x61,0xf0,0x6e,0xe0, + 0x7a,0xcd,0x9d,0x42,0xc6,0xd4,0x0d,0xac,0x9f,0x43,0x0e,0xf9,0x03,0x74,0xa7,0xe9, + 0x44,0xbd,0xe5,0x22,0x00,0x96,0x73,0x74,0x54,0xf9,0x6b,0x61,0x4d,0x0f,0x6c,0xdd, + 0x9f,0x08,0xed,0x52,0x9a,0x4a,0xd0,0xe7,0x59,0xcf,0x3a,0x02,0x3d,0xc8,0xa3,0x0b, + 0x9a,0x87,0x29,0x74,0xaf,0x9b,0x2a,0xf6,0xdc,0x3d,0x11,0x1d,0x0f,0xeb,0x70,0x06), + .s = chunk_from_chars( + 0x43,0x35,0x70,0x7d,0xa7,0x35,0xcf,0xd1,0x04,0x11,0xc9,0xc0,0x48,0xca,0x9b,0x60, + 0xbb,0x46,0xe2,0xfe,0x36,0x1e,0x51,0xfb,0xe3,0x36,0xf9,0x50,0x8d,0xc9,0x45,0xaf, + 0xe0,0x75,0x50,0x3d,0x24,0xf8,0x36,0x61,0x0f,0x21,0x78,0x99,0x6b,0x52,0xc4,0x11, + 0x69,0x30,0x52,0xd5,0xd7,0xae,0xd9,0x76,0x54,0xa4,0x00,0x74,0xed,0x20,0xed,0x66, + 0x89,0xc0,0x50,0x1b,0x7f,0xba,0xc2,0x1d,0xc4,0x6b,0x66,0x5a,0xc0,0x79,0x76,0x00, + 0x86,0x41,0x44,0x06,0xcd,0x66,0xf8,0x53,0x7d,0x1e,0xbf,0x0d,0xce,0x4c,0xf0,0xc9, + 0x8d,0x4c,0x30,0xc7,0x1d,0xa3,0x59,0xe9,0xcd,0x40,0x1f,0xf4,0x97,0x18,0xfd,0xd4, + 0xd0,0xf9,0x9e,0xfe,0x70,0xad,0x8d,0xd8,0xba,0x13,0x04,0xce,0xfb,0x88,0xf2,0x4b, + 0x0e,0xed,0xf7,0x01,0x16,0xda,0x15,0x93,0x2c,0x76,0xf0,0x06,0x95,0x51,0xa2,0x45, + 0xb5,0xfc,0x3b,0x91,0xec,0x10,0x1f,0x1d,0x63,0xb9,0x85,0x3b,0x59,0x8c,0x6f,0xa1, + 0xc1,0xac,0xdb,0xac,0xf9,0x62,0x63,0x56,0xc7,0x60,0x11,0x9b,0xe0,0x95,0x56,0x44, + 0x30,0x18,0x96,0xd9,0xd0,0xd3,0xea,0x5e,0x64,0x43,0xcb,0x72,0xca,0x29,0xf4,0xd4, + 0x52,0x46,0xd1,0x6d,0x74,0xd0,0x05,0x68,0xc2,0x19,0x18,0x2f,0xeb,0x19,0x11,0x79, + 0xe4,0x59,0x3d,0xc1,0x52,0xc6,0x08,0xfd,0x80,0x53,0x63,0x29,0xa5,0x33,0xb3,0xa6, + 0x31,0x56,0x68,0x14,0xcd,0x65,0x4f,0x58,0x7c,0x2d,0x8c,0xe6,0x96,0x08,0x5e,0x6e, + 0xd1,0xb0,0xb0,0x27,0x8e,0x60,0xa0,0x49,0xec,0x7a,0x39,0x9f,0x94,0xfc,0xca,0xe6, + 0x46,0x23,0x71,0xa6,0x96,0x95,0xef,0x52,0x5e,0x00,0x93,0x6f,0xa7,0xd9,0x78,0x1f, + 0x9e,0xe2,0x89,0xd4,0x10,0x5e,0xe8,0x27,0xa2,0x79,0x96,0x58,0x30,0x33,0xce,0xdb, + 0x2f,0x29,0x7e,0x7b,0x49,0x26,0xd9,0x06,0xce,0x0d,0x09,0xd8,0x41,0x28,0x40,0x6a, + 0xb3,0x3d,0x7d,0xa0,0xf8,0xa1,0xd4,0xd2,0xf6,0x66,0x56,0x86,0x86,0xc3,0x94,0xd1, + 0x39,0xb0,0xe5,0xe9,0x93,0x37,0x75,0x8d,0xe8,0x59,0x10,0xa5,0xfa,0x25,0xca,0x2a, + 0xa6,0xd8,0xfb,0x1c,0x77,0x72,0x44,0xe7,0xd9,0x8d,0xe4,0xc7,0x9b,0xbd,0x42,0x6a, + 0x5e,0x6f,0x65,0x7e,0x37,0x47,0x7e,0x01,0x24,0x74,0x32,0xf8,0x37,0x97,0xfb,0xf3, + 0x1b,0x50,0xd0,0x2b,0x83,0xf6,0x9d,0xed,0x26,0xd4,0x94,0x5b,0x2b,0xc3,0xf8,0x6e), + }, + { + .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, + .salt_len = 32, + .salt = chunk_from_chars( + 0x3e,0x07,0xad,0xe7,0x2a,0x3f,0x52,0x53,0x0f,0x53,0x13,0x5a,0x5d,0x7d,0x93,0x21, + 0x74,0x35,0xba,0x00,0x1e,0xa5,0x5a,0x8f,0x5d,0x5d,0x13,0x04,0x68,0x48,0x74,0xbc), + }, + .m = chunk_from_chars( + 0x60,0x40,0x2d,0xed,0x89,0xd0,0x97,0x9a,0xfb,0x49,0xf8,0x50,0x8e,0xb9,0x78,0xa8, + 0x41,0xab,0xc2,0xae,0xc5,0x9c,0xac,0xef,0x40,0xb3,0x1a,0xd3,0x4b,0xac,0x1f,0x2d, + 0x3c,0x16,0x66,0x11,0xab,0xbe,0xd1,0xe6,0x2f,0x6b,0x5f,0xbb,0x69,0xcb,0x53,0xdf, + 0x44,0xae,0x93,0xab,0x7a,0x72,0x4e,0xa3,0x5b,0xbe,0xe1,0xbe,0xca,0x74,0xfc,0x01, + 0x88,0xe0,0x00,0x52,0xb5,0x36,0xac,0x8c,0x93,0x3b,0xf9,0xcf,0x8e,0x42,0x42,0x1a, + 0x79,0x5a,0xa8,0x1b,0x1b,0xc6,0xb5,0x45,0xea,0xad,0x40,0x24,0x16,0x13,0x90,0xed, + 0xc9,0x08,0xc4,0x5a,0xae,0x1f,0x71,0xb4,0xb0,0x22,0x8e,0x31,0x04,0x04,0x8d,0x81, + 0x69,0x17,0xcb,0xa4,0xae,0x7f,0x2a,0xfe,0x75,0xe7,0xfc,0xad,0x38,0x73,0x24,0x1a), + .s = chunk_from_chars( + 0x5f,0x18,0x30,0x09,0x70,0x8b,0x37,0x96,0x37,0xda,0xc2,0xb1,0x42,0x93,0x70,0x9a, + 0xa6,0xd7,0xe8,0x6c,0x26,0x7a,0x0b,0x69,0x0a,0x3c,0x27,0x50,0x31,0x13,0x98,0x91, + 0x26,0x7c,0x64,0xe5,0xed,0xec,0xdf,0xf1,0x4c,0x2c,0xc2,0xf2,0xd9,0x85,0xb6,0x2f, + 0x90,0x0a,0xee,0x6e,0x04,0xca,0x51,0xa7,0x0a,0x5f,0x94,0x64,0x63,0x69,0x1c,0xf1, + 0x6c,0x2d,0x45,0x54,0x7c,0x53,0x74,0xf1,0x5b,0xdb,0x88,0x81,0x64,0x1d,0x30,0x40, + 0xef,0x57,0x80,0x75,0x32,0xcf,0x5b,0x2c,0xed,0x07,0x62,0x3d,0x0f,0x63,0x8b,0x39, + 0xeb,0xc2,0xf2,0xce,0x28,0x3e,0xea,0x22,0x47,0xe1,0xdf,0x3a,0xf5,0x43,0x05,0x54, + 0xd1,0xd4,0xb8,0x8b,0x7b,0x21,0x62,0x29,0x93,0x41,0x99,0x71,0xb7,0xd0,0xd5,0x44, + 0x91,0x22,0xa1,0x0f,0xc3,0x1b,0x2d,0xdc,0xc5,0x3f,0xf7,0x51,0xff,0x4b,0xf4,0xd3, + 0x36,0xfa,0xc6,0x67,0xb6,0x46,0x78,0x02,0x72,0xdb,0x89,0xa3,0xea,0x42,0x26,0xaf, + 0xa2,0x08,0x77,0xbf,0xb8,0x6b,0xa3,0xff,0x42,0x04,0xe5,0xcd,0x56,0xe1,0x3a,0x1d, + 0xc9,0xd5,0x3f,0x5c,0x94,0x65,0xb9,0x7a,0x18,0x2b,0x2b,0xf6,0x71,0x51,0x2e,0xf8, + 0x9e,0x6c,0x39,0x69,0xf9,0x73,0x07,0xa3,0xe4,0xbe,0xba,0x39,0xa7,0x8e,0x0a,0xd1, + 0xbb,0x97,0x99,0xcd,0xa9,0x29,0x76,0xca,0x39,0xd9,0x9d,0xb4,0xac,0x14,0x9c,0x84, + 0xbb,0x9b,0xc8,0x99,0x7e,0x8d,0x5e,0x05,0x6d,0x67,0xca,0x23,0xfe,0x4b,0xe2,0x8e, + 0x66,0xc4,0xbc,0x00,0xa2,0x5d,0x65,0xbb,0x9d,0x7d,0x62,0x3f,0xea,0x2d,0x3b,0x9c, + 0xf8,0x59,0xdf,0xd9,0xef,0xa9,0xe5,0x22,0x68,0xbf,0xa2,0x97,0xaf,0xb1,0xcc,0x28, + 0x83,0xdb,0x0c,0x9c,0x42,0xfc,0x04,0x18,0x0e,0x2e,0xc6,0xf4,0x96,0x57,0xc7,0x00, + 0x8e,0x40,0x25,0x06,0x1f,0x89,0x68,0x86,0x61,0x38,0x95,0xa3,0x5b,0xc2,0xd3,0x65, + 0x5a,0x8f,0x50,0xa9,0xfc,0xa2,0xac,0x64,0x8f,0x35,0x2e,0xb0,0x6b,0xfb,0xa2,0xfc, + 0x34,0x0a,0xae,0xea,0xd4,0xa8,0x45,0x7c,0x65,0xe2,0xe8,0xfd,0xba,0x56,0x8c,0x60, + 0xa6,0xd8,0xd3,0x81,0xf5,0xd9,0xca,0xa3,0x01,0x27,0x77,0x1f,0x4a,0x94,0xfd,0xb8, + 0xcd,0xe7,0xbe,0x4f,0xa7,0xb4,0xf8,0x9f,0xe3,0x79,0xdd,0x3e,0x1c,0xa6,0x6a,0xe1, + 0xfd,0xd6,0x3b,0xeb,0xdc,0x00,0x15,0x44,0x8e,0x61,0xef,0x16,0x66,0x59,0x4b,0x8f), + }, + { + .params = { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA384, + .salt_len = 48, + .salt = chunk_from_chars( + 0x61,0xa7,0x62,0xf8,0x96,0x8d,0x5f,0x36,0x7e,0x2d,0xbc,0xac,0xb4,0x02,0x16,0x53, + 0xdc,0x75,0x43,0x7d,0x90,0x00,0xe3,0x16,0x9d,0x94,0x37,0x29,0x70,0x38,0x37,0xa5, + 0xcb,0xf4,0xde,0x62,0xbd,0xed,0xc9,0x5f,0xd0,0xd1,0x00,0x4e,0x84,0x75,0x14,0x52), + }, + .m = chunk_from_chars( + 0x92,0x21,0xf0,0xfe,0x91,0x15,0x84,0x35,0x54,0xd5,0x68,0x5d,0x9f,0xe6,0x9d,0xc4, + 0x9e,0x95,0xce,0xb5,0x79,0x39,0x86,0xe4,0x28,0xb8,0xa1,0x0b,0x89,0x4c,0x01,0xd6, + 0xaf,0x87,0x82,0xfd,0x7d,0x95,0x2f,0xaf,0x74,0xc2,0xb6,0x37,0xca,0x3b,0x19,0xda, + 0xbc,0x19,0xa7,0xfe,0x25,0x9b,0x2b,0x92,0x4e,0xb3,0x63,0xa9,0x08,0xc5,0xb3,0x68, + 0xf8,0xab,0x1b,0x23,0x33,0xfc,0x67,0xc3,0x0b,0x8e,0xa5,0x6b,0x28,0x39,0xdc,0x5b, + 0xda,0xde,0xfb,0x14,0xad,0xa8,0x10,0xbc,0x3e,0x92,0xba,0xc5,0x4e,0x2a,0xe1,0xca, + 0x15,0x94,0xa4,0xb9,0xd8,0xd1,0x93,0x37,0xbe,0x42,0x1f,0x40,0xe0,0x67,0x4e,0x0e, + 0x9f,0xed,0xb4,0x3d,0x3a,0xe8,0x9e,0x2c,0xa0,0x5d,0x90,0xa6,0x82,0x03,0xf2,0xc2), + .s = chunk_from_chars( + 0x96,0x87,0x11,0x5b,0xe4,0x78,0xe4,0xb6,0x42,0xcd,0x36,0x93,0x92,0xb9,0xdd,0x0f, + 0x35,0x76,0xe7,0x04,0xaf,0x72,0x18,0xb1,0xf9,0x4d,0x7f,0x8f,0xe7,0xf0,0x70,0x73, + 0xe3,0xe8,0xe1,0x18,0x6f,0xa7,0x68,0x97,0x7d,0x6b,0x51,0x4e,0x51,0x34,0x59,0xf2, + 0x37,0x3d,0xf6,0xec,0x52,0xe3,0xde,0x9b,0xd8,0x3f,0xcc,0x5c,0xc3,0xe6,0xb9,0x7f, + 0x8b,0x3f,0xb5,0x34,0x16,0x3c,0x64,0xf5,0x26,0x76,0x20,0x70,0x0e,0x9d,0x8c,0x52, + 0xb3,0xdf,0x61,0xa7,0xc3,0x74,0x8e,0xf1,0x59,0xd6,0xb3,0x90,0x89,0x5a,0xfa,0x3a, + 0xf5,0x91,0x09,0xa5,0x47,0x8d,0x01,0x6d,0x96,0xc4,0x9f,0x68,0xdf,0xc7,0x35,0xba, + 0x2a,0xaf,0xd5,0x01,0x2c,0x13,0x51,0x5e,0xd6,0x64,0x4f,0x0d,0x41,0x09,0xc4,0x55, + 0x56,0xe1,0x4a,0x38,0x21,0xe1,0xaa,0x24,0xbe,0xb8,0xa8,0x1a,0x48,0xda,0x27,0xf1, + 0x31,0xde,0x84,0xf7,0xba,0x51,0x58,0x1d,0x81,0xb8,0xff,0x31,0xba,0x92,0xb8,0xa1, + 0xfd,0xe8,0x67,0xf0,0x7e,0x32,0xe6,0xc2,0x70,0x92,0x53,0x44,0x81,0x74,0xdd,0x31, + 0x32,0x4d,0xbc,0x32,0xb0,0x5f,0x07,0x58,0x7f,0x76,0xa9,0x99,0x7d,0xec,0xb8,0x0f, + 0x38,0xd8,0xc1,0x3d,0x0f,0x6e,0xb3,0xc1,0x0e,0x3d,0x96,0xa2,0x29,0x3f,0x74,0x64, + 0xf1,0xe0,0x46,0x02,0xef,0x6e,0x84,0xc2,0xd0,0x24,0x5d,0x7d,0xb2,0x56,0xa6,0x7d, + 0x13,0x2a,0x47,0xca,0xe9,0xab,0xe0,0x6b,0x61,0xa8,0x96,0x8f,0x50,0xa1,0x74,0x99, + 0x95,0xdc,0x15,0xef,0x0d,0xcb,0x1d,0x5f,0x59,0x59,0xe4,0xd4,0x54,0xc8,0x54,0x7b, + 0xbb,0x4d,0x19,0x56,0x98,0xf4,0x84,0x61,0x7b,0xfd,0x12,0x2a,0xca,0xae,0x2d,0x0e, + 0x8c,0x76,0xd2,0x8b,0x24,0x00,0x5a,0xb0,0x3c,0xaa,0x78,0x1e,0xa9,0x7b,0x1c,0x4d, + 0x93,0x96,0xa1,0x6f,0x79,0x98,0xee,0xe7,0xdd,0xd9,0xde,0x4c,0xab,0xe5,0x70,0x32, + 0xd9,0x43,0x8a,0x5d,0x99,0xc6,0xb3,0x4a,0x95,0x61,0x22,0x35,0x02,0x63,0xc7,0xe9, + 0x98,0xbc,0x61,0xde,0xc9,0x13,0x81,0x01,0x2e,0x68,0x6d,0x07,0x9e,0x39,0xe9,0x6b, + 0x1e,0xa4,0xbf,0xdb,0x7c,0xdf,0x63,0x0d,0xdb,0x42,0x2c,0x6b,0x58,0x0e,0x55,0x06, + 0xc9,0xcc,0x3d,0x6c,0x10,0x0f,0x20,0x41,0xd1,0x7c,0xea,0xaa,0xa5,0x45,0x89,0x24, + 0x9f,0x04,0xa1,0x37,0x0f,0xfa,0x3b,0xf3,0xff,0x1a,0xde,0xb8,0x90,0x68,0x86,0x98), + }, + { + .params = { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA384, + .salt_len = 48, + .salt = chunk_from_chars( + 0x61,0xa7,0x62,0xf8,0x96,0x8d,0x5f,0x36,0x7e,0x2d,0xbc,0xac,0xb4,0x02,0x16,0x53, + 0xdc,0x75,0x43,0x7d,0x90,0x00,0xe3,0x16,0x9d,0x94,0x37,0x29,0x70,0x38,0x37,0xa5, + 0xcb,0xf4,0xde,0x62,0xbd,0xed,0xc9,0x5f,0xd0,0xd1,0x00,0x4e,0x84,0x75,0x14,0x52), + }, + .m = chunk_from_chars( + 0x75,0x2a,0x99,0x16,0xf4,0x49,0xae,0xbf,0x81,0x4c,0xe5,0x9c,0xa6,0xe8,0x2f,0xa8, + 0x03,0x8e,0x46,0x85,0x41,0x92,0x41,0xc1,0x48,0x8c,0x66,0x59,0xb2,0xff,0x3f,0x7b, + 0x7f,0x38,0xf0,0x90,0x0a,0x79,0xc7,0x7a,0x3b,0x57,0x15,0x1a,0xff,0x61,0x3c,0x16, + 0xf5,0x02,0x0a,0xd9,0x6b,0xa9,0x45,0xdb,0x88,0x26,0x87,0x22,0xca,0x58,0x4c,0x09, + 0xb4,0x05,0x4a,0x40,0xc0,0x09,0x01,0x14,0x9b,0xb3,0x92,0xf0,0x91,0x6c,0xd4,0x24, + 0x46,0x99,0xa5,0xe6,0xa8,0xc3,0x7e,0x96,0x21,0xf5,0x4b,0x47,0x11,0x66,0x79,0x7a, + 0x7b,0x58,0x50,0x2c,0xff,0x40,0x83,0x14,0x08,0x27,0x05,0x26,0x46,0x50,0x1f,0x5b, + 0x5f,0x1b,0xc0,0xb4,0xe1,0x29,0x14,0x7d,0x7c,0xc1,0x57,0xcf,0x6e,0x73,0xec,0x58), + .s = chunk_from_chars( + 0x66,0x46,0xa8,0x8e,0xe4,0xb8,0x45,0xda,0x49,0x31,0x27,0x4c,0x23,0x84,0x0d,0xad, + 0xa6,0x14,0x5f,0xe0,0xaf,0x95,0x48,0x29,0xd1,0xd5,0x66,0x61,0x54,0x6a,0x25,0xe4, + 0x63,0x16,0xe2,0x16,0xbb,0x6b,0x94,0x46,0xb3,0x68,0x88,0x4b,0xa1,0x49,0x69,0xa6, + 0xf6,0x8c,0xcb,0xc1,0xcf,0x5b,0x4e,0x7a,0x6d,0x3a,0xab,0xec,0x67,0xf6,0x49,0x63, + 0xf6,0x3b,0x08,0x8f,0xa8,0x17,0xc8,0x55,0xd7,0x76,0xdd,0xca,0xda,0x57,0xe5,0xda, + 0xa5,0x0f,0xc1,0xc8,0x77,0x38,0x9c,0x3c,0xb9,0xd9,0x90,0x95,0xa8,0x69,0xa9,0x63, + 0xbc,0x91,0xec,0x24,0xb2,0x42,0x2e,0xf6,0xb8,0xdd,0x18,0xfd,0x20,0xd2,0xb2,0x15, + 0xfe,0xe6,0xe9,0x8c,0xda,0x41,0x5a,0xe4,0x4d,0x2d,0x26,0x16,0xfe,0x17,0x08,0x29, + 0x2a,0x3e,0xf5,0x0a,0x07,0x51,0x70,0xb3,0xa7,0xeb,0xab,0x02,0x91,0x8a,0xb0,0x30, + 0x17,0x94,0xc1,0x7f,0xb3,0x5e,0x20,0x38,0xf3,0x69,0xd9,0x4d,0xd4,0x95,0x69,0xc0, + 0x66,0xf7,0xc3,0x92,0x88,0x9d,0xc4,0xb8,0x78,0xc5,0x0c,0x7e,0x52,0x58,0x6b,0x50, + 0x81,0x11,0x4d,0x20,0x23,0x38,0xd2,0x33,0x04,0xf1,0x6f,0x91,0x2d,0x51,0x9a,0x9a, + 0xd2,0x1b,0xaf,0xf0,0xe3,0xd2,0x17,0x61,0xf3,0x73,0xd0,0x84,0x21,0xe1,0x01,0x08, + 0xa9,0x83,0x04,0x8f,0xcb,0x90,0xeb,0x2a,0xdc,0x7c,0x7f,0x12,0xff,0xa1,0x57,0x1b, + 0x09,0x1c,0x78,0x1b,0x25,0x5a,0x77,0xa8,0x80,0xe9,0x79,0x75,0xf1,0x4f,0x42,0xba, + 0xf5,0xaa,0x28,0x5e,0xcc,0x14,0x21,0x57,0xc3,0xe1,0xad,0xdd,0x6a,0xa0,0xc0,0x92, + 0x53,0xa1,0x1c,0x59,0x14,0x4a,0xbd,0x3b,0x1e,0x21,0x2d,0x89,0xe2,0x7e,0xd9,0x6f, + 0xb7,0x57,0x56,0xaf,0xc2,0x0e,0xc6,0x74,0x23,0xb1,0x51,0x19,0x4c,0xb0,0xb0,0x64, + 0x8c,0x65,0x99,0x87,0xa5,0x58,0x3c,0xb7,0x75,0x77,0x79,0xd8,0xa3,0x9e,0x20,0x5e, + 0x71,0x01,0xa5,0x35,0x1c,0xe1,0xaf,0x2c,0x9c,0x6b,0x08,0x47,0xcc,0xa5,0x7a,0xf5, + 0x25,0x93,0x32,0x39,0x05,0xe3,0xd2,0x29,0x7c,0x0d,0x54,0x54,0x1a,0x01,0x25,0x62, + 0x16,0x40,0xfe,0x1d,0xee,0xf1,0x3e,0x75,0x9f,0x8f,0x6c,0x56,0xa2,0xec,0x2a,0x94, + 0x83,0x1a,0xc2,0xc6,0x14,0xb9,0x11,0xe7,0x9e,0xdd,0x54,0x2f,0xef,0x65,0x1f,0x5a, + 0x82,0x7f,0x48,0x05,0x75,0xae,0x22,0x0c,0x49,0x5f,0x2a,0x28,0x42,0xf9,0x9e,0xc4), + }, + { + .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, + .salt_len = 62, + .salt = chunk_from_chars( + 0x2d,0x0c,0x49,0xb2,0x07,0x89,0xf3,0x95,0x02,0xee,0xfd,0x09,0x2a,0x2b,0x6a,0x9b, + 0x27,0x57,0xc1,0x45,0x61,0x47,0x56,0x9a,0x68,0x5f,0xca,0x44,0x92,0xa8,0xd5,0xb0, + 0xe6,0x23,0x43,0x08,0x38,0x5d,0x3d,0x62,0x96,0x44,0xca,0x37,0xe3,0x39,0x96,0x16, + 0xc2,0x66,0xf1,0x99,0xb6,0x52,0x1a,0x99,0x87,0xb2,0xbe,0x9e,0xe7,0x83), + }, + .m = chunk_from_chars( + 0x44,0x24,0x0c,0xe5,0x19,0xf0,0x02,0x39,0xbd,0x66,0xba,0x03,0xc8,0x4d,0x31,0x60, + 0xb1,0xce,0x39,0xe3,0x93,0x28,0x66,0xe5,0x31,0xa6,0x2b,0x1c,0x37,0xcf,0x41,0x70, + 0xc3,0xdc,0x48,0x09,0x23,0x6f,0xb1,0xad,0xe1,0x81,0xdb,0x49,0xfc,0x9c,0x7c,0xcd, + 0x79,0x4b,0x43,0x3d,0x1a,0xd0,0xbc,0x05,0x6e,0x14,0x73,0x8e,0x0a,0xe4,0x5c,0x0e, + 0x15,0x59,0x72,0xa4,0x0a,0x98,0x9f,0xa4,0xb9,0xbc,0xdc,0x30,0x8f,0x11,0x99,0x08, + 0x18,0x83,0x5f,0xa2,0xc2,0x56,0xb4,0x7e,0xe4,0x17,0x3f,0xb4,0xfe,0xd2,0x2c,0xcf, + 0x43,0x85,0xd2,0xdd,0x54,0xd5,0x93,0xc7,0x4f,0x00,0x04,0xdf,0x08,0x13,0x4e,0xb8, + 0x96,0x5d,0xd5,0x3a,0x12,0x23,0x17,0xf5,0x9b,0x95,0xd6,0xb6,0x9d,0x01,0x79,0x58), + .s = chunk_from_chars( + 0x8f,0x47,0xab,0xc2,0x32,0x6e,0x22,0xcf,0x62,0x40,0x45,0x08,0xb4,0x42,0xe8,0x1a, + 0xd4,0x5a,0xff,0xf7,0x27,0x40,0x96,0xb9,0xa1,0x3e,0x47,0x8c,0xdd,0x0a,0x72,0xf9, + 0x9a,0x76,0xbf,0x51,0x7f,0x1b,0xb0,0xf8,0x72,0xa5,0x23,0xd8,0xc5,0x88,0xd4,0x40, + 0x25,0x69,0xe9,0x48,0xfd,0x6a,0x10,0x8a,0xe1,0xa4,0x5c,0x65,0x83,0x08,0x28,0xa1, + 0x0e,0x94,0xd4,0x32,0x76,0x53,0x14,0xba,0x82,0xea,0xd3,0x10,0xfc,0x87,0xac,0x99, + 0xa5,0xb3,0x9f,0x30,0xab,0x88,0x20,0xbf,0x69,0xe6,0x93,0x4a,0x9c,0x1c,0x91,0x5c, + 0x19,0xf3,0x6e,0xa7,0x71,0x7e,0xaf,0xf7,0xaf,0x67,0xb4,0x99,0x13,0x15,0xb1,0x87, + 0x3b,0xa9,0x29,0xbe,0xdf,0x18,0xa9,0x75,0xbe,0x80,0x8e,0x7a,0xa1,0x4a,0x67,0x26, + 0x12,0x6c,0x79,0xcc,0x93,0xf6,0x95,0x41,0xc5,0xce,0xfd,0xeb,0x5b,0x67,0xec,0x27, + 0x9d,0x8f,0x5a,0x44,0x65,0x83,0xe4,0xb4,0xfa,0xed,0x16,0x85,0x14,0x0e,0xe4,0xb3, + 0xb7,0x57,0xc8,0xff,0x4a,0x1e,0xf9,0xcd,0x76,0xa8,0x8e,0x05,0x31,0x9e,0xe6,0x20, + 0x03,0xd2,0xd7,0x72,0x90,0xc9,0x4c,0x57,0x9b,0x0c,0xa2,0xab,0x0d,0xeb,0x31,0x76, + 0xef,0x10,0xa3,0xfd,0xb8,0x5c,0x80,0xff,0xbc,0x9e,0x2a,0x66,0x5a,0x23,0x74,0x4f, + 0xc8,0x36,0xf9,0xa9,0xa1,0x03,0xcd,0x9f,0xb7,0x56,0x95,0x23,0x56,0xa2,0xf1,0xac, + 0xdd,0x68,0xa6,0x45,0xe2,0x01,0x79,0x00,0x65,0x58,0xb5,0xd4,0xd0,0xb9,0xb0,0xbd, + 0x3a,0xdf,0x5e,0x29,0x0f,0x49,0xda,0xe6,0x0b,0x9d,0x19,0x92,0x09,0x53,0xea,0x8b, + 0xb2,0x37,0xd5,0xb3,0xdc,0xfe,0x14,0x9a,0x60,0xf1,0x2a,0x4e,0xe3,0xa8,0x89,0xb3, + 0x3b,0xcd,0x3a,0x3b,0x75,0x3d,0x61,0x07,0x57,0xcb,0xcd,0x09,0x3d,0xd5,0xa7,0x34, + 0x25,0x53,0x33,0x68,0x96,0x95,0xab,0x63,0x69,0x63,0xe3,0xd2,0x15,0xa8,0xe7,0x7f, + 0xf3,0x19,0x73,0x71,0x8a,0x49,0x44,0xa1,0xe9,0xe4,0x4f,0x45,0x75,0x4d,0x39,0xf6, + 0xfa,0x43,0x1c,0x53,0xf9,0xa2,0xef,0x36,0xe1,0x6a,0x5f,0x70,0x63,0x6e,0xb5,0xfb, + 0xa5,0x4e,0x15,0xc2,0x0a,0x71,0x4f,0x28,0x09,0xa7,0xcf,0xf4,0xb8,0xdc,0x11,0x65, + 0xf8,0x36,0x60,0x7e,0xb5,0xa5,0xa3,0xbb,0x0c,0x45,0x67,0xee,0xe2,0x69,0x41,0xfe, + 0xf4,0x6f,0xb4,0x1e,0x73,0xb5,0x65,0xc0,0xcf,0x8c,0x72,0xe4,0x04,0x22,0x12,0x64), + }, + { + .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, + .salt_len = 62, + .salt = chunk_from_chars( + 0x2d,0x0c,0x49,0xb2,0x07,0x89,0xf3,0x95,0x02,0xee,0xfd,0x09,0x2a,0x2b,0x6a,0x9b, + 0x27,0x57,0xc1,0x45,0x61,0x47,0x56,0x9a,0x68,0x5f,0xca,0x44,0x92,0xa8,0xd5,0xb0, + 0xe6,0x23,0x43,0x08,0x38,0x5d,0x3d,0x62,0x96,0x44,0xca,0x37,0xe3,0x39,0x96,0x16, + 0xc2,0x66,0xf1,0x99,0xb6,0x52,0x1a,0x99,0x87,0xb2,0xbe,0x9e,0xe7,0x83), + }, + .m = chunk_from_chars( + 0x06,0xd5,0x53,0x4b,0x77,0x69,0x25,0x6e,0x8c,0xf6,0x5c,0x6c,0xe5,0x2a,0x3e,0x86, + 0x96,0x5a,0x1f,0xd1,0x2c,0x75,0x82,0xd2,0xeb,0x36,0x82,0x4a,0x5a,0x9d,0x70,0x53, + 0x02,0x9f,0xbe,0xac,0x72,0x1d,0x1b,0x52,0x86,0x13,0xe0,0x50,0xe9,0x12,0xab,0xd7, + 0xd9,0xf0,0x49,0x91,0x2a,0xbe,0xda,0x33,0x8e,0xfa,0x2f,0x52,0x13,0x06,0x77,0x77, + 0xed,0xd9,0x1b,0x75,0x76,0xf5,0xe6,0xfa,0x73,0x98,0x69,0x65,0x99,0x37,0x9e,0xd7, + 0x50,0x28,0xcb,0x8d,0xb6,0x9f,0xa9,0x6d,0xe7,0xdb,0xc6,0xde,0x7c,0xa1,0x28,0xdd, + 0x51,0xea,0x33,0x4e,0x8c,0xd9,0xcd,0x8f,0xda,0xef,0xbf,0x53,0xfc,0x82,0x5e,0xae, + 0x83,0x6b,0x6c,0x6c,0xd7,0x00,0x39,0xa7,0x7e,0x42,0x0d,0x99,0x9b,0x57,0xca,0xae), + .s = chunk_from_chars( + 0x91,0x3f,0xc1,0x18,0xd5,0xac,0x1e,0xdf,0xfb,0x4b,0x8f,0xcf,0xa4,0xe8,0x59,0x86, + 0xb4,0x62,0x31,0xce,0xf3,0xda,0xd9,0x11,0xd5,0xe9,0x53,0x4c,0xc8,0x82,0x61,0xf6, + 0xb6,0x96,0x9b,0x75,0xa3,0xf2,0x5d,0x83,0xec,0xe7,0xec,0x20,0x34,0xb0,0x1d,0x3b, + 0x2b,0xe6,0xc5,0xbd,0x95,0x8c,0xc4,0xaf,0xcd,0x44,0x83,0x9e,0x39,0x53,0xf0,0x1e, + 0x4a,0x15,0xea,0x5e,0xf6,0xe1,0xb4,0xb0,0xe8,0xae,0x90,0xbd,0xfd,0x40,0x41,0x99, + 0xe8,0xf8,0x65,0x47,0xf6,0x7f,0xf6,0xb8,0x4f,0x21,0x62,0xc4,0x31,0x1c,0xc9,0xee, + 0xe0,0x6b,0xfb,0x2f,0xe4,0x61,0x98,0xaf,0xb9,0x74,0x5d,0x9c,0x44,0x38,0x33,0xbf, + 0x23,0x87,0xeb,0x92,0x40,0x6a,0x63,0x39,0x52,0x13,0x96,0xf2,0xcb,0xda,0x55,0xd9, + 0x8f,0xe6,0x40,0x74,0xd2,0xf2,0xe2,0x7b,0x8b,0xc6,0xa7,0x9b,0xe3,0xd1,0xcc,0x56, + 0x88,0x69,0xb0,0xb5,0x0f,0xcb,0xf7,0x02,0xb0,0x83,0x16,0x68,0xfb,0xfd,0xed,0xc2, + 0xd1,0xb5,0x49,0x1e,0x8e,0xc6,0x23,0xed,0xeb,0x60,0xac,0x87,0x0e,0x6e,0x8d,0x05, + 0x85,0x93,0xfb,0xbc,0x93,0x8f,0xbf,0x74,0x17,0x00,0xef,0xc2,0xb2,0x46,0x7e,0x7e, + 0xb2,0x54,0xae,0x00,0x85,0x09,0xe9,0x16,0x07,0xf8,0xe5,0x0a,0xa1,0x6a,0x4e,0x85, + 0x1a,0xbc,0xa7,0xc8,0xd2,0x0c,0x6f,0xf6,0x1c,0xfe,0xe6,0xc1,0xfb,0x67,0x60,0x98, + 0xe5,0xcd,0xf1,0x27,0xc9,0xb7,0x95,0x38,0xfd,0x1e,0x6c,0x01,0x41,0x61,0x05,0x4c, + 0xaf,0x43,0xb7,0x34,0xfa,0x69,0xfe,0x06,0xa0,0x0d,0x76,0xf7,0x10,0xac,0xc1,0x98, + 0xf3,0xda,0x90,0x6a,0x7d,0x2e,0x73,0xa2,0xca,0x88,0x25,0x26,0xcc,0x35,0x4d,0xd7, + 0x63,0x0a,0x30,0x3d,0x8f,0x32,0xc6,0x55,0xb5,0xb3,0x3c,0xf7,0x88,0x59,0xbe,0xea, + 0xba,0x3f,0x9a,0xe0,0x52,0xc8,0xd7,0x47,0x1c,0xd2,0xbd,0x9e,0xdf,0x42,0xfd,0x8f, + 0x70,0xc3,0xb0,0xaa,0x79,0xc0,0x76,0x92,0x80,0x68,0xca,0x97,0x70,0x95,0x9a,0xfa, + 0x63,0x2c,0xa6,0xaa,0xba,0x66,0x79,0xe4,0x5d,0x68,0x88,0xc5,0x01,0x25,0xa7,0x3b, + 0x9d,0xeb,0x00,0xd4,0x2a,0x12,0x5f,0x25,0xdf,0x54,0x34,0xbe,0xff,0x0d,0x5b,0x0e, + 0xe1,0x3a,0x16,0xb1,0x70,0x45,0xce,0xce,0x0f,0x2d,0xa7,0x57,0x7d,0x79,0xd7,0xcd, + 0x75,0xa4,0xb6,0xc5,0xbc,0x34,0x5f,0x46,0x0a,0x17,0x34,0x87,0xb5,0x1b,0xc6,0xa6), + }, +}; + +START_TEST(test_sign_pss_3072) +{ + chunk_t sig; + + if (!lib->plugins->has_feature(lib->plugins, + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PSS)) || + !lib->plugins->has_feature(lib->plugins, + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS))) + { + warn("%N not supported, skip test", signature_scheme_names, + SIGN_RSA_EMSA_PSS); + return; + } + if (!pss_salt_supported) + { + warn("static salt for %N not supported, skip test", + signature_scheme_names, SIGN_RSA_EMSA_PSS); + return; + } + fail_unless(privpss_3072->sign(privpss_3072, SIGN_RSA_EMSA_PSS, + &pss_sign_3072[_i].params, pss_sign_3072[_i].m, &sig), + "sign %N", signature_scheme_names, SIGN_RSA_EMSA_PSS); + ck_assert_chunk_eq(pss_sign_3072[_i].s, sig); + fail_unless(pubpss_3072->verify(pubpss_3072, SIGN_RSA_EMSA_PSS, + &pss_sign_3072[_i].params, pss_sign_3072[_i].m, sig), + "verify %N", signature_scheme_names, SIGN_RSA_EMSA_PSS); + free(sig.ptr); +} +END_TEST + +/** + * Test vectors from FIPS 186-4 (those with 0 salt are 3072-bit verify vectors) + */ +static struct { + rsa_pss_params_t params; + chunk_t n; + chunk_t d; + chunk_t e; + chunk_t m; + chunk_t s; +} pss_sign_ns[] = { + { + .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, }, + .n = chunk_from_chars( + 0xce,0x49,0x24,0xff,0x47,0x0f,0xb9,0x9d,0x17,0xf6,0x65,0x95,0x56,0x1a,0x74,0xde, + 0xd2,0x20,0x92,0xd1,0xdc,0x27,0x12,0x2a,0xe1,0x5c,0xa8,0xca,0xc4,0xbf,0xae,0x11, + 0xda,0xa9,0xe3,0x7a,0x94,0x14,0x30,0xdd,0x1b,0x81,0xaa,0xf4,0x72,0xf3,0x20,0x83, + 0x5e,0xe2,0xfe,0x74,0x4c,0x83,0xf1,0x32,0x08,0x82,0xa8,0xa0,0x23,0x16,0xce,0xb3, + 0x75,0xf5,0xc4,0x90,0x92,0x32,0xbb,0x2c,0x65,0x20,0xb2,0x49,0xc8,0x8b,0xe4,0xf4, + 0x7b,0x8b,0x86,0xfd,0xd9,0x36,0x78,0xc6,0x9e,0x64,0xf5,0x00,0x89,0xe9,0x07,0xa5, + 0x50,0x4f,0xdd,0x43,0xf0,0xca,0xd2,0x4a,0xaa,0x9e,0x31,0x7e,0xf2,0xec,0xad,0xe3, + 0xb5,0xc1,0xfd,0x31,0xf3,0xc3,0x27,0xd7,0x0a,0x0e,0x2d,0x48,0x67,0xe6,0xfe,0x3f, + 0x26,0x27,0x2e,0x8b,0x6a,0x3c,0xce,0x17,0x84,0x3e,0x35,0x9b,0x82,0xeb,0x7a,0x4c, + 0xad,0x8c,0x42,0x46,0x01,0x79,0xcb,0x6c,0x07,0xfa,0x25,0x2e,0xfa,0xec,0x42,0x8f, + 0xd5,0xca,0xe5,0x20,0x8b,0x29,0x8b,0x25,0x51,0x09,0x02,0x6e,0x21,0x27,0x24,0x24, + 0xec,0x0c,0x52,0xe1,0xe5,0xf7,0x2c,0x5a,0xb0,0x6f,0x5d,0x2a,0x05,0xe7,0x7c,0x19, + 0x3b,0x64,0x7e,0xc9,0x48,0xbb,0x84,0x4e,0x0c,0x2e,0xf1,0x30,0x7f,0x53,0xcb,0x80, + 0x0d,0x4f,0x55,0x52,0x3d,0x86,0x03,0x8b,0xb9,0xe2,0x10,0x99,0xa8,0x61,0xb6,0xb9, + 0xbc,0xc9,0x69,0xe5,0xdd,0xdb,0xdf,0x71,0x71,0xb3,0x7d,0x61,0x63,0x81,0xb7,0x8c, + 0x3b,0x22,0xef,0x66,0x51,0x0b,0x27,0x65,0xd9,0x61,0x75,0x56,0xb1,0x75,0x59,0x98, + 0x79,0xd8,0x55,0x81,0x00,0xad,0x90,0xb8,0x30,0xe8,0x7a,0xd4,0x60,0xa2,0x21,0x08, + 0xba,0xa5,0xed,0x0f,0x2b,0xa9,0xdf,0xc0,0x51,0x67,0xf8,0xab,0x61,0xfc,0x9f,0x8a, + 0xe0,0x16,0x03,0xf9,0xdd,0x5e,0x66,0xce,0x1e,0x64,0x2b,0x60,0x4b,0xca,0x92,0x94, + 0xb5,0x7f,0xb7,0xc0,0xd8,0x3f,0x05,0x4b,0xac,0xf4,0x45,0x4c,0x29,0x8a,0x27,0x2c, + 0x44,0xbc,0x71,0x8f,0x54,0x60,0x5b,0x91,0xe0,0xbf,0xaf,0xd7,0x72,0xae,0xba,0xf3, + 0x82,0x88,0x46,0xc9,0x30,0x18,0xf9,0x8e,0x31,0x57,0x08,0xd5,0x0b,0xe8,0x40,0x1e, + 0xb9,0xa8,0x77,0x8d,0xcb,0xd0,0xd6,0xdb,0x93,0x70,0x86,0x04,0x11,0xb0,0x04,0xcd, + 0x37,0xfb,0xb8,0xb5,0xdf,0x87,0xed,0xee,0x7a,0xae,0x94,0x9f,0xff,0x34,0x60,0x7b), + .d = chunk_from_chars( + 0x25,0x8f,0x08,0x40,0x36,0xb7,0xff,0xda,0x1d,0x0a,0xa0,0x37,0x3a,0x50,0x01,0x1d, + 0xd9,0x76,0xb7,0xfd,0x0e,0xe4,0xb8,0x89,0x65,0x4b,0x04,0x4a,0xb2,0x41,0xfb,0x75, + 0x46,0x75,0x46,0x69,0x09,0x42,0x9b,0x1a,0xcb,0xa9,0xd9,0xc1,0xab,0xf2,0xe9,0xbb, + 0x49,0x4c,0xea,0x81,0xc4,0xba,0x10,0xdc,0xd1,0x03,0x6f,0x36,0xea,0x81,0xdc,0x24, + 0xce,0x98,0x3e,0x3a,0xe7,0xda,0x7c,0xf8,0x10,0xdd,0xc0,0x5c,0x96,0xf9,0xcc,0x3a, + 0x90,0x46,0xfd,0xf5,0x8c,0x99,0x02,0x17,0x2c,0x7e,0x53,0xa1,0xbc,0xed,0x1b,0x78, + 0x84,0xf7,0x28,0x13,0x3b,0xe9,0xb4,0xa9,0x11,0x02,0x3e,0x31,0x59,0xd5,0xf2,0x52, + 0xf4,0x07,0xa8,0x08,0x0c,0x88,0xf1,0x22,0xcf,0x4a,0x9e,0x53,0xf1,0x03,0xae,0xcb, + 0x41,0x2c,0xd4,0x4d,0x9d,0x53,0xc1,0x45,0x75,0x7b,0x14,0xeb,0x85,0xa5,0xb0,0xd7, + 0xf8,0xbe,0x88,0xc5,0x6b,0xb0,0x0e,0x73,0x57,0xd4,0x3d,0x6a,0x82,0x89,0x53,0xf9, + 0x31,0x24,0xd1,0xb3,0x9c,0x0c,0xc1,0x37,0xdf,0xf2,0x97,0x2a,0x40,0x2e,0xbf,0xe2, + 0x9e,0xb6,0x14,0xc6,0x57,0x8e,0x10,0x2c,0x61,0xa6,0x00,0x18,0x33,0x32,0x3d,0x4b, + 0x79,0xbe,0xe1,0x01,0xe7,0x6a,0x9c,0x59,0xa3,0x58,0x47,0x1b,0x62,0x25,0x68,0x85, + 0x84,0xfb,0xdd,0x79,0x0a,0x1e,0x38,0xa6,0x0a,0x5f,0x8b,0xf6,0x47,0xf7,0x37,0x46, + 0x80,0xaa,0x1d,0x6c,0xc0,0x37,0x2f,0xd1,0x2e,0xf2,0x33,0xbf,0x6b,0xf7,0x26,0xfa, + 0x4a,0xf4,0x5e,0x1e,0xad,0x9b,0x58,0xdf,0x08,0xf6,0x2a,0xa7,0x6f,0xe9,0xfd,0x9b, + 0xb1,0xa9,0x75,0xbb,0x1c,0x4d,0xdb,0x9b,0x00,0x54,0x53,0xf9,0x57,0xdf,0xe4,0x14, + 0x8d,0x26,0x44,0xc1,0xc4,0x90,0x87,0x74,0x31,0xb6,0x7e,0x97,0x5c,0x5e,0x02,0xb2, + 0xdc,0x40,0x8d,0xe0,0x9e,0x53,0x1c,0x05,0xc0,0x51,0x73,0x11,0xa5,0xcf,0xeb,0x41, + 0x65,0xb5,0xf4,0x40,0x60,0xbb,0x34,0x33,0xff,0xf6,0xee,0x8f,0x0a,0xd3,0xf5,0x59, + 0xb8,0x45,0x8f,0x20,0xcb,0xdc,0xa8,0x46,0x49,0xf0,0xc8,0xa3,0xb6,0x98,0x9f,0x67, + 0x6b,0xc0,0xfe,0x46,0x91,0x03,0x2d,0x2a,0x08,0x97,0x8f,0x90,0x53,0xab,0xf2,0x1c, + 0x1d,0x08,0x1f,0x8e,0xc3,0x27,0x35,0xdd,0x1f,0xf0,0x40,0x7c,0x33,0x02,0xbf,0x55, + 0xd1,0x67,0x19,0x7d,0xbe,0x92,0xc6,0x78,0x29,0x4d,0x5f,0x1f,0x83,0x2d,0xa5,0xbb), + .e = chunk_from_chars(0x73,0xb1,0x93), + .m = chunk_from_chars( + 0x08,0x97,0xd4,0x0e,0x7c,0x0f,0x2d,0xfc,0x07,0xb0,0xc7,0xfd,0xda,0xf5,0xfd,0x8f, + 0xcc,0x6a,0xf9,0xc1,0xfd,0xc1,0x7b,0xeb,0xb9,0x23,0xd5,0x9c,0x9f,0xc4,0x3b,0xd4, + 0x02,0xba,0x39,0x73,0x8f,0x0f,0x85,0xf2,0x30,0x15,0xf7,0x51,0x31,0xf9,0xd6,0x50, + 0xa2,0x9b,0x55,0xe2,0xfc,0x9d,0x5d,0xdf,0x07,0xbb,0x8d,0xf9,0xfa,0x5a,0x80,0xf1, + 0xe4,0x63,0x4e,0x0b,0x4c,0x51,0x55,0xbf,0x14,0x89,0x39,0xb1,0xa4,0xea,0x29,0xe3, + 0x44,0xa6,0x64,0x29,0xc8,0x50,0xfc,0xde,0x73,0x36,0xda,0xd6,0x16,0xf0,0x03,0x93, + 0x78,0x39,0x1a,0xbc,0xfa,0xfe,0x25,0xca,0x7b,0xb5,0x94,0x05,0x7a,0xf0,0x7f,0xaf, + 0x7a,0x32,0x2f,0x7f,0xab,0x01,0xe0,0x51,0xc6,0x3c,0xc5,0x1b,0x39,0xaf,0x4d,0x23), + .s = chunk_from_chars( + 0x8e,0xbe,0xd0,0x02,0xd4,0xf5,0x4d,0xe5,0x89,0x8a,0x5f,0x2e,0x69,0xd7,0x70,0xed, + 0x5a,0x5c,0xe1,0xd4,0x5a,0xd6,0xdd,0x9c,0xe5,0xf1,0x17,0x9d,0x1c,0x46,0xda,0xa4, + 0xd0,0x39,0x4e,0x21,0xa9,0x9d,0x80,0x33,0x58,0xd9,0xab,0xfd,0x23,0xbb,0x53,0x16, + 0x63,0x94,0xf9,0x97,0xb9,0x09,0xe6,0x75,0x66,0x20,0x66,0x32,0x4c,0xa1,0xf2,0xb7, + 0x31,0xde,0xba,0x17,0x05,0x25,0xc4,0xee,0x8f,0xa7,0x52,0xd2,0xd7,0xf2,0x01,0xb1, + 0x02,0x19,0x48,0x9f,0x57,0x84,0xe3,0x99,0xd9,0x16,0x30,0x2f,0xd4,0xb7,0xad,0xf8, + 0x84,0x90,0xdf,0x87,0x65,0x01,0xc4,0x67,0x42,0xa9,0x3c,0xfb,0x3a,0xaa,0xb9,0x60, + 0x2e,0x65,0xd7,0xe6,0x0d,0x7c,0x4c,0xea,0xdb,0x7e,0xb6,0x7e,0x42,0x1d,0x18,0x03, + 0x23,0xa6,0xd3,0x8f,0x38,0xb9,0xf9,0x99,0x21,0x3e,0xbf,0xcc,0xc7,0xe0,0x4f,0x06, + 0x0f,0xbd,0xb7,0xc2,0x10,0x20,0x65,0x22,0xb4,0x94,0xe1,0x99,0xe9,0x8c,0x6c,0x24, + 0xe4,0x57,0xf8,0x69,0x66,0x44,0xfd,0xca,0xeb,0xc1,0xb9,0x03,0x1c,0x81,0x83,0x22, + 0xc2,0x9d,0x13,0x5e,0x11,0x72,0xfa,0x0f,0xdf,0x7b,0xe1,0x00,0x7d,0xab,0xca,0xab, + 0x49,0x66,0x33,0x2e,0x7e,0xa1,0x45,0x6b,0x6c,0xe8,0x79,0xcd,0x91,0x0c,0x91,0x10, + 0x10,0x4f,0xc7,0xd3,0xdc,0xab,0x07,0x6f,0x2b,0xd1,0x82,0xbb,0x83,0x27,0xa8,0x63, + 0x25,0x45,0x70,0xcd,0xf2,0xab,0x38,0xe0,0xcd,0xa3,0x17,0x79,0xde,0xaa,0xd6,0x16, + 0xe3,0x43,0x7e,0xd6,0x59,0xd7,0x4e,0x5a,0x4e,0x04,0x5a,0x70,0x13,0x38,0x90,0xb8, + 0x1b,0xc4,0xf2,0x4a,0xb6,0xda,0x67,0xa2,0xee,0x0c,0xe1,0x5b,0xab,0xa3,0x37,0xd0, + 0x91,0xcb,0x5a,0x1c,0x44,0xda,0x69,0x0f,0x81,0x14,0x5b,0x02,0x52,0xa6,0x54,0x9b, + 0xbb,0x20,0xcd,0x5c,0xc4,0x7a,0xfe,0xc7,0x55,0xeb,0x37,0xfe,0xd5,0x5a,0x9a,0x33, + 0xd3,0x65,0x57,0x42,0x45,0x03,0xd8,0x05,0xa0,0xa1,0x20,0xb7,0x69,0x41,0xf4,0x15, + 0x0d,0x89,0x34,0x2d,0x7a,0x7f,0xa3,0xa2,0xb0,0x8c,0x51,0x5e,0x6f,0x68,0x42,0x9c, + 0xf7,0xaf,0xd1,0xa3,0xfc,0xe0,0xf4,0x28,0x35,0x1a,0x6f,0x9e,0xda,0x3a,0xb2,0x4a, + 0x7e,0xf5,0x91,0x99,0x4c,0x21,0xfb,0xf1,0x00,0x1f,0x99,0x23,0x9e,0x88,0x34,0x0f, + 0x9b,0x35,0x9e,0xc7,0x2e,0x8a,0x21,0x2a,0x19,0x20,0xe6,0xcf,0x99,0x3f,0xf8,0x48), + }, + { + .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, }, + .n = chunk_from_chars( + 0x9c,0x21,0x3e,0xa3,0x73,0x63,0x1f,0x57,0x2e,0x5e,0x46,0x22,0x5b,0x95,0xa0,0xf5, + 0xea,0x8a,0xb0,0xa5,0xec,0x70,0x90,0xa3,0xb0,0x18,0x1c,0x59,0x06,0xdc,0x22,0xfd, + 0x1b,0xd7,0x3d,0x11,0x47,0x12,0x42,0xa2,0xed,0x18,0x24,0xe6,0x01,0x01,0x7f,0x5b, + 0x53,0x54,0xb9,0x2f,0xdb,0x43,0xd4,0xda,0x00,0xa8,0x24,0x27,0xd0,0x53,0x66,0xa4, + 0xd5,0x52,0xc4,0x0d,0x69,0xd2,0x00,0x48,0x5d,0x5d,0x5d,0xb8,0x3c,0xf5,0x23,0xe6, + 0x1a,0x83,0x4b,0x40,0xcc,0xd4,0x01,0x08,0x7f,0xbb,0x93,0xd8,0x1d,0xbe,0xd7,0xb2, + 0xee,0x23,0x81,0xa1,0x24,0x1a,0xc6,0x8f,0x2a,0xfc,0x02,0x15,0x7e,0xe0,0xc7,0x3c, + 0xc6,0x6c,0x02,0xa6,0xc6,0xeb,0x2d,0xc3,0x51,0x45,0xae,0x55,0xd7,0x70,0x84,0x12, + 0xa3,0x41,0x0f,0x20,0x4c,0x49,0x23,0x76,0xd6,0x31,0x5c,0xed,0xf2,0x53,0xaf,0x91, + 0xf3,0x1d,0xca,0xb3,0x4f,0x72,0xc2,0x06,0xad,0x81,0xe8,0x00,0x50,0x98,0x64,0xfe, + 0x92,0x55,0xd0,0x46,0xac,0x25,0xdb,0xdf,0x49,0x54,0xd2,0x35,0x03,0x24,0x72,0x2e, + 0x73,0xc1,0xf2,0x5d,0x08,0x9f,0x87,0x54,0x2a,0xd9,0x07,0xfb,0x37,0xec,0xea,0xef, + 0xb3,0x30,0xf4,0x32,0x5e,0x97,0xf5,0xea,0xbc,0x04,0x09,0x6a,0x8f,0xab,0xba,0x97, + 0x85,0x89,0xe3,0x55,0x44,0x5d,0x95,0x43,0x27,0x4c,0x1c,0x38,0xff,0x84,0x9b,0xa8, + 0xc2,0x91,0x1f,0x07,0x03,0x06,0x34,0xc1,0x32,0xcc,0xaf,0x4e,0x4f,0x57,0xa5,0xad, + 0x92,0x44,0xf5,0xdf,0x0e,0xe2,0x5a,0xf8,0xef,0x2f,0xc7,0xb2,0x9f,0xdf,0x7c,0xc1, + 0x84,0x04,0xe2,0x0e,0xfa,0xaf,0xfa,0x45,0x1e,0xc4,0x1a,0xb8,0x38,0xd5,0x94,0x90, + 0x6f,0xf2,0xca,0xd5,0x2d,0xcb,0xd0,0xe9,0xa6,0x8e,0xf7,0xb0,0x6c,0x25,0x37,0x10, + 0xe1,0x31,0x8d,0x09,0xad,0x07,0x01,0x27,0x67,0xa8,0x91,0x24,0x17,0x7d,0xf5,0x0d, + 0x16,0x84,0x67,0x9e,0x14,0x30,0x68,0x89,0xd9,0xa7,0xac,0x51,0x43,0xd4,0x86,0x1b, + 0x7d,0x6a,0xe7,0x79,0x92,0xef,0xa7,0x3e,0x0a,0xba,0x9d,0xa0,0xad,0x9a,0x68,0x88, + 0xbc,0x80,0x4d,0xbd,0x07,0xbc,0x26,0xa8,0xa5,0xdf,0xbd,0x29,0x2a,0x0e,0xfa,0x96, + 0x86,0x7f,0xdb,0x92,0xe8,0x45,0xc3,0x6e,0x34,0x33,0xcf,0x29,0x2e,0x0e,0x31,0x66, + 0x24,0x80,0x25,0x7f,0xcf,0x46,0x6f,0x7f,0x65,0xd8,0x14,0xbb,0x3e,0x33,0x99,0x2f), + .d = chunk_from_chars( + 0x3e,0xac,0x18,0x66,0xe2,0x35,0xd6,0x4b,0x9a,0x04,0xd7,0x3c,0x3f,0x49,0x70,0x7f, + 0x53,0x06,0xef,0x23,0x6f,0xcd,0xdb,0x7d,0xec,0x19,0x14,0x8a,0x4b,0xf3,0x48,0x28, + 0xc2,0x9b,0xc5,0x0e,0x75,0xa0,0xdc,0x38,0xd2,0x67,0x1b,0x50,0x28,0x59,0x61,0x8b, + 0xf3,0xf7,0xe5,0xf8,0x71,0x30,0x5a,0xd1,0xdf,0x49,0x72,0x75,0xb6,0x2d,0x36,0x03, + 0x1d,0xf6,0xc9,0x5c,0x9b,0x9d,0x68,0x73,0xa4,0x20,0x66,0x40,0x48,0x26,0x40,0x78, + 0x80,0x19,0x4c,0x61,0x13,0x2c,0x03,0x3c,0x76,0xac,0x16,0x9a,0xd4,0x01,0xcb,0x6e, + 0xd7,0x16,0xe7,0x02,0xbb,0xe3,0x16,0x11,0x72,0x9f,0x3a,0xca,0x1f,0x54,0x38,0xc6, + 0xb7,0x25,0xd9,0x01,0x17,0xca,0x53,0xe2,0x59,0xce,0x65,0xad,0x2f,0xbc,0x8a,0x1a, + 0x30,0xfa,0xa6,0x06,0xc3,0xb9,0x7f,0x1a,0xba,0xc5,0xa9,0x01,0x0f,0xa0,0x78,0x8e, + 0x9d,0x74,0x04,0xfd,0xcf,0xdc,0x55,0xf9,0xec,0x8e,0x91,0xaa,0x5f,0xdd,0x54,0xec, + 0x93,0x25,0xf0,0x21,0x48,0xc7,0xc5,0xdb,0x18,0xfe,0x52,0xed,0x62,0x75,0x8f,0xcd, + 0xb9,0x63,0x72,0x69,0x3f,0x99,0x8b,0x53,0x46,0x5a,0x97,0xca,0xcb,0x3b,0xbd,0x4d, + 0x0b,0xc3,0xd8,0x73,0x16,0x18,0xa2,0x78,0xe8,0x42,0x26,0x0e,0xaa,0xe8,0xdf,0x65, + 0xbe,0x8b,0xb9,0xf6,0xf0,0x85,0x22,0x0a,0x06,0x2a,0x11,0x77,0xf1,0x09,0x2a,0x9e, + 0xbd,0x46,0x71,0x35,0x0f,0xb0,0x5d,0x0c,0x89,0x3c,0x07,0xd8,0x36,0xe3,0x7e,0x73, + 0xc0,0x92,0xac,0x42,0x6e,0x63,0x0e,0x9b,0x6c,0xde,0xf3,0x6d,0x32,0x6c,0xd3,0x0e, + 0x5e,0xd8,0xff,0x37,0xce,0xd3,0x5c,0x4a,0xc4,0x7c,0xf0,0x12,0x61,0x61,0x6e,0xdd, + 0xb1,0x91,0x95,0x7e,0xaa,0x38,0xb2,0x60,0x0e,0x08,0xe7,0x84,0xb2,0x18,0x92,0x48, + 0xcf,0x40,0xf9,0xde,0xe6,0x5f,0x06,0x6a,0x8f,0x1e,0xe1,0x02,0x8d,0xe6,0x01,0xb6, + 0xbc,0x29,0x91,0x5b,0x9c,0xba,0xee,0xc2,0xdc,0x4f,0xe7,0xb1,0x3b,0x84,0x0c,0xf7, + 0x9a,0x4d,0x93,0xb0,0xc9,0xf4,0x7b,0x64,0x47,0xc3,0xf1,0xf8,0x32,0xdc,0x8c,0xf7, + 0xe5,0xf9,0x8f,0x68,0xf9,0x7c,0xc5,0xd9,0x93,0x46,0xb1,0x24,0x23,0x52,0xf7,0x4d, + 0x94,0xa7,0x27,0xa5,0x30,0x3b,0x99,0x67,0x0b,0xb8,0x34,0x19,0x25,0x5a,0xc5,0x12, + 0x70,0xbb,0xe5,0xd8,0x13,0x28,0x40,0x26,0x14,0xba,0xe1,0xc8,0x23,0x64,0x08,0xd9), + .e = chunk_from_chars(0xef,0xab,0xb9), + .m = chunk_from_chars( + 0x3a,0xbd,0x43,0xf1,0xd7,0x41,0xdd,0xf0,0xb7,0x52,0xdd,0x94,0x19,0x7a,0xb6,0x56, + 0x28,0x8f,0xf4,0x65,0xe5,0xdb,0xcc,0xec,0x61,0x79,0xf8,0x93,0x2f,0x02,0xc2,0x48, + 0x19,0x6a,0x5e,0x3f,0x12,0x24,0x7c,0x37,0x6c,0x8d,0x1e,0x00,0x4b,0x87,0xa7,0x3a, + 0x5a,0x64,0x35,0x5f,0xbc,0x07,0x31,0x04,0x46,0x45,0x25,0x5b,0xeb,0x91,0xcd,0xfd, + 0x77,0xd9,0x70,0xe6,0x81,0xab,0x70,0xc1,0x9a,0x9c,0x21,0x67,0xcb,0xea,0xd7,0xa2, + 0x3f,0x60,0x43,0x36,0x3c,0x7a,0xff,0x22,0x58,0xca,0x67,0x23,0xe9,0x9a,0xab,0x7a, + 0xbd,0xd3,0x22,0xef,0x0b,0x1e,0xe1,0x16,0xaa,0x48,0x8d,0xd1,0x81,0xeb,0x6d,0x16, + 0x3f,0x4b,0xc3,0xf2,0x4c,0x7e,0x5d,0xce,0xff,0xd0,0x67,0xf2,0x11,0x65,0x83,0x47), + .s = chunk_from_chars( + 0x47,0x40,0x11,0x5f,0x25,0x1b,0x35,0xcf,0xe1,0x9d,0x38,0x16,0xcc,0x1f,0xbf,0x02, + 0xb9,0xa4,0xd9,0x47,0x0d,0xc6,0x2b,0x41,0xcd,0xb7,0x22,0x84,0xc3,0x0f,0xff,0xd3, + 0x4e,0x70,0x57,0x55,0x9a,0x73,0xb4,0x4a,0xc4,0x9f,0xa7,0x28,0x5f,0x3e,0x9a,0x68, + 0x0b,0xf1,0x94,0x95,0x62,0xa4,0x7f,0x01,0xbf,0xc5,0x5e,0xb7,0xbd,0xa9,0xe2,0x91, + 0xc9,0xa5,0xce,0x1a,0x5d,0x7b,0x61,0x95,0x90,0xc0,0xe1,0xbd,0x36,0x94,0x3f,0xa4, + 0x1b,0x9c,0xc9,0xb2,0xa3,0xa7,0x42,0xc2,0x94,0x2c,0x53,0xec,0x3e,0x45,0xc7,0x71, + 0x76,0xe4,0xbf,0x32,0xb7,0x10,0x1a,0xb4,0xb0,0x5a,0x99,0x6a,0x21,0xfe,0x12,0x92, + 0x18,0x41,0xf8,0xf0,0xfa,0xd1,0xe7,0x1b,0xde,0xff,0x5a,0x7f,0x53,0xe8,0x76,0x63, + 0x67,0x31,0x1a,0x98,0xb9,0xd8,0x61,0x8a,0x61,0x98,0xaa,0x16,0x62,0xe5,0x87,0x33, + 0x2c,0x24,0x28,0x3f,0x9e,0xcf,0x2b,0xb2,0xd8,0x25,0xf5,0x97,0xd1,0x82,0x56,0xce, + 0x9c,0x58,0x64,0xf1,0xff,0xca,0x37,0xc4,0xec,0x8d,0xf4,0xf9,0x45,0xcf,0x22,0xc9, + 0x74,0xf5,0xef,0x3d,0xbb,0x9f,0x17,0x0b,0x39,0x78,0xbd,0xdc,0xc9,0x1b,0x13,0xb9, + 0xe8,0x55,0x0b,0xfc,0xdb,0x74,0xac,0x73,0x49,0xd5,0x31,0xe1,0xe3,0x28,0x0f,0xc0, + 0x05,0xac,0x34,0xc0,0x36,0x08,0x99,0x3b,0x78,0x76,0xca,0xf2,0x7c,0x8b,0xd5,0xa9, + 0x73,0x06,0x29,0x20,0x82,0xf7,0x7d,0x91,0x44,0x00,0x5b,0xcd,0x10,0x46,0xf2,0x73, + 0x03,0x18,0x5b,0x6a,0x7c,0xac,0x53,0x9f,0x1e,0x05,0x80,0x5e,0xe8,0xd0,0x77,0x2f, + 0x37,0xac,0xc3,0xe7,0xfa,0x09,0x20,0x17,0x1c,0x19,0xec,0x92,0x66,0xc4,0xdd,0x6d, + 0x9e,0x51,0x76,0x6c,0x44,0x33,0xa2,0x83,0x1c,0x3e,0x5f,0xb7,0xd8,0x43,0x41,0x62, + 0x4e,0xa9,0xa2,0x5e,0x1a,0x2e,0xb2,0x7e,0xf2,0xc7,0xe8,0xde,0x49,0x1d,0x94,0xd8, + 0xa8,0xa3,0x19,0x19,0xbd,0xd7,0xcd,0xf6,0x07,0x3a,0x1d,0x88,0xf4,0x52,0xff,0x8d, + 0x15,0xe5,0x7c,0xf6,0x50,0x4a,0x81,0x84,0x3c,0x24,0x35,0x1c,0x61,0xa3,0x73,0xb7, + 0x3a,0xcd,0x84,0xc7,0x6d,0xe9,0x16,0xf2,0x90,0xe0,0xe9,0xbd,0xf5,0x1d,0x8f,0xfa, + 0x63,0xf8,0x67,0xaf,0x58,0x7b,0x5c,0x75,0x91,0x11,0x67,0x10,0x79,0xea,0x28,0x84, + 0x64,0x66,0xcc,0x33,0xdf,0x76,0x83,0x63,0x9d,0x01,0x83,0x37,0xeb,0xe1,0x3c,0xb8), + }, + { + .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, }, + .n = chunk_from_chars( + 0xcd,0x61,0x41,0xe4,0xc8,0xdc,0x69,0x97,0xfc,0x65,0x30,0x0a,0x6e,0x2c,0x74,0x6f, + 0x39,0x10,0x22,0xf1,0x56,0x61,0x23,0x1a,0x83,0x2b,0xe9,0x66,0xaa,0x49,0x8e,0x67, + 0x87,0x77,0x76,0x69,0x44,0xdb,0x54,0xa5,0x99,0xcd,0x6d,0xdb,0xda,0xf7,0x53,0x3f, + 0x42,0x9e,0x6e,0x11,0x97,0xb7,0xeb,0x06,0x19,0x13,0xf5,0x0b,0x09,0xbe,0x04,0xab, + 0x70,0xb1,0xb7,0x02,0xfc,0xe9,0xad,0xa2,0x79,0xea,0x80,0x89,0x67,0x7a,0x37,0x70, + 0x1e,0x64,0x19,0x0f,0x24,0x3d,0xfa,0xbe,0x7c,0xc2,0x54,0xf0,0x8a,0x61,0x43,0xc9, + 0xc5,0x89,0xac,0x4a,0x90,0x88,0x1c,0x0d,0x2b,0x62,0xe9,0x80,0x13,0xe9,0x2d,0x04, + 0x9e,0xe9,0xca,0x11,0xa4,0x25,0xad,0x45,0x0e,0xc5,0xa6,0x99,0xae,0x17,0x67,0x2d, + 0x86,0xef,0xde,0x3f,0xbc,0x81,0x20,0x3f,0x2b,0x50,0x0e,0xf4,0x17,0x46,0xb9,0xe9, + 0xaf,0x26,0x42,0xb3,0x0c,0xbf,0x75,0xe7,0x88,0x9e,0x50,0x08,0x36,0xd6,0xdd,0x32, + 0xbc,0xc5,0xd8,0xb6,0x90,0x21,0xb7,0x64,0xa5,0x91,0xd6,0x85,0x07,0x76,0xcd,0xdf, + 0x0b,0x72,0x40,0xc7,0x5d,0xda,0x9e,0x2d,0x19,0x7f,0x2c,0xd9,0xc6,0x78,0x7b,0x16, + 0x44,0x5b,0x55,0xea,0xec,0xcd,0xfd,0xd1,0x7f,0xb7,0x2d,0x7f,0xe5,0x18,0x9a,0xa1, + 0xa2,0xa6,0xad,0x06,0xb4,0xf2,0xbf,0xc8,0xf6,0xc9,0x1c,0x3a,0x2a,0x80,0xa8,0x3a, + 0x31,0x13,0xe0,0xb4,0x20,0xb7,0x06,0x54,0xd6,0xa5,0x07,0x5d,0x38,0xd9,0xa1,0x2d, + 0x1e,0x0f,0xdd,0xd2,0xcb,0x23,0xb7,0xf3,0xef,0x94,0x99,0x91,0xbf,0x49,0x04,0x8d, + 0xc4,0x00,0x20,0xdc,0xf0,0x42,0xca,0xf0,0x08,0x83,0x36,0x35,0x91,0xdd,0x6a,0x90, + 0x78,0x9a,0xc2,0x12,0xa0,0xce,0xd9,0x5f,0xb4,0x0b,0xca,0xda,0xac,0x2c,0x97,0xee, + 0x7f,0xf3,0x02,0xc3,0x7c,0xf2,0xaa,0x72,0x98,0x31,0x1d,0xb8,0x5a,0x2d,0x4d,0x1b, + 0x9f,0x03,0x70,0x23,0xc2,0x1b,0xf2,0xe9,0xb9,0xab,0xec,0xc7,0x80,0xa7,0x0c,0xf2, + 0xa5,0x40,0x02,0x63,0x42,0x72,0xd7,0xdc,0xf2,0x5e,0xe4,0xc7,0xdb,0xb0,0x44,0x37, + 0xf3,0x0f,0x50,0xbd,0xcf,0x49,0x62,0xd4,0x32,0x48,0x4a,0x5d,0xab,0x7b,0x60,0xb3, + 0x1d,0x80,0x25,0xb9,0x84,0xc8,0x21,0xfa,0xdb,0xf2,0xb6,0x23,0xf2,0xf9,0x2a,0x65, + 0x31,0xdc,0xe1,0x1a,0x1f,0x25,0x2e,0x60,0x30,0x16,0x07,0x8f,0x39,0x86,0xe0,0x81), + .d = chunk_from_chars( + 0x1c,0xc4,0x40,0x8e,0x92,0xd1,0xae,0xd2,0x2f,0x6c,0x04,0x3d,0x82,0x14,0x03,0x04, + 0xe7,0x82,0x5e,0x74,0xeb,0xaa,0x10,0x40,0x8d,0x33,0x95,0x46,0x30,0xb6,0x3b,0x02, + 0x3a,0xc2,0x13,0x6e,0xaf,0x45,0x16,0xd7,0x3a,0xe5,0x4f,0x7f,0xf6,0xf8,0xeb,0x34, + 0x1f,0x1d,0x39,0xae,0xd5,0xc9,0x8d,0x92,0xf1,0x85,0x8a,0xe4,0x11,0xb9,0xe0,0xe2, + 0x06,0xe0,0xe2,0xb2,0x25,0x19,0xbc,0x20,0xd3,0x04,0xbc,0xb4,0x7d,0x81,0xc4,0xf4, + 0x9e,0x59,0x9b,0x86,0x95,0x26,0xb7,0x58,0x88,0xb0,0x2f,0x29,0xdc,0x59,0x58,0xe8, + 0x21,0x6f,0x6a,0xe4,0x75,0xbf,0xf7,0x15,0xa7,0x41,0x63,0x32,0x04,0xbf,0xed,0x27, + 0xbd,0xc6,0x25,0x22,0x60,0x99,0x9f,0xf1,0x77,0xf1,0xa4,0xf7,0xa0,0x60,0x57,0x18, + 0xe9,0xad,0x45,0xb8,0x99,0x2b,0x59,0x46,0x6c,0x11,0xb4,0xda,0x7e,0x0e,0x1a,0x97, + 0x4c,0x28,0xc0,0xe1,0x54,0xe0,0x78,0x68,0xa0,0x1e,0x3f,0xa7,0x4e,0x6c,0xde,0x47, + 0x95,0x26,0xc4,0x6b,0x73,0x18,0xed,0x5f,0x12,0xe7,0xa2,0x27,0x01,0xf7,0x39,0xa3, + 0x10,0xec,0xcd,0x59,0x94,0xd4,0xbc,0x7f,0x8d,0xf6,0xe1,0x5e,0x3b,0x84,0xe1,0x83, + 0x93,0x64,0x62,0x32,0xfe,0x6e,0xc4,0x8b,0xe9,0xed,0x26,0xca,0xb8,0x74,0x96,0x00, + 0x9d,0x25,0xa5,0xbb,0x3c,0xdd,0xbd,0x32,0xb1,0xda,0x3f,0x07,0x03,0x8f,0xfc,0x78, + 0x14,0xdf,0x10,0x33,0xff,0xda,0x30,0xab,0x05,0xf0,0x75,0x5e,0x33,0x00,0x22,0xc9, + 0xcb,0x6b,0x78,0xdf,0xb4,0x75,0x02,0xb6,0x29,0xeb,0x4b,0xad,0xaf,0xf3,0x44,0x25, + 0x96,0x28,0x9f,0xa3,0x29,0xd5,0x08,0x7b,0xf7,0x0f,0x53,0x4f,0x50,0xff,0xa6,0x5e, + 0xeb,0x64,0x14,0x1d,0x0d,0xb4,0x31,0xa4,0x15,0x9d,0x39,0x0f,0x82,0x33,0x98,0x12, + 0x71,0xf4,0x8c,0x66,0x6c,0x50,0xab,0x7f,0xa4,0xf1,0xe7,0xe3,0x96,0x34,0x71,0x84, + 0xe1,0xd9,0x77,0xa0,0x8d,0xae,0xb2,0xfa,0xbe,0x8d,0xca,0x0c,0x2f,0xb9,0x41,0xd3, + 0xe5,0x39,0x8a,0x0d,0x1d,0xb9,0x18,0xee,0x59,0x3c,0x4b,0x4d,0xc9,0x67,0x13,0x1a, + 0x4b,0xc1,0x80,0x80,0xad,0x57,0xa9,0x42,0x8e,0x72,0x69,0x1b,0x0d,0xd6,0xb1,0xd5, + 0x66,0xe0,0x2a,0xd4,0x5f,0x30,0x8b,0xe8,0xbc,0x37,0xf3,0xfe,0xd6,0xc8,0x8d,0x28, + 0x38,0x56,0x67,0x33,0x57,0x04,0xa4,0xa5,0x50,0xf8,0x70,0xea,0x59,0xca,0x18,0x4f), + .e = chunk_from_chars(0x2c,0xc9,0x2f), + .m = chunk_from_chars( + 0xd1,0xac,0xd4,0xa6,0x03,0x5f,0x23,0xbf,0xe6,0x70,0x06,0x13,0x2a,0x1c,0xd4,0x74, + 0xef,0x58,0xc0,0x11,0x36,0x70,0xf5,0x3c,0x95,0xee,0xe5,0x70,0x30,0xbd,0xdd,0x92, + 0xe4,0x8e,0xdd,0x77,0xc5,0x7b,0xa8,0xa7,0xcb,0xea,0x17,0x60,0xc8,0xb5,0xb2,0xde, + 0x9d,0x88,0x81,0xda,0xae,0x8a,0x20,0x51,0x93,0x3f,0x12,0x86,0x11,0xad,0x57,0x4a, + 0x48,0xbd,0x41,0x7b,0x2d,0xe5,0x83,0xcb,0x3b,0x04,0x8b,0xc2,0x66,0x8d,0x12,0x07, + 0x51,0xe8,0xf1,0xdb,0xc0,0x15,0x36,0xe6,0x50,0x93,0x77,0x36,0x66,0x80,0x66,0x85, + 0x65,0x01,0xa6,0xba,0x24,0xe4,0xdd,0xb3,0x9f,0x84,0x0b,0x42,0xec,0xed,0x1a,0x75, + 0x71,0x41,0xb6,0x1b,0x55,0x5b,0x5e,0x83,0x34,0xb1,0xbb,0x87,0x17,0x7f,0x31,0xc9), + .s = chunk_from_chars( + 0x55,0x61,0x3f,0x64,0x33,0x1a,0xbd,0x97,0x1e,0x82,0x2c,0xc3,0xd9,0x72,0xf6,0x7e, + 0x78,0x2b,0x6a,0xf8,0x1a,0xac,0x0b,0x80,0xe2,0xf6,0x32,0x4d,0xa6,0xd9,0xf3,0x3c, + 0x46,0xf8,0xb7,0xe2,0x4c,0x94,0xde,0xee,0x7e,0x98,0x52,0x5a,0xaf,0x4c,0xa6,0x84, + 0x37,0x53,0xdf,0x3d,0x44,0x4e,0x1e,0x05,0x40,0xf9,0xc1,0x96,0xff,0xbb,0xcb,0x4f, + 0xca,0x7a,0xad,0x4b,0xa9,0x42,0x88,0xf9,0x11,0x65,0x0e,0x3c,0xaf,0x6d,0xd2,0x2f, + 0x87,0x92,0x3f,0xa4,0xb1,0x2e,0x2d,0x6b,0x11,0x5f,0x2f,0xe7,0x73,0xaf,0x25,0x63, + 0xcc,0x76,0x0d,0xe8,0x8c,0xfa,0x6e,0x16,0x87,0x8d,0xd9,0xc0,0x7f,0x0d,0x45,0xb1, + 0x0a,0x22,0x4d,0x1a,0x7e,0xe1,0xd2,0x6f,0xfa,0xdf,0xd3,0x8b,0x78,0x00,0x4a,0x20, + 0x45,0xb3,0x5d,0x9c,0xb9,0xfc,0xcd,0xc7,0x15,0x66,0x8a,0x74,0x01,0xdb,0x7a,0xde, + 0xf1,0x09,0xeb,0xca,0xaf,0xc5,0x26,0x9d,0x37,0x7c,0x1e,0x8f,0x7d,0x42,0x92,0x45, + 0x9c,0x80,0x1a,0x93,0xc4,0xd0,0x7e,0xf4,0x77,0xf8,0x71,0x75,0xaa,0x35,0xe0,0x02, + 0xa0,0x3c,0x20,0x51,0x98,0x5f,0xcb,0x69,0x63,0xe9,0xbf,0x96,0xe2,0x8e,0x55,0xeb, + 0x52,0xa3,0x55,0x44,0x75,0xf9,0x09,0x5f,0x24,0xa9,0xe4,0x22,0xfa,0x84,0xb6,0x05, + 0x90,0xe8,0xb8,0xd6,0xec,0x91,0xdc,0xf6,0xa5,0x84,0xcc,0x8a,0x93,0x4e,0x55,0x1b, + 0xef,0xee,0xdc,0x0f,0x0f,0x48,0xda,0xdf,0x29,0x3f,0x0f,0x92,0x60,0xee,0x22,0xd7, + 0x2e,0xa4,0x6e,0x27,0x10,0x45,0xb6,0x65,0x16,0xb2,0xbe,0xbe,0xed,0x52,0x72,0x2a, + 0xec,0x5f,0x08,0x40,0x85,0xf8,0xfa,0xa6,0x89,0x30,0x8b,0xc1,0x3f,0xa5,0xb9,0xe5, + 0xb0,0xaa,0xdf,0x27,0x66,0x25,0x8e,0x01,0xd4,0xb8,0xdd,0xbe,0x0d,0x32,0x8a,0xa1, + 0x12,0x23,0x7e,0xc1,0x0b,0x11,0x5b,0xe8,0x3f,0xae,0x8a,0x01,0x13,0xf8,0x89,0x0e, + 0xda,0xb7,0x9d,0x04,0x63,0xc9,0xec,0x6e,0x2d,0xb4,0x50,0x46,0x93,0x53,0x5d,0xcf, + 0x76,0x95,0xf8,0x44,0x25,0xe9,0xf7,0xb7,0x3e,0x4f,0x18,0xbc,0x07,0x2f,0x51,0x31, + 0x98,0x9b,0x0c,0xdb,0x07,0xf4,0x96,0xf1,0x5e,0x56,0x2d,0x07,0xf0,0x71,0x1c,0xf9, + 0x79,0xf1,0xaa,0x4d,0x14,0x0d,0x97,0x83,0xef,0xd6,0xf9,0x6c,0x41,0xfe,0x5f,0xb7, + 0x9e,0x5d,0x5d,0x68,0x9d,0xd5,0xa7,0x05,0xf1,0xff,0x83,0x77,0x54,0x03,0x1a,0x39), + }, + { + .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, }, + .n = chunk_from_chars( + 0x99,0xa5,0xc8,0xd0,0x94,0xa5,0xf9,0x17,0x03,0x46,0x67,0xa0,0x40,0x8b,0x7e,0xcf, + 0xca,0xac,0xc3,0xf9,0x78,0x44,0x44,0xe2,0x17,0x73,0xc3,0x46,0x1e,0xc3,0x55,0xf0, + 0xd0,0xf5,0x2a,0x5d,0xb0,0x56,0x8a,0x71,0xd3,0x88,0x69,0x67,0x88,0xef,0x66,0xae, + 0x73,0x40,0xc6,0xb2,0x8d,0xbf,0x92,0x5f,0xe8,0x35,0x57,0x98,0x65,0x75,0xf7,0x9c, + 0xca,0x69,0x21,0x72,0x21,0x39,0x7e,0xd5,0x80,0x8a,0x26,0xf7,0xe7,0xe7,0x14,0xc9, + 0x32,0x35,0xf9,0x14,0xd4,0x5c,0x4a,0x9a,0xf4,0x61,0x9b,0x20,0xf5,0x11,0xad,0x64, + 0x4b,0xd3,0x41,0x2d,0xfd,0xf0,0xff,0x71,0x7f,0x7a,0xac,0x74,0x6f,0x31,0x0b,0xfa, + 0x9a,0x14,0x1a,0xc3,0xdb,0xf0,0x1c,0x1f,0xc7,0x4f,0xeb,0xd1,0x97,0x93,0x84,0x19, + 0xc2,0x62,0x29,0x35,0x05,0xc3,0x5f,0x40,0x2f,0x90,0x53,0xad,0x13,0xc5,0x1a,0x59, + 0x60,0xec,0xde,0x55,0xec,0x82,0x9e,0x95,0x3f,0x94,0x1a,0xf7,0x33,0xe5,0x87,0x05, + 0x91,0x37,0x67,0xe7,0xa7,0x20,0x0d,0x1d,0x09,0xe7,0xe7,0xe2,0xd2,0x69,0xfa,0x29, + 0xa5,0x58,0xbb,0x16,0x30,0x4b,0x05,0x9f,0x13,0xf4,0xca,0x56,0x0a,0x81,0x01,0xfe, + 0x37,0x20,0xb4,0xa7,0x79,0xec,0x12,0x64,0x27,0x32,0x6c,0xaa,0x13,0x2a,0x3d,0x36, + 0x11,0xd7,0xdb,0xc5,0x03,0x36,0xfa,0xc7,0x89,0xec,0x40,0x6b,0x39,0x7e,0x1e,0x36, + 0xd7,0xda,0xf9,0xb6,0x24,0xbf,0x63,0x9c,0x82,0xb8,0x59,0x28,0x87,0x47,0x69,0x0c, + 0x73,0x0c,0x98,0x0b,0x2f,0x5a,0x23,0x9d,0xd9,0x5a,0xd5,0x38,0x9a,0x2e,0xc9,0x0c, + 0x57,0x78,0x60,0x47,0x13,0x71,0x03,0x83,0xae,0x55,0xd4,0xd2,0x8c,0x06,0xd4,0xac, + 0x26,0xf0,0xd1,0x23,0x1f,0x1d,0x67,0x62,0xc8,0xe0,0xd9,0x18,0x11,0x81,0x56,0xbc, + 0x63,0x77,0x60,0xda,0xea,0x18,0x47,0x46,0xb8,0xdc,0xf6,0xf6,0x1d,0xb2,0x74,0xa7, + 0xdd,0xce,0xaa,0x07,0x49,0x37,0xab,0xab,0xad,0x45,0x49,0xb9,0x7a,0xb9,0x92,0x49, + 0x4a,0x80,0x72,0x08,0xab,0xd7,0x89,0x82,0x3f,0x5d,0x75,0xc4,0xb9,0x94,0x08,0x9c, + 0x80,0x72,0xcf,0xc2,0x54,0xe0,0xd8,0x20,0x2f,0xd8,0x96,0x47,0x6e,0x96,0xad,0x9d, + 0x30,0x9a,0x0e,0x8e,0x73,0x01,0x28,0x2f,0x07,0xeb,0x2a,0xe8,0xed,0xef,0xb7,0xdb, + 0xbe,0x13,0xb9,0x6e,0x8b,0x40,0x24,0xc6,0xb8,0x4d,0xe0,0xa0,0x5e,0x15,0x02,0x85), + .d = chunk_from_chars( + 0x03,0xb1,0x90,0x5b,0x88,0x3e,0xa9,0xd3,0x2a,0x37,0x96,0x4c,0xf2,0xb3,0x19,0x9c, + 0xb1,0xee,0x5f,0x61,0x1f,0xf2,0xaa,0x16,0x32,0x69,0x94,0x2b,0x35,0x43,0x6a,0x4a, + 0x70,0x8e,0x73,0x71,0x85,0x7b,0x60,0x3f,0xe8,0x4e,0x43,0x7f,0xea,0x0f,0xb9,0xc1, + 0x9c,0xb0,0x9b,0x3c,0x39,0xac,0x82,0xfa,0xf7,0x3f,0x12,0x0a,0xb2,0xdd,0x49,0x57, + 0x0e,0xd9,0xc4,0x3c,0x70,0xf4,0x30,0x20,0x4f,0x77,0x74,0x3b,0x29,0x51,0x23,0x21, + 0x8a,0x5b,0x12,0x83,0xda,0xdf,0x93,0xcf,0xe3,0x73,0x75,0x00,0x0f,0xbe,0x64,0xa5, + 0x3f,0xa4,0xe4,0x0f,0x9a,0x8e,0x40,0x37,0x3f,0x75,0x92,0x35,0x66,0x5a,0xb1,0xf8, + 0x4d,0xd2,0xc8,0xa8,0x0a,0x8c,0x18,0x30,0xe7,0xd6,0x82,0xbd,0xba,0xbc,0xed,0xf3, + 0x22,0xe6,0xc7,0x87,0xcd,0x20,0x84,0xab,0x75,0x27,0x04,0x0e,0x78,0x5a,0x8e,0xf8, + 0x62,0xe0,0x25,0x66,0x99,0x5e,0x3a,0x3c,0x1d,0xb9,0xff,0x04,0x60,0xee,0xdf,0x80, + 0x78,0x39,0xb8,0x01,0x70,0xfd,0x4f,0xcb,0xd0,0x85,0x04,0x24,0x90,0x7d,0x8f,0x28, + 0x65,0x2c,0xb7,0xe9,0xd3,0x7e,0x1b,0xda,0x2e,0xad,0xb8,0x89,0xe5,0x55,0x0f,0x3c, + 0x49,0x01,0xdb,0x4d,0xb5,0x77,0x5d,0xd9,0xd1,0xe8,0x63,0xda,0xc1,0xe5,0xd9,0x47, + 0xef,0x0b,0x7b,0xcf,0x74,0x6c,0xbf,0xd3,0xe6,0x00,0x0f,0x40,0x92,0xb0,0xb1,0xee, + 0xa7,0x3d,0x15,0x43,0x11,0xb5,0x1b,0xde,0x7e,0x4d,0xff,0x4a,0x5f,0xcd,0x89,0xb8, + 0x28,0x53,0x45,0x65,0x4c,0x4f,0xc6,0x97,0x53,0x4c,0x79,0x41,0x35,0xfd,0x85,0xe8, + 0x73,0x65,0x6e,0xfe,0x2d,0x90,0x28,0xc7,0x36,0xb4,0x6c,0x59,0x1f,0x4d,0x5b,0xa1, + 0x3b,0x44,0xba,0xce,0x0b,0x39,0x7c,0xc1,0x7f,0x5d,0x77,0x93,0x95,0x05,0x9c,0x59, + 0xd3,0x64,0x52,0x93,0xab,0x0d,0x63,0xca,0xe4,0x39,0x20,0x23,0x61,0x9e,0xc5,0x7d, + 0xc4,0x33,0x93,0x23,0x94,0xa9,0xf5,0x9a,0x69,0x0c,0x0d,0xd1,0xe1,0x1c,0xf0,0x92, + 0xba,0x54,0x1c,0x55,0xf3,0xfa,0x89,0x24,0xd2,0x55,0xa1,0x68,0xc3,0xad,0x26,0xe6, + 0xb4,0xe5,0xe0,0x50,0x02,0x6f,0x65,0x0a,0x2a,0xcb,0xb1,0xee,0xc5,0x74,0xcc,0x8b, + 0x14,0x47,0x0b,0x7d,0x3b,0x12,0x2b,0x00,0x95,0x72,0x0f,0x97,0xc6,0x17,0x5c,0x53, + 0xe7,0x60,0x36,0xd5,0xe9,0xb6,0xa2,0xaa,0xba,0x76,0x31,0xab,0x3b,0x7b,0x8a,0xe9), + .e = chunk_from_chars(0x08,0xa6,0x49), + .m = chunk_from_chars( + 0xcc,0x21,0x59,0x3a,0x6a,0x0f,0x73,0x7e,0x29,0x70,0xb7,0xc0,0x79,0x84,0xb0,0x70, + 0xd7,0x61,0x72,0x62,0x96,0xa0,0x7e,0x24,0xe0,0x56,0xe6,0x8f,0xf8,0x46,0xb2,0x9c, + 0xc1,0x54,0x81,0x79,0x84,0x3d,0x74,0xdc,0xee,0x86,0x47,0x98,0x58,0xb2,0xc1,0x6e, + 0x4c,0xb8,0x4f,0x25,0x44,0xb4,0xec,0xdc,0xb4,0xdd,0x43,0xa0,0x4b,0xb7,0x18,0x3a, + 0x76,0x8a,0xe4,0x4a,0x27,0x12,0xbf,0x9a,0xd4,0x78,0x83,0xac,0xc2,0x81,0x2f,0x95, + 0x83,0x06,0x89,0x0e,0xbe,0xa4,0x08,0xc9,0x2e,0xb4,0xf0,0x01,0xed,0x7d,0xbf,0x55, + 0xf3,0xa9,0xc8,0xd6,0xd9,0xf6,0x1e,0x5f,0xe3,0x2e,0xb3,0x25,0x3e,0x59,0xc1,0x8e, + 0x86,0x31,0x69,0x47,0x8c,0xd6,0x9b,0x91,0x55,0xc3,0x35,0xdb,0x66,0x01,0x6f,0x96), + .s = chunk_from_chars( + 0x0a,0xa5,0x72,0xa6,0x84,0x5b,0x87,0x0b,0x89,0x09,0xa6,0x83,0xbb,0x7e,0x6e,0x76, + 0x16,0xf7,0x7b,0xef,0xf2,0x87,0x46,0x11,0x6d,0x8b,0xc4,0xb7,0x33,0x55,0x46,0xb5, + 0x1e,0x80,0x06,0xed,0x0f,0xc9,0xa0,0xd6,0x6f,0x63,0xce,0x0b,0x9e,0xbf,0x79,0x2d, + 0x7e,0xfd,0x43,0x05,0xd7,0x62,0x4d,0x54,0x54,0x00,0xa5,0xfd,0x6a,0x06,0xb7,0x8f, + 0x17,0x4b,0x86,0x80,0x3f,0x7c,0xd1,0xcc,0x93,0xe3,0xa9,0x72,0x86,0xf0,0xea,0x59, + 0x0e,0x40,0xff,0x26,0x19,0x5a,0xa2,0x19,0xfe,0x15,0x10,0xa0,0x16,0x78,0x52,0x23, + 0x60,0x6d,0x93,0x11,0xa1,0x6c,0x59,0xa8,0xfe,0x4a,0x6d,0xa6,0xec,0xd0,0xc1,0xd7, + 0x77,0x50,0x39,0x29,0x0c,0x2a,0xaa,0x17,0xed,0x1e,0xb1,0xb5,0x43,0x74,0xf7,0xe5, + 0x72,0xdb,0x13,0xcc,0xa3,0xa6,0x38,0x57,0x5f,0x80,0x04,0xaa,0x54,0xa2,0xfa,0x98, + 0x42,0x2f,0xc0,0x7e,0x43,0xad,0x3a,0x20,0xdd,0x93,0x00,0x14,0x93,0x44,0x26,0x77, + 0xd8,0x83,0x91,0x4d,0xc7,0x4e,0xc1,0xcb,0xeb,0xbb,0xd3,0xd2,0xb6,0xba,0xd4,0x66, + 0x6d,0x91,0x45,0x7b,0x69,0xb4,0x6a,0x1a,0x61,0xf2,0x12,0x98,0xf1,0xa6,0x79,0x42, + 0xec,0x86,0xc8,0x76,0x32,0x2d,0xd3,0x66,0xed,0x16,0x78,0x14,0xe9,0xc8,0xfc,0x90, + 0x40,0xc5,0xb4,0xb7,0xa8,0x59,0xbb,0xd8,0x80,0xcb,0x6b,0xc2,0x41,0xb9,0xe3,0x27, + 0xce,0x77,0x9e,0x07,0x83,0xb1,0xcf,0x44,0x5e,0x0b,0x2f,0x57,0x71,0xb3,0xf5,0x82, + 0x2a,0x13,0x64,0x39,0x1c,0x15,0x4d,0xc5,0x06,0xff,0xf1,0xfb,0x9d,0x9a,0x35,0xf8, + 0x01,0x99,0xa6,0xb3,0x0b,0x4b,0x92,0xb9,0x26,0x19,0xa4,0x0e,0x21,0xae,0xa1,0x92, + 0x84,0x01,0x58,0x63,0xc4,0x48,0x66,0xc6,0x1e,0xd9,0x04,0xa7,0xad,0x19,0xee,0x04, + 0xd9,0x66,0xc0,0xaa,0xe3,0x90,0x63,0x62,0x43,0x56,0x55,0x81,0xff,0x20,0xbd,0x6e, + 0x3c,0xfb,0x6e,0x31,0xf5,0xaf,0xba,0x96,0x4b,0x31,0x1d,0xc2,0xd0,0x23,0xa2,0x19, + 0x98,0xc8,0xdd,0x50,0xca,0x45,0x36,0x99,0x19,0x0b,0xd4,0x67,0x42,0x9e,0x2f,0x88, + 0xac,0xe2,0x9c,0x4d,0x1d,0xa4,0xda,0x61,0xaa,0xc1,0xed,0xa2,0x38,0x02,0x30,0xaa, + 0x8d,0xbb,0x63,0xc7,0x5a,0x3c,0x1e,0xc0,0x4d,0xa3,0xa1,0xf8,0x80,0xc9,0xc7,0x47, + 0xac,0xdb,0x74,0xa8,0x39,0x5a,0xf5,0x8f,0x5f,0x04,0x40,0x15,0xcc,0xaf,0x6e,0x94), + }, + { + .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, }, + .n = chunk_from_chars( + 0xb4,0x3d,0x4a,0x44,0x6d,0xe4,0x5a,0xa8,0xf3,0x36,0xb9,0x3a,0x4c,0x59,0x23,0xf3, + 0xa5,0x38,0x6e,0xf8,0xdd,0x1e,0x94,0xc4,0x23,0x00,0xde,0x08,0x80,0xe9,0xbd,0x08, + 0x28,0xfb,0x32,0xe3,0x6e,0x4c,0x50,0xcb,0xf6,0x66,0x03,0x7a,0x8f,0x2e,0x05,0xf4, + 0x57,0x73,0x89,0x6c,0x10,0xae,0xa9,0x75,0xb3,0xdb,0xf4,0xc4,0xcd,0xfc,0x24,0xa0, + 0x38,0xc5,0xc0,0x6d,0x36,0x1b,0xaf,0x84,0xc3,0x8f,0xc2,0x2c,0x03,0xa3,0x6b,0x9d, + 0xce,0x38,0xe0,0x90,0x11,0x1d,0x9c,0x13,0x23,0xd7,0xa7,0x7d,0x3e,0x04,0xb7,0x13, + 0xfa,0xf7,0x40,0x96,0x5a,0x9e,0x18,0x83,0xee,0x37,0x75,0x48,0x9a,0xb5,0x14,0xce, + 0x48,0x07,0x86,0xf9,0xeb,0x74,0x1c,0x60,0xab,0x89,0x6a,0x9d,0x6e,0xae,0x3a,0x53, + 0xed,0x92,0x68,0x76,0x8c,0x21,0xf7,0x9e,0x30,0x75,0x9e,0x0b,0x01,0xab,0x7f,0xa2, + 0x24,0xea,0x82,0x29,0xc2,0x93,0x78,0x00,0x58,0xf2,0x58,0xe9,0x22,0x6d,0x73,0x74, + 0xac,0x42,0x5e,0xf1,0xd2,0xb6,0xe0,0x6e,0x5b,0x26,0x3d,0xf0,0xc6,0xd6,0x6c,0x00, + 0xed,0x26,0xcb,0xf2,0x46,0xa5,0xaf,0x0a,0x01,0x63,0x33,0x68,0x86,0xef,0x8d,0x92, + 0x9b,0x37,0x74,0x9a,0x08,0xf0,0xec,0x1d,0xb0,0x59,0x73,0xa8,0xaf,0xc8,0x17,0x78, + 0xb6,0xcc,0x91,0x06,0xf9,0x2b,0x14,0x53,0xf1,0x52,0x86,0x97,0xb1,0xdc,0x8d,0xd0, + 0xb2,0x55,0xe8,0x01,0x06,0x0f,0xe1,0x79,0xb2,0xd1,0x0a,0x9c,0x4c,0x3e,0x13,0xf3, + 0xc5,0x6f,0xa6,0xd5,0x51,0x66,0xf6,0x46,0x1a,0xf4,0xaa,0xf4,0xf4,0x16,0x8f,0xd5, + 0xea,0x6d,0xad,0xed,0xaa,0x3f,0x9f,0x1d,0xe4,0xde,0x99,0x3d,0x88,0x44,0x35,0x7c, + 0x0a,0xf7,0x9a,0x09,0x0e,0xcc,0x80,0x57,0x0c,0x64,0x15,0x45,0xbe,0xb4,0x2a,0x12, + 0x48,0xa5,0x2d,0xe6,0x12,0xf2,0xe0,0xf8,0x83,0x44,0x96,0x33,0x1a,0x73,0x54,0xf7, + 0xeb,0x91,0xa1,0x94,0x3b,0x5c,0xb3,0xb6,0xcf,0x19,0x84,0x51,0x73,0x5f,0xb5,0x54, + 0x92,0x2f,0x04,0xf0,0x09,0xa5,0x2a,0x15,0xd9,0x93,0x69,0xad,0xc2,0xe4,0x6b,0x09, + 0xbb,0x87,0x1f,0x4f,0x3e,0xc1,0x90,0x5a,0xcd,0x79,0x2b,0x8c,0x81,0xa3,0xd7,0x4b, + 0x31,0x6f,0xf9,0xd2,0x0b,0x93,0xf4,0x88,0x17,0xae,0x61,0x86,0x77,0xdc,0x94,0x51, + 0xf5,0x82,0xec,0x99,0x95,0xf4,0x45,0x52,0xf4,0x24,0x49,0x53,0xcd,0xe8,0x3f,0x11), + .d = chunk_from_chars( + 0x05,0x50,0x8e,0x4a,0xec,0x1e,0x7e,0xad,0xdd,0x40,0x20,0x4c,0x8a,0x3a,0x38,0x90, + 0x48,0x79,0x2b,0x4d,0x1f,0x15,0x0d,0xc5,0x3a,0x10,0x9a,0xc8,0x05,0x5f,0xa9,0x49, + 0x22,0x78,0x2c,0x43,0xc3,0x07,0x12,0x36,0x65,0x8b,0x1c,0x7b,0x5d,0x07,0xb2,0xef, + 0xae,0xef,0x39,0x44,0x9e,0x02,0x80,0x97,0x98,0x0b,0x0a,0x3a,0x20,0x40,0x68,0x47, + 0xed,0x3f,0x79,0x5d,0x03,0xd5,0xfc,0xed,0x2a,0x39,0x08,0x24,0x58,0x9f,0x57,0x1f, + 0x5d,0xbb,0x79,0x5d,0x97,0x7e,0x8b,0x76,0x9a,0xdd,0x7f,0x4e,0xe7,0x65,0x82,0x9d, + 0x59,0xb4,0xb5,0xb5,0x8e,0xf0,0xda,0xa6,0xc8,0x68,0x2f,0x13,0x84,0x49,0xd8,0x7a, + 0xd4,0x30,0x7f,0xc0,0x46,0xcc,0xf6,0x36,0x03,0xef,0xf9,0xee,0xb1,0x48,0x2d,0xd7, + 0x4d,0xa2,0x55,0x98,0x4f,0x2b,0xd3,0x00,0xab,0xa6,0xb9,0x54,0x9d,0x5d,0x6e,0xab, + 0x02,0x7f,0x73,0xa8,0xf9,0x69,0x5a,0x81,0x40,0xdd,0x6c,0x83,0x9e,0xd6,0xf0,0x48, + 0x19,0xc3,0x8e,0xac,0xd8,0x75,0x3b,0xbb,0xbd,0x66,0xf3,0x4d,0xd1,0x6d,0xa4,0x04, + 0x4f,0x93,0xa5,0x00,0xc4,0x80,0x3f,0x33,0xf6,0xbc,0x20,0xbe,0x75,0xd1,0x30,0x25, + 0x46,0x1f,0xc5,0xb7,0x83,0xd9,0xc7,0x64,0x64,0xe8,0x95,0xaa,0x82,0x3f,0x18,0xd7, + 0xfe,0x7b,0xac,0xd8,0x91,0xe7,0xf9,0x60,0xfe,0xd6,0xf7,0xe8,0x77,0x41,0x3d,0x46, + 0x0a,0x1d,0xdc,0x4e,0x47,0xe7,0xde,0xcb,0x3f,0xae,0xf4,0x1c,0x34,0x74,0xfc,0x9b, + 0xb4,0x33,0x03,0xb8,0x02,0x71,0x30,0xb4,0x86,0x21,0x58,0xd0,0x17,0xf0,0x57,0x0b, + 0x51,0x9b,0x3f,0x87,0x55,0xe6,0x8b,0xba,0x10,0x38,0xca,0x25,0x0a,0x1c,0x7c,0xda, + 0x22,0xc3,0xbd,0xa9,0xaa,0xca,0x24,0xa5,0x0a,0x56,0x8c,0xca,0x52,0xab,0x72,0x21, + 0x41,0xbf,0x8b,0xdc,0x07,0x77,0x0e,0x69,0x32,0x96,0x64,0x52,0x72,0x58,0x25,0x90, + 0x32,0x8e,0x4f,0x11,0x69,0xac,0x57,0xab,0xa7,0x74,0xa9,0x81,0x89,0x89,0xc4,0xa0, + 0x69,0x10,0x4a,0x9d,0xcc,0xe8,0x72,0xea,0x45,0xb2,0x39,0x2a,0xf7,0x56,0xd9,0x72, + 0x06,0xac,0x90,0x7c,0x6f,0xde,0x9c,0xe5,0x33,0x08,0x3f,0x54,0x68,0xc3,0x04,0xff, + 0x2e,0x4d,0xef,0xca,0xfb,0xd5,0xe2,0x35,0xa2,0x41,0x56,0xee,0xf6,0x05,0x94,0xe9, + 0xf2,0xf4,0x97,0x40,0xa6,0x0f,0xf3,0x62,0x37,0xc1,0x7e,0x93,0x7c,0x27,0x51,0xf5), + .e = chunk_from_chars(0x09,0x8f,0xfb), + .m = chunk_from_chars( + 0xdd,0xdb,0x05,0xcb,0x9b,0xf1,0x0c,0x14,0xe7,0xdd,0x1e,0x9f,0x3b,0x3d,0x2b,0x32, + 0x9a,0x17,0xf3,0x16,0x76,0x28,0x10,0x11,0xd2,0x78,0x37,0x94,0xa4,0x32,0xbb,0x34, + 0x7d,0xb3,0x52,0x5e,0x6b,0xe1,0x1c,0x47,0x1f,0xbe,0xe1,0x23,0x4b,0x3d,0x9b,0x97, + 0x4e,0x54,0x34,0x70,0x13,0x52,0x90,0x95,0x36,0x73,0xce,0x3a,0x69,0xb1,0xcb,0x57, + 0x17,0xde,0xe8,0x59,0x47,0xf0,0x0e,0x17,0xc2,0x9c,0xef,0x07,0x78,0x26,0x8e,0xb2, + 0x20,0x77,0x01,0x65,0x1f,0x70,0x75,0x2a,0xab,0x7e,0x74,0xf6,0x30,0x6e,0x63,0x24, + 0xf2,0x83,0x4f,0x22,0xf5,0xc6,0xe9,0x6b,0x1a,0x9e,0xce,0xb5,0x8a,0xa0,0x0c,0x6b, + 0x57,0xa8,0xe2,0x5d,0x61,0x29,0xc8,0xb7,0x77,0xc1,0xaf,0x2f,0xbf,0x11,0x8a,0x83), + .s = chunk_from_chars( + 0x11,0x10,0x7c,0x6d,0xa7,0xa7,0x6d,0xba,0x8c,0xe8,0xde,0x3d,0x5c,0x90,0xc6,0xbc, + 0xca,0xf3,0x3f,0xb9,0xa7,0xec,0x4d,0x40,0xa9,0x7f,0xbc,0xde,0xba,0xf6,0xe6,0x5c, + 0x09,0x5b,0x67,0xdf,0xa1,0x71,0xc5,0x4a,0x33,0x64,0xa6,0xde,0xd7,0x18,0xe1,0xbe, + 0xbb,0xb4,0x97,0xd1,0x5f,0x1d,0xe1,0x33,0xb5,0x82,0x97,0xe0,0x8c,0x1b,0x20,0x0f, + 0x84,0x66,0x57,0x9c,0xb8,0xe9,0xc3,0xdb,0xe5,0xf7,0x24,0x28,0x2e,0x5b,0xb2,0x85, + 0x70,0xa4,0x1d,0x8d,0x35,0xad,0x6e,0x13,0x1e,0xb2,0xa1,0xd3,0x29,0xd8,0xb0,0x8d, + 0x10,0xfa,0xf7,0x6f,0xdb,0xe7,0x42,0x17,0xa2,0x76,0x93,0x6b,0x15,0x93,0xb1,0xd3, + 0xa1,0x18,0x91,0xd1,0x86,0x41,0xc0,0xbe,0xe0,0xc3,0x7e,0x68,0xbf,0x75,0xad,0xd9, + 0xe7,0xdc,0xf3,0xb9,0xb4,0x41,0x3f,0xa3,0xec,0x90,0x67,0x60,0x38,0x16,0x1f,0x68, + 0xfe,0x3a,0xf6,0x4d,0x69,0xa1,0x6f,0xc2,0x2c,0x8e,0xa7,0xc0,0x6f,0x86,0xbc,0xbb, + 0xa6,0x67,0x9b,0x6f,0xa4,0x58,0x58,0xc8,0x7e,0xc2,0xda,0x88,0x96,0x92,0x0d,0xfd, + 0x77,0xfd,0x16,0xd9,0x53,0xe9,0x84,0x62,0x42,0x03,0xcc,0x21,0x78,0xd2,0x20,0xfa, + 0x47,0xba,0x9a,0x6d,0xdb,0xe7,0x59,0xdb,0x3d,0xc4,0x22,0x4c,0x7c,0xcb,0x09,0xb2, + 0x9e,0x20,0x07,0x22,0xa7,0x45,0xd3,0x32,0x92,0x09,0x32,0x3a,0x08,0x2a,0x3f,0x7a, + 0x2c,0x62,0x4b,0x40,0x53,0xfa,0x42,0x18,0x3d,0xd2,0x2b,0x7f,0x49,0xc4,0x56,0x9f, + 0x8c,0x3d,0x49,0x51,0x57,0x53,0xb9,0x93,0xef,0x81,0x22,0xc3,0x69,0x85,0xe9,0x6a, + 0x32,0x89,0xaf,0x8d,0x6e,0x22,0x93,0x4b,0xbc,0xf7,0x55,0x1b,0x15,0x70,0x92,0x31, + 0x58,0xd1,0xb5,0x54,0xc1,0x3f,0x4f,0xe0,0x8f,0xaf,0xf4,0x89,0x8b,0xe9,0x2f,0x6e, + 0x66,0xff,0x74,0xa8,0x0b,0x13,0x70,0x3e,0x0d,0x26,0x65,0xdb,0x71,0x5c,0x55,0x9e, + 0x68,0xbe,0xad,0x6f,0x6b,0x75,0x93,0xf0,0x2e,0xfb,0xd6,0x8c,0x67,0x62,0x56,0xae, + 0x86,0x95,0xa5,0x1d,0xab,0x90,0xe3,0x29,0x86,0x69,0x7f,0x4e,0xde,0x07,0x66,0x28, + 0x17,0x6c,0xa6,0xb6,0x51,0x91,0x8d,0x74,0x9f,0xd0,0x1a,0x16,0xa8,0x7a,0xda,0xad, + 0x4a,0xae,0x93,0xb8,0xc0,0x5d,0x92,0x56,0x5e,0xc6,0x82,0x17,0xaa,0xab,0x96,0x76, + 0x23,0xda,0x3e,0x5a,0x50,0x95,0x64,0x2c,0xc1,0x7d,0x73,0x0a,0x6d,0x95,0x9c,0xfa), + }, + { + .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, }, + .n = chunk_from_chars( + 0xb4,0x3d,0x4a,0x44,0x6d,0xe4,0x5a,0xa8,0xf3,0x36,0xb9,0x3a,0x4c,0x59,0x23,0xf3, + 0xa5,0x38,0x6e,0xf8,0xdd,0x1e,0x94,0xc4,0x23,0x00,0xde,0x08,0x80,0xe9,0xbd,0x08, + 0x28,0xfb,0x32,0xe3,0x6e,0x4c,0x50,0xcb,0xf6,0x66,0x03,0x7a,0x8f,0x2e,0x05,0xf4, + 0x57,0x73,0x89,0x6c,0x10,0xae,0xa9,0x75,0xb3,0xdb,0xf4,0xc4,0xcd,0xfc,0x24,0xa0, + 0x38,0xc5,0xc0,0x6d,0x36,0x1b,0xaf,0x84,0xc3,0x8f,0xc2,0x2c,0x03,0xa3,0x6b,0x9d, + 0xce,0x38,0xe0,0x90,0x11,0x1d,0x9c,0x13,0x23,0xd7,0xa7,0x7d,0x3e,0x04,0xb7,0x13, + 0xfa,0xf7,0x40,0x96,0x5a,0x9e,0x18,0x83,0xee,0x37,0x75,0x48,0x9a,0xb5,0x14,0xce, + 0x48,0x07,0x86,0xf9,0xeb,0x74,0x1c,0x60,0xab,0x89,0x6a,0x9d,0x6e,0xae,0x3a,0x53, + 0xed,0x92,0x68,0x76,0x8c,0x21,0xf7,0x9e,0x30,0x75,0x9e,0x0b,0x01,0xab,0x7f,0xa2, + 0x24,0xea,0x82,0x29,0xc2,0x93,0x78,0x00,0x58,0xf2,0x58,0xe9,0x22,0x6d,0x73,0x74, + 0xac,0x42,0x5e,0xf1,0xd2,0xb6,0xe0,0x6e,0x5b,0x26,0x3d,0xf0,0xc6,0xd6,0x6c,0x00, + 0xed,0x26,0xcb,0xf2,0x46,0xa5,0xaf,0x0a,0x01,0x63,0x33,0x68,0x86,0xef,0x8d,0x92, + 0x9b,0x37,0x74,0x9a,0x08,0xf0,0xec,0x1d,0xb0,0x59,0x73,0xa8,0xaf,0xc8,0x17,0x78, + 0xb6,0xcc,0x91,0x06,0xf9,0x2b,0x14,0x53,0xf1,0x52,0x86,0x97,0xb1,0xdc,0x8d,0xd0, + 0xb2,0x55,0xe8,0x01,0x06,0x0f,0xe1,0x79,0xb2,0xd1,0x0a,0x9c,0x4c,0x3e,0x13,0xf3, + 0xc5,0x6f,0xa6,0xd5,0x51,0x66,0xf6,0x46,0x1a,0xf4,0xaa,0xf4,0xf4,0x16,0x8f,0xd5, + 0xea,0x6d,0xad,0xed,0xaa,0x3f,0x9f,0x1d,0xe4,0xde,0x99,0x3d,0x88,0x44,0x35,0x7c, + 0x0a,0xf7,0x9a,0x09,0x0e,0xcc,0x80,0x57,0x0c,0x64,0x15,0x45,0xbe,0xb4,0x2a,0x12, + 0x48,0xa5,0x2d,0xe6,0x12,0xf2,0xe0,0xf8,0x83,0x44,0x96,0x33,0x1a,0x73,0x54,0xf7, + 0xeb,0x91,0xa1,0x94,0x3b,0x5c,0xb3,0xb6,0xcf,0x19,0x84,0x51,0x73,0x5f,0xb5,0x54, + 0x92,0x2f,0x04,0xf0,0x09,0xa5,0x2a,0x15,0xd9,0x93,0x69,0xad,0xc2,0xe4,0x6b,0x09, + 0xbb,0x87,0x1f,0x4f,0x3e,0xc1,0x90,0x5a,0xcd,0x79,0x2b,0x8c,0x81,0xa3,0xd7,0x4b, + 0x31,0x6f,0xf9,0xd2,0x0b,0x93,0xf4,0x88,0x17,0xae,0x61,0x86,0x77,0xdc,0x94,0x51, + 0xf5,0x82,0xec,0x99,0x95,0xf4,0x45,0x52,0xf4,0x24,0x49,0x53,0xcd,0xe8,0x3f,0x11), + .d = chunk_from_chars( + 0x05,0x50,0x8e,0x4a,0xec,0x1e,0x7e,0xad,0xdd,0x40,0x20,0x4c,0x8a,0x3a,0x38,0x90, + 0x48,0x79,0x2b,0x4d,0x1f,0x15,0x0d,0xc5,0x3a,0x10,0x9a,0xc8,0x05,0x5f,0xa9,0x49, + 0x22,0x78,0x2c,0x43,0xc3,0x07,0x12,0x36,0x65,0x8b,0x1c,0x7b,0x5d,0x07,0xb2,0xef, + 0xae,0xef,0x39,0x44,0x9e,0x02,0x80,0x97,0x98,0x0b,0x0a,0x3a,0x20,0x40,0x68,0x47, + 0xed,0x3f,0x79,0x5d,0x03,0xd5,0xfc,0xed,0x2a,0x39,0x08,0x24,0x58,0x9f,0x57,0x1f, + 0x5d,0xbb,0x79,0x5d,0x97,0x7e,0x8b,0x76,0x9a,0xdd,0x7f,0x4e,0xe7,0x65,0x82,0x9d, + 0x59,0xb4,0xb5,0xb5,0x8e,0xf0,0xda,0xa6,0xc8,0x68,0x2f,0x13,0x84,0x49,0xd8,0x7a, + 0xd4,0x30,0x7f,0xc0,0x46,0xcc,0xf6,0x36,0x03,0xef,0xf9,0xee,0xb1,0x48,0x2d,0xd7, + 0x4d,0xa2,0x55,0x98,0x4f,0x2b,0xd3,0x00,0xab,0xa6,0xb9,0x54,0x9d,0x5d,0x6e,0xab, + 0x02,0x7f,0x73,0xa8,0xf9,0x69,0x5a,0x81,0x40,0xdd,0x6c,0x83,0x9e,0xd6,0xf0,0x48, + 0x19,0xc3,0x8e,0xac,0xd8,0x75,0x3b,0xbb,0xbd,0x66,0xf3,0x4d,0xd1,0x6d,0xa4,0x04, + 0x4f,0x93,0xa5,0x00,0xc4,0x80,0x3f,0x33,0xf6,0xbc,0x20,0xbe,0x75,0xd1,0x30,0x25, + 0x46,0x1f,0xc5,0xb7,0x83,0xd9,0xc7,0x64,0x64,0xe8,0x95,0xaa,0x82,0x3f,0x18,0xd7, + 0xfe,0x7b,0xac,0xd8,0x91,0xe7,0xf9,0x60,0xfe,0xd6,0xf7,0xe8,0x77,0x41,0x3d,0x46, + 0x0a,0x1d,0xdc,0x4e,0x47,0xe7,0xde,0xcb,0x3f,0xae,0xf4,0x1c,0x34,0x74,0xfc,0x9b, + 0xb4,0x33,0x03,0xb8,0x02,0x71,0x30,0xb4,0x86,0x21,0x58,0xd0,0x17,0xf0,0x57,0x0b, + 0x51,0x9b,0x3f,0x87,0x55,0xe6,0x8b,0xba,0x10,0x38,0xca,0x25,0x0a,0x1c,0x7c,0xda, + 0x22,0xc3,0xbd,0xa9,0xaa,0xca,0x24,0xa5,0x0a,0x56,0x8c,0xca,0x52,0xab,0x72,0x21, + 0x41,0xbf,0x8b,0xdc,0x07,0x77,0x0e,0x69,0x32,0x96,0x64,0x52,0x72,0x58,0x25,0x90, + 0x32,0x8e,0x4f,0x11,0x69,0xac,0x57,0xab,0xa7,0x74,0xa9,0x81,0x89,0x89,0xc4,0xa0, + 0x69,0x10,0x4a,0x9d,0xcc,0xe8,0x72,0xea,0x45,0xb2,0x39,0x2a,0xf7,0x56,0xd9,0x72, + 0x06,0xac,0x90,0x7c,0x6f,0xde,0x9c,0xe5,0x33,0x08,0x3f,0x54,0x68,0xc3,0x04,0xff, + 0x2e,0x4d,0xef,0xca,0xfb,0xd5,0xe2,0x35,0xa2,0x41,0x56,0xee,0xf6,0x05,0x94,0xe9, + 0xf2,0xf4,0x97,0x40,0xa6,0x0f,0xf3,0x62,0x37,0xc1,0x7e,0x93,0x7c,0x27,0x51,0xf5), + .e = chunk_from_chars(0x09,0x8f,0xfb), + .m = chunk_from_chars( + 0xdd,0xdb,0x05,0xcb,0x9b,0xf1,0x0c,0x14,0xe7,0xdd,0x1e,0x9f,0x3b,0x3d,0x2b,0x32, + 0x9a,0x17,0xf3,0x16,0x76,0x28,0x10,0x11,0xd2,0x78,0x37,0x94,0xa4,0x32,0xbb,0x34, + 0x7d,0xb3,0x52,0x5e,0x6b,0xe1,0x1c,0x47,0x1f,0xbe,0xe1,0x23,0x4b,0x3d,0x9b,0x97, + 0x4e,0x54,0x34,0x70,0x13,0x52,0x90,0x95,0x36,0x73,0xce,0x3a,0x69,0xb1,0xcb,0x57, + 0x17,0xde,0xe8,0x59,0x47,0xf0,0x0e,0x17,0xc2,0x9c,0xef,0x07,0x78,0x26,0x8e,0xb2, + 0x20,0x77,0x01,0x65,0x1f,0x70,0x75,0x2a,0xab,0x7e,0x74,0xf6,0x30,0x6e,0x63,0x24, + 0xf2,0x83,0x4f,0x22,0xf5,0xc6,0xe9,0x6b,0x1a,0x9e,0xce,0xb5,0x8a,0xa0,0x0c,0x6b, + 0x57,0xa8,0xe2,0x5d,0x61,0x29,0xc8,0xb7,0x77,0xc1,0xaf,0x2f,0xbf,0x11,0x8a,0x83), + .s = chunk_from_chars( + 0x11,0x10,0x7c,0x6d,0xa7,0xa7,0x6d,0xba,0x8c,0xe8,0xde,0x3d,0x5c,0x90,0xc6,0xbc, + 0xca,0xf3,0x3f,0xb9,0xa7,0xec,0x4d,0x40,0xa9,0x7f,0xbc,0xde,0xba,0xf6,0xe6,0x5c, + 0x09,0x5b,0x67,0xdf,0xa1,0x71,0xc5,0x4a,0x33,0x64,0xa6,0xde,0xd7,0x18,0xe1,0xbe, + 0xbb,0xb4,0x97,0xd1,0x5f,0x1d,0xe1,0x33,0xb5,0x82,0x97,0xe0,0x8c,0x1b,0x20,0x0f, + 0x84,0x66,0x57,0x9c,0xb8,0xe9,0xc3,0xdb,0xe5,0xf7,0x24,0x28,0x2e,0x5b,0xb2,0x85, + 0x70,0xa4,0x1d,0x8d,0x35,0xad,0x6e,0x13,0x1e,0xb2,0xa1,0xd3,0x29,0xd8,0xb0,0x8d, + 0x10,0xfa,0xf7,0x6f,0xdb,0xe7,0x42,0x17,0xa2,0x76,0x93,0x6b,0x15,0x93,0xb1,0xd3, + 0xa1,0x18,0x91,0xd1,0x86,0x41,0xc0,0xbe,0xe0,0xc3,0x7e,0x68,0xbf,0x75,0xad,0xd9, + 0xe7,0xdc,0xf3,0xb9,0xb4,0x41,0x3f,0xa3,0xec,0x90,0x67,0x60,0x38,0x16,0x1f,0x68, + 0xfe,0x3a,0xf6,0x4d,0x69,0xa1,0x6f,0xc2,0x2c,0x8e,0xa7,0xc0,0x6f,0x86,0xbc,0xbb, + 0xa6,0x67,0x9b,0x6f,0xa4,0x58,0x58,0xc8,0x7e,0xc2,0xda,0x88,0x96,0x92,0x0d,0xfd, + 0x77,0xfd,0x16,0xd9,0x53,0xe9,0x84,0x62,0x42,0x03,0xcc,0x21,0x78,0xd2,0x20,0xfa, + 0x47,0xba,0x9a,0x6d,0xdb,0xe7,0x59,0xdb,0x3d,0xc4,0x22,0x4c,0x7c,0xcb,0x09,0xb2, + 0x9e,0x20,0x07,0x22,0xa7,0x45,0xd3,0x32,0x92,0x09,0x32,0x3a,0x08,0x2a,0x3f,0x7a, + 0x2c,0x62,0x4b,0x40,0x53,0xfa,0x42,0x18,0x3d,0xd2,0x2b,0x7f,0x49,0xc4,0x56,0x9f, + 0x8c,0x3d,0x49,0x51,0x57,0x53,0xb9,0x93,0xef,0x81,0x22,0xc3,0x69,0x85,0xe9,0x6a, + 0x32,0x89,0xaf,0x8d,0x6e,0x22,0x93,0x4b,0xbc,0xf7,0x55,0x1b,0x15,0x70,0x92,0x31, + 0x58,0xd1,0xb5,0x54,0xc1,0x3f,0x4f,0xe0,0x8f,0xaf,0xf4,0x89,0x8b,0xe9,0x2f,0x6e, + 0x66,0xff,0x74,0xa8,0x0b,0x13,0x70,0x3e,0x0d,0x26,0x65,0xdb,0x71,0x5c,0x55,0x9e, + 0x68,0xbe,0xad,0x6f,0x6b,0x75,0x93,0xf0,0x2e,0xfb,0xd6,0x8c,0x67,0x62,0x56,0xae, + 0x86,0x95,0xa5,0x1d,0xab,0x90,0xe3,0x29,0x86,0x69,0x7f,0x4e,0xde,0x07,0x66,0x28, + 0x17,0x6c,0xa6,0xb6,0x51,0x91,0x8d,0x74,0x9f,0xd0,0x1a,0x16,0xa8,0x7a,0xda,0xad, + 0x4a,0xae,0x93,0xb8,0xc0,0x5d,0x92,0x56,0x5e,0xc6,0x82,0x17,0xaa,0xab,0x96,0x76, + 0x23,0xda,0x3e,0x5a,0x50,0x95,0x64,0x2c,0xc1,0x7d,0x73,0x0a,0x6d,0x95,0x9c,0xfa), + }, + { + .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, }, + .n = chunk_from_chars( + 0xa3,0xf2,0x23,0x5a,0xd2,0x05,0x3b,0x4c,0x83,0xfa,0x38,0xf8,0x28,0x4e,0xd8,0x05, + 0x42,0x16,0x21,0xfe,0x98,0x84,0x5f,0xb0,0x1b,0x68,0x9f,0x5b,0x82,0xb3,0x25,0x11, + 0xb6,0xd1,0x61,0x73,0xe7,0xb4,0x0a,0x66,0xa3,0xa9,0x99,0xc1,0x89,0xbe,0xb9,0xe0, + 0x68,0x22,0x15,0x0a,0xc8,0xbe,0x67,0x71,0x86,0x37,0x0c,0x82,0x3b,0x52,0x77,0xd9, + 0x09,0xde,0x07,0x56,0x4e,0x28,0x1c,0xca,0x2f,0x13,0x87,0x3d,0x9d,0x07,0xb7,0xbd, + 0x85,0xa2,0xb9,0xac,0x66,0xf4,0xce,0x4f,0x5e,0x38,0xb8,0xe9,0xee,0xbe,0xc0,0x4c, + 0x8c,0xaf,0x31,0x1e,0x37,0x5d,0x69,0xe8,0x08,0x51,0xd5,0x59,0xb8,0xe9,0x0e,0x85, + 0xba,0x6b,0x96,0x47,0x67,0x90,0xf7,0x27,0xc2,0x5a,0xa8,0x16,0x30,0x62,0xec,0x85, + 0x43,0xfc,0xc7,0x75,0x9b,0xe6,0x2c,0x77,0x68,0xec,0xc3,0x7f,0x34,0x0b,0xb0,0x61, + 0x02,0x76,0x2b,0xf0,0x44,0x1c,0xa1,0xaa,0x2c,0x7a,0x81,0xbf,0x37,0xdc,0x8b,0x27, + 0x43,0x9d,0x3a,0xbb,0xa9,0x38,0x12,0xc9,0xbb,0x44,0xfe,0x4d,0x6a,0x94,0xba,0xae, + 0x70,0x93,0x79,0xf5,0xce,0x5d,0x0c,0x8f,0x81,0xd0,0x00,0x86,0xb9,0xca,0xa3,0x02, + 0x68,0x19,0x58,0x8f,0x49,0x1b,0x52,0x58,0x07,0x89,0x9c,0xda,0xb3,0x3d,0x8e,0x99, + 0x21,0x50,0xd2,0xb1,0x05,0xd3,0xaa,0xb6,0x15,0x21,0x7c,0x6a,0x3d,0x74,0x08,0x31, + 0xc7,0xdc,0x76,0xfa,0xab,0xd9,0xc9,0xb9,0x81,0x7e,0xad,0x0b,0x49,0x45,0x66,0xde, + 0x14,0x33,0xff,0xf5,0xba,0x46,0x04,0xc6,0xb8,0x44,0x6f,0x6f,0xc3,0x5e,0x74,0x6a, + 0xff,0x84,0xff,0x8b,0xd7,0x50,0x04,0x10,0xd1,0x0e,0x82,0xbf,0x4c,0x90,0x36,0x48, + 0x9d,0xe4,0x7d,0xee,0x9a,0x32,0x7a,0x5c,0x45,0x10,0xd8,0x56,0x13,0x21,0xb9,0x1d, + 0x55,0x55,0x9a,0x4c,0xba,0x85,0xe0,0xc3,0x61,0x76,0x70,0x84,0xb2,0x52,0x17,0xe8, + 0xa6,0x3c,0x4e,0x15,0x1a,0x1e,0x88,0x68,0x9f,0xee,0xcf,0xfd,0x16,0xfa,0x0a,0x65, + 0xae,0x41,0xd2,0xba,0xbc,0xa9,0x9c,0xf1,0xb9,0x59,0xc3,0xc0,0x76,0xc0,0xf7,0x59, + 0x74,0x14,0x6f,0x2c,0xc4,0x94,0x12,0x6f,0xbe,0xca,0xd4,0x21,0x7b,0x9a,0xaa,0x00, + 0xf1,0x69,0xfa,0x51,0x25,0x27,0xff,0x5a,0x0b,0x50,0xda,0x46,0xd6,0xbe,0x87,0x0e, + 0xce,0xf2,0xaf,0x7a,0x1e,0x6c,0x45,0x56,0xf6,0xf7,0xa0,0xa0,0x0b,0x9f,0x47,0xcb), + .d = chunk_from_chars( + 0x3c,0x27,0x68,0x73,0x67,0xeb,0xd2,0x14,0x0b,0x4f,0x4f,0x20,0x24,0xae,0x38,0xe3, + 0xac,0xde,0xe1,0xfa,0x8a,0xb7,0xce,0xa9,0x91,0x4e,0xec,0xb5,0x80,0x11,0x30,0x15, + 0x1b,0x87,0x9f,0x7d,0xd9,0xc8,0xc5,0x23,0xfb,0xeb,0x16,0xea,0x4c,0x35,0x8b,0xfb, + 0x2b,0x6e,0x49,0x2b,0x46,0x66,0xb4,0xff,0x3f,0x2d,0xce,0xae,0x50,0xc3,0x3e,0xd5, + 0xb2,0x84,0x45,0x40,0x52,0x15,0xb6,0x4d,0xd8,0xd9,0x20,0x06,0xe6,0x81,0xa4,0x5f, + 0x78,0x98,0x34,0x31,0xc0,0xdb,0x66,0x4a,0x78,0x75,0x59,0x47,0x9a,0x3a,0x27,0x9b, + 0xd6,0xab,0x71,0xf9,0xd1,0x5f,0x01,0x09,0x37,0x05,0x47,0xcb,0x12,0xb7,0xaa,0x90, + 0xa8,0x4c,0x1d,0x16,0x51,0xb9,0xbe,0xe5,0xd2,0xe6,0x22,0x60,0x11,0x49,0x18,0x97, + 0xeb,0xf8,0x91,0xfa,0x67,0xcd,0x19,0xfa,0x4f,0xed,0x77,0xcc,0xd5,0xf9,0x63,0x43, + 0x74,0x3d,0x8b,0xd2,0x2e,0x46,0xda,0xbd,0xab,0x46,0x9a,0xdc,0x46,0x4a,0xcf,0x29, + 0xc3,0xa0,0x8f,0x57,0x48,0xf4,0xb0,0x0b,0xb1,0x55,0x87,0xee,0x44,0x4b,0x76,0x5c, + 0x06,0x9d,0xe3,0xe7,0x1d,0x09,0xe2,0x4a,0x69,0xb6,0x27,0xac,0x6f,0xc3,0x49,0x7d, + 0x9d,0x32,0xd7,0x97,0x1f,0xc4,0x47,0x1d,0x5d,0xd4,0x39,0x65,0x2d,0x73,0x93,0xfa, + 0x3b,0x43,0x4b,0x52,0x54,0xa4,0xcb,0x10,0x64,0xde,0xa1,0xd1,0xba,0x41,0x18,0x1a, + 0x6c,0x36,0x72,0xe3,0xe0,0xf6,0xa2,0x84,0xf2,0x31,0x21,0xdc,0x7a,0x14,0xa4,0xc7, + 0xa7,0x6e,0xbc,0x2b,0xfd,0x09,0xcb,0x69,0x84,0x1c,0xa9,0x59,0x07,0xcc,0x30,0xc9, + 0x4e,0x69,0x27,0x51,0x1c,0x72,0xe9,0x7d,0xd3,0x33,0x0b,0xb4,0x56,0x48,0x8d,0x91, + 0x9f,0xaf,0xd6,0xd8,0xf1,0x97,0x59,0xab,0x4c,0x37,0x46,0x63,0x14,0x75,0x1e,0x53, + 0xab,0x13,0x92,0x72,0xe8,0xd6,0x7c,0x0d,0xc0,0x42,0x49,0xd3,0x00,0xee,0x63,0x5a, + 0x20,0xa4,0xf6,0x5e,0xd7,0xcf,0xb3,0x0d,0x18,0x13,0xd0,0xb7,0x58,0x58,0xf2,0xf8, + 0xf9,0x10,0xc0,0x5b,0xcc,0x20,0x13,0xba,0x5c,0x93,0x21,0xc4,0x95,0xe1,0x41,0xa6, + 0x17,0xfa,0x73,0x18,0x19,0x18,0x90,0x9d,0xab,0xc3,0xf9,0xde,0x59,0x4a,0x19,0x33, + 0x12,0xe1,0x47,0x72,0xb4,0xa5,0x9b,0x4f,0xb7,0x2e,0x73,0x15,0xc0,0x55,0x23,0x6a, + 0x78,0x9e,0xb4,0xd2,0x24,0x60,0x97,0x45,0x72,0x1e,0x73,0x03,0x1c,0x91,0x13,0xe7), + .e = chunk_from_chars(0xb3,0xf5,0x7f), + .m = chunk_from_chars( + 0xbe,0x2f,0x3e,0x1d,0xc8,0xa3,0x71,0x15,0x70,0x40,0x1b,0xd5,0x35,0x18,0x54,0x26, + 0x94,0x4d,0x09,0x4e,0x84,0x81,0xa1,0x2a,0x43,0x8d,0xe0,0x7d,0x54,0x76,0x0c,0x88, + 0xc9,0x9d,0x4f,0xdb,0xbe,0x35,0x5d,0x6a,0x26,0xfa,0x56,0xe3,0xca,0x20,0xee,0x3f, + 0x8e,0x8a,0xcb,0x98,0xf6,0x3d,0x2f,0x3a,0xea,0x14,0xd6,0xfc,0xb6,0xb5,0x22,0xd1, + 0x55,0xc3,0x75,0x9a,0xef,0x56,0xde,0x3e,0xa0,0xa8,0xf9,0xfd,0x7b,0x11,0x10,0x01, + 0xcf,0x35,0x86,0x36,0xa8,0x7c,0x76,0x5c,0x99,0xc2,0x97,0x5b,0xb9,0x50,0x63,0xd6, + 0xec,0x0b,0x78,0x02,0x64,0xec,0x3e,0xb9,0x67,0xb0,0xca,0xca,0x52,0xd1,0x02,0x94, + 0xde,0xb4,0x02,0xd3,0xa2,0x24,0xbf,0xb9,0xd9,0xff,0xea,0x41,0x66,0x2f,0x18,0xc0), + .s = chunk_from_chars( + 0x78,0x7c,0xdd,0x6e,0x1d,0x4f,0xdf,0x9a,0x0d,0x9f,0x96,0x5e,0xb8,0x57,0x25,0x23, + 0x2a,0x9e,0xfc,0xc1,0x2a,0xbf,0xa1,0xef,0x25,0xa8,0x1e,0x09,0x83,0x11,0x1d,0x90, + 0x00,0xd4,0x94,0xfc,0x7d,0x32,0x01,0xeb,0x3b,0xba,0x32,0x73,0x02,0x72,0x7f,0x70, + 0x86,0x14,0x7a,0x75,0x5b,0x48,0x27,0x03,0x0c,0x72,0x76,0x53,0x6f,0x42,0x55,0x93, + 0xab,0x2e,0x91,0x27,0xa1,0x49,0xe7,0x54,0xde,0x7a,0xd7,0x7f,0x8c,0x20,0x43,0x26, + 0x7d,0xb4,0x9f,0x8a,0x35,0x03,0x1d,0x83,0xf1,0x3d,0x14,0x0d,0x5d,0xf4,0xd4,0x24, + 0xb4,0x74,0x54,0x04,0x1a,0x23,0xb9,0x2f,0xf6,0x81,0x8e,0x74,0x9d,0x65,0xd0,0x1f, + 0xc5,0x0b,0xeb,0xf6,0x91,0x52,0xf3,0xf5,0xfc,0xb4,0x87,0x3b,0x10,0x36,0x21,0x9e, + 0x22,0xb1,0xe7,0x4f,0x83,0x68,0xc8,0xc5,0x01,0xce,0x65,0xf2,0xc9,0x29,0xd9,0x0a, + 0x8e,0xc8,0x99,0x63,0x0e,0x80,0x25,0x47,0xa7,0xca,0x6e,0xf1,0x8a,0xb3,0xcb,0x3e, + 0xb4,0xa6,0x91,0xee,0x68,0xae,0xbe,0xaf,0x1b,0x9c,0x05,0x5a,0xd1,0x22,0x18,0x03, + 0x9c,0xf4,0x80,0xcd,0x8d,0x29,0x43,0x32,0xc5,0xe1,0x6e,0xbb,0xe6,0xaf,0x11,0xf8, + 0xf4,0xbf,0x49,0xf9,0xb4,0xed,0x2f,0x51,0x11,0x26,0xae,0x78,0x0a,0x3b,0x78,0x4b, + 0xe8,0xf4,0x42,0x6a,0xbd,0x17,0xf8,0x60,0x00,0x74,0x48,0x3f,0x2a,0xf3,0xb7,0x1a, + 0x89,0x64,0xc6,0xe0,0xfa,0x00,0x04,0x9a,0x1d,0x94,0x0d,0x34,0xcc,0x08,0x83,0x9e, + 0x0c,0x59,0x25,0x3d,0x99,0xe9,0x0d,0x17,0x87,0x1d,0x48,0x96,0x74,0x69,0x56,0x63, + 0x62,0x61,0x66,0xd3,0x6f,0xf9,0x1d,0x8c,0x22,0x99,0xa2,0xf0,0x51,0xea,0xe2,0xd6, + 0x0e,0x8e,0xd0,0xbc,0x3f,0xac,0x1e,0x49,0x0b,0x47,0x0c,0x12,0xf3,0xd6,0x97,0xf6, + 0xfb,0xfd,0x88,0x0d,0xe2,0xe9,0x0e,0x9f,0xcb,0xd4,0x85,0xfa,0x33,0x93,0x19,0x83, + 0x72,0xfb,0x01,0xe4,0xce,0xc5,0xc1,0x59,0x17,0xec,0xdd,0x42,0xe5,0x7c,0x43,0xec, + 0xf5,0x5a,0x8c,0x0e,0xcb,0xdc,0xef,0x1b,0xce,0x4e,0x36,0xd9,0x6d,0x46,0xb1,0x12, + 0x57,0x0b,0x53,0xf8,0x2f,0x3d,0x20,0x64,0xb0,0x8a,0xc7,0x86,0x13,0x67,0x0a,0x28, + 0xea,0x69,0xd7,0x9c,0x71,0x7e,0xb1,0xc2,0x94,0x09,0x0d,0xbd,0x56,0x1f,0xa6,0xe5, + 0x04,0xd0,0x9d,0x26,0x57,0x24,0xe3,0x7a,0x2d,0xc6,0xf4,0x45,0xf6,0xf5,0x28,0xc9), + }, +}; + +START_TEST(test_sign_pss_no_salt) +{ + private_key_t *privkey; + public_key_t *pubkey; + chunk_t sig; + + if (!lib->plugins->has_feature(lib->plugins, + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PSS)) || + !lib->plugins->has_feature(lib->plugins, + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS))) + { + warn("%N not supported, skip test", signature_scheme_names, + SIGN_RSA_EMSA_PSS); + return; + } + privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + BUILD_RSA_MODULUS, pss_sign_ns[_i].n, + BUILD_RSA_PUB_EXP, pss_sign_ns[_i].e, + BUILD_RSA_PRIV_EXP, pss_sign_ns[_i].d, BUILD_END); + ck_assert(privkey != NULL); + pubkey = privkey->get_public_key(privkey); + ck_assert(pubkey != NULL); + fail_unless(privkey->sign(privkey, SIGN_RSA_EMSA_PSS, + &pss_sign_ns[_i].params, pss_sign_ns[_i].m, &sig), + "sign %N", signature_scheme_names, SIGN_RSA_EMSA_PSS); + ck_assert_chunk_eq(pss_sign_ns[_i].s, sig); + fail_unless(pubkey->verify(pubkey, SIGN_RSA_EMSA_PSS, + &pss_sign_ns[_i].params, pss_sign_ns[_i].m, sig), + "verify %N", signature_scheme_names, SIGN_RSA_EMSA_PSS); + free(sig.ptr); + pubkey->destroy(pubkey); + privkey->destroy(privkey); +} +END_TEST + +/** + * Test vectors from FIPS 186-4 (only SHA-256) + */ +static struct { + signature_scheme_t scheme; + chunk_t n; + struct { + bool exp; + chunk_t e; + chunk_t m; + chunk_t s; + } tests[6]; +} pkcs15_verify[] = { +{ + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .n = chunk_from_chars( + 0xc4,0x7a,0xba,0xcc,0x2a,0x84,0xd5,0x6f,0x36,0x14,0xd9,0x2f,0xd6,0x2e,0xd3,0x6d, + 0xdd,0xe4,0x59,0x66,0x4b,0x93,0x01,0xdc,0xd1,0xd6,0x17,0x81,0xcf,0xcc,0x02,0x6b, + 0xcb,0x23,0x99,0xbe,0xe7,0xe7,0x56,0x81,0xa8,0x0b,0x7b,0xf5,0x00,0xe2,0xd0,0x8c, + 0xea,0xe1,0xc4,0x2e,0xc0,0xb7,0x07,0x92,0x7f,0x2b,0x2f,0xe9,0x2a,0xe8,0x52,0x08, + 0x7d,0x25,0xf1,0xd2,0x60,0xcc,0x74,0x90,0x5e,0xe5,0xf9,0xb2,0x54,0xed,0x05,0x49, + 0x4a,0x9f,0xe0,0x67,0x32,0xc3,0x68,0x09,0x92,0xdd,0x6f,0x0d,0xc6,0x34,0x56,0x8d, + 0x11,0x54,0x2a,0x70,0x5f,0x83,0xae,0x96,0xd2,0xa4,0x97,0x63,0xd5,0xfb,0xb2,0x43, + 0x98,0xed,0xf3,0x70,0x2b,0xc9,0x4b,0xc1,0x68,0x19,0x01,0x66,0x49,0x2b,0x86,0x71, + 0xde,0x87,0x4b,0xb9,0xce,0xcb,0x05,0x8c,0x6c,0x83,0x44,0xaa,0x8c,0x93,0x75,0x4d, + 0x6e,0xff,0xcd,0x44,0xa4,0x1e,0xd7,0xde,0x0a,0x9d,0xcd,0x91,0x44,0x43,0x7f,0x21, + 0x2b,0x18,0x88,0x1d,0x04,0x2d,0x33,0x1a,0x46,0x18,0xa9,0xe6,0x30,0xef,0x9b,0xb6, + 0x63,0x05,0xe4,0xfd,0xf8,0xf0,0x39,0x1b,0x3b,0x23,0x13,0xfe,0x54,0x9f,0x01,0x89, + 0xff,0x96,0x8b,0x92,0xf3,0x3c,0x26,0x6a,0x4b,0xc2,0xcf,0xfc,0x89,0x7d,0x19,0x37, + 0xee,0xb9,0xe4,0x06,0xf5,0xd0,0xea,0xa7,0xa1,0x47,0x82,0xe7,0x6a,0xf3,0xfc,0xe9, + 0x8f,0x54,0xed,0x23,0x7b,0x4a,0x04,0xa4,0x15,0x9a,0x5f,0x62,0x50,0xa2,0x96,0xa9, + 0x02,0x88,0x02,0x04,0xe6,0x1d,0x89,0x1c,0x4d,0xa2,0x9f,0x2d,0x65,0xf3,0x4c,0xbb), + .tests = { + { + .exp = TRUE, + .e = chunk_from_chars(0x49,0xd2,0xa1), + .m = chunk_from_chars( + 0x95,0x12,0x3c,0x8d,0x1b,0x23,0x65,0x40,0xb8,0x69,0x76,0xa1,0x1c,0xea,0x31,0xf8, + 0xbd,0x4e,0x6c,0x54,0xc2,0x35,0x14,0x7d,0x20,0xce,0x72,0x2b,0x03,0xa6,0xad,0x75, + 0x6f,0xbd,0x91,0x8c,0x27,0xdf,0x8e,0xa9,0xce,0x31,0x04,0x44,0x4c,0x0b,0xbe,0x87, + 0x73,0x05,0xbc,0x02,0xe3,0x55,0x35,0xa0,0x2a,0x58,0xdc,0xda,0x30,0x6e,0x63,0x2a, + 0xd3,0x0b,0x3d,0xc3,0xce,0x0b,0xa9,0x7f,0xdf,0x46,0xec,0x19,0x29,0x65,0xdd,0x9c, + 0xd7,0xf4,0xa7,0x1b,0x02,0xb8,0xcb,0xa3,0xd4,0x42,0x64,0x6e,0xee,0xc4,0xaf,0x59, + 0x08,0x24,0xca,0x98,0xd7,0x4f,0xbc,0xa9,0x34,0xd0,0xb6,0x86,0x7a,0xa1,0x99,0x1f, + 0x30,0x40,0xb7,0x07,0xe8,0x06,0xde,0x6e,0x66,0xb5,0x93,0x4f,0x05,0x50,0x9b,0xea), + .s = chunk_from_chars( + 0x51,0x26,0x5d,0x96,0xf1,0x1a,0xb3,0x38,0x76,0x28,0x91,0xcb,0x29,0xbf,0x3f,0x1d, + 0x2b,0x33,0x05,0x10,0x70,0x63,0xf5,0xf3,0x24,0x5a,0xf3,0x76,0xdf,0xcc,0x70,0x27, + 0xd3,0x93,0x65,0xde,0x70,0xa3,0x1d,0xb0,0x5e,0x9e,0x10,0xeb,0x61,0x48,0xcb,0x7f, + 0x64,0x25,0xf0,0xc9,0x3c,0x4f,0xb0,0xe2,0x29,0x1a,0xdb,0xd2,0x2c,0x77,0x65,0x6a, + 0xfc,0x19,0x68,0x58,0xa1,0x1e,0x1c,0x67,0x0d,0x9e,0xeb,0x59,0x26,0x13,0xe6,0x9e, + 0xb4,0xf3,0xaa,0x50,0x17,0x30,0x74,0x3a,0xc4,0x46,0x44,0x86,0xc7,0xae,0x68,0xfd, + 0x50,0x9e,0x89,0x6f,0x63,0x88,0x4e,0x94,0x24,0xf6,0x9c,0x1c,0x53,0x97,0x95,0x9f, + 0x1e,0x52,0xa3,0x68,0x66,0x7a,0x59,0x8a,0x1f,0xc9,0x01,0x25,0x27,0x3d,0x93,0x41, + 0x29,0x5d,0x2f,0x8e,0x1c,0xc4,0x96,0x9b,0xf2,0x28,0xc8,0x60,0xe0,0x7a,0x35,0x46, + 0xbe,0x2e,0xed,0xa1,0xcd,0xe4,0x8e,0xe9,0x4d,0x06,0x28,0x01,0xfe,0x66,0x6e,0x4a, + 0x7a,0xe8,0xcb,0x9c,0xd7,0x92,0x62,0xc0,0x17,0xb0,0x81,0xaf,0x87,0x4f,0xf0,0x04, + 0x53,0xca,0x43,0xe3,0x4e,0xfd,0xb4,0x3f,0xff,0xb0,0xbb,0x42,0xa4,0xe2,0xd3,0x2a, + 0x5e,0x5c,0xc9,0xe8,0x54,0x6a,0x22,0x1f,0xe9,0x30,0x25,0x0e,0x5f,0x53,0x33,0xe0, + 0xef,0xe5,0x8f,0xfe,0xbf,0x19,0x36,0x9a,0x3b,0x8a,0xe5,0xa6,0x7f,0x6a,0x04,0x8b, + 0xc9,0xef,0x91,0x5b,0xda,0x25,0x16,0x07,0x29,0xb5,0x08,0x66,0x7a,0xda,0x84,0xa0, + 0xc2,0x7e,0x7e,0x26,0xcf,0x2a,0xbc,0xa4,0x13,0xe5,0xe4,0x69,0x3f,0x4a,0x94,0x05), + }, + { + .exp = FALSE, + .e = chunk_from_chars(0x49,0xd2,0xa1), + .m = chunk_from_chars( + 0xf8,0x9f,0xd2,0xf6,0xc4,0x5a,0x8b,0x50,0x66,0xa6,0x51,0x41,0x0b,0x8e,0x53,0x4b, + 0xfe,0xc0,0xd9,0xa3,0x6f,0x3e,0x2b,0x88,0x74,0x57,0xaf,0xd4,0x4d,0xd6,0x51,0xd1, + 0xec,0x79,0x27,0x4d,0xb5,0xa4,0x55,0xf1,0x82,0x57,0x2f,0xce,0xea,0x5e,0x9e,0x39, + 0xc3,0xc7,0xc5,0xd9,0xe5,0x99,0xe4,0xfe,0x31,0xc3,0x7c,0x34,0xd2,0x53,0xb4,0x19, + 0xc3,0xe8,0xfb,0x6b,0x91,0x6a,0xef,0x65,0x63,0xf8,0x7d,0x4c,0x37,0x22,0x4a,0x45, + 0x6e,0x59,0x52,0x69,0x8b,0xa3,0xd0,0x1b,0x38,0x94,0x5d,0x99,0x8a,0x79,0x5b,0xd2, + 0x85,0xd6,0x94,0x78,0xe3,0x13,0x1f,0x55,0x11,0x72,0x84,0xe2,0x7b,0x44,0x1f,0x16, + 0x09,0x5d,0xca,0x7c,0xe9,0xc5,0xb6,0x88,0x90,0xb0,0x9a,0x2b,0xfb,0xb0,0x10,0xa5), + .s = chunk_from_chars( + 0xba,0x48,0x53,0x87,0x08,0x51,0x2d,0x45,0xc0,0xed,0xca,0xc5,0x7a,0x9b,0x4f,0xb6, + 0x37,0xe9,0x72,0x1f,0x72,0x00,0x3c,0x60,0xf1,0x3f,0x5c,0x9a,0x36,0xc9,0x68,0xce, + 0xf9,0xbe,0x8f,0x54,0x66,0x54,0x18,0x14,0x1c,0x3d,0x9e,0xcc,0x02,0xa5,0xbf,0x95, + 0x2c,0xfc,0x05,0x5f,0xb5,0x1e,0x18,0x70,0x5e,0x9d,0x88,0x50,0xf4,0xe1,0xf5,0xa3, + 0x44,0xaf,0x55,0x0d,0xe8,0x4f,0xfd,0x08,0x05,0xe2,0x7e,0x55,0x7f,0x6a,0xa5,0x0d, + 0x26,0x45,0x31,0x4c,0x64,0xc1,0xc7,0x1a,0xa6,0xbb,0x44,0xfa,0xf8,0xf2,0x9c,0xa6, + 0x57,0x8e,0x24,0x41,0xd4,0x51,0x0e,0x36,0x05,0x2f,0x46,0x55,0x1d,0xf3,0x41,0xb2, + 0xdc,0xf4,0x3f,0x76,0x1f,0x08,0xb9,0x46,0xca,0x0b,0x70,0x81,0xda,0xdb,0xb8,0x8e, + 0x95,0x5e,0x82,0x0f,0xd7,0xf6,0x57,0xc4,0xdd,0x9f,0x45,0x54,0xd1,0x67,0xdd,0x7c, + 0x9a,0x48,0x7e,0xd4,0x1c,0xed,0x2b,0x40,0x06,0x80,0x98,0xde,0xed,0xc9,0x51,0x06, + 0x0f,0xaf,0x7e,0x15,0xb1,0xf0,0xf8,0x0a,0xe6,0x7f,0xf2,0xee,0x28,0xa2,0x38,0xd8, + 0x0b,0xf7,0x2d,0xd7,0x1c,0x8d,0x95,0xc7,0x9b,0xc1,0x56,0x11,0x4e,0xce,0x8e,0xc8, + 0x37,0x57,0x3a,0x4b,0x66,0x89,0x8d,0x45,0xb4,0x5a,0x5e,0xac,0xd0,0xb0,0xe4,0x14, + 0x47,0xd8,0xfa,0x08,0xa3,0x67,0xf4,0x37,0x64,0x5e,0x50,0xc9,0x92,0x0b,0x88,0xa1, + 0x6b,0xc0,0x88,0x01,0x47,0xac,0xfb,0x9a,0x79,0xde,0x9e,0x35,0x1b,0x3f,0xa0,0x0b, + 0x3f,0x4e,0x9f,0x18,0x2f,0x45,0x55,0x3d,0xff,0xca,0x55,0xe3,0x93,0xc5,0xea,0xb6), + }, + { + .exp = FALSE, + .e = chunk_from_chars(0x49,0xd2,0xa1), + .m = chunk_from_chars( + 0x91,0x5c,0x5e,0x4c,0x16,0xac,0xfa,0x0f,0x49,0xde,0x43,0xd6,0x49,0x1f,0x00,0x60, + 0xa9,0x44,0x03,0x44,0x75,0xba,0x51,0x85,0x72,0xc0,0x83,0x66,0xa8,0xd3,0x6c,0x7f, + 0x1e,0x6a,0xfc,0x11,0xe5,0xe4,0x64,0x97,0x57,0xbf,0x7b,0x9d,0xa1,0x0a,0x61,0xd5, + 0x7f,0x1d,0x62,0x68,0x47,0x87,0x1d,0x8a,0x29,0x48,0xe5,0x51,0xb5,0x41,0x67,0xc7, + 0x9d,0xe8,0x8d,0x3e,0xbd,0x40,0xa3,0xe3,0x58,0x09,0xb9,0x96,0xa5,0x33,0x48,0xf9, + 0x8a,0x99,0x18,0xc7,0xa7,0xec,0x60,0x68,0x96,0xed,0x30,0xc2,0x71,0xe0,0x0c,0x51, + 0x95,0x3d,0xd9,0x7a,0xa6,0xa8,0xfe,0x1c,0xd4,0x23,0xc3,0x69,0x5c,0x83,0xfc,0xf4, + 0x51,0x20,0xec,0x0a,0x9c,0xd1,0x64,0x46,0x42,0x18,0x2b,0x60,0xe5,0x99,0xa2,0x46), + .s = chunk_from_chars( + 0x3d,0x57,0xea,0x59,0x61,0xdb,0x8f,0xc1,0x44,0x30,0x1c,0xa4,0x27,0x8f,0x79,0x99, + 0x11,0x22,0x9d,0x86,0x5e,0xa3,0xe9,0x92,0xc7,0xfb,0xc4,0xd0,0x3c,0x65,0x51,0x72, + 0x9e,0x26,0x03,0x4e,0x95,0xdd,0x71,0xda,0x31,0x23,0x40,0xe4,0x05,0x1c,0x9d,0xd9, + 0xb1,0x2f,0x77,0x00,0xa8,0x21,0xfe,0x3b,0x7c,0x37,0x78,0x5d,0x51,0x06,0x35,0x0b, + 0x66,0x7a,0xc2,0x55,0xa5,0x7c,0x13,0xda,0x58,0x42,0xd9,0x0b,0xca,0xde,0xa9,0xe6, + 0xb1,0xf7,0x20,0xc6,0x07,0xd6,0x89,0x3a,0x2c,0xaa,0x3c,0x5f,0x3c,0x40,0x74,0xe9, + 0x14,0x45,0x1a,0x45,0x38,0x0a,0x76,0x7c,0x29,0x1a,0x67,0xca,0xc3,0xf1,0xca,0xb1, + 0xfb,0xd0,0x5a,0xdc,0x37,0x03,0x68,0x56,0xa8,0x40,0x4e,0x7c,0xea,0x36,0x54,0x01, + 0x94,0x66,0xde,0x44,0x9a,0xd6,0xe9,0x2b,0x27,0x25,0x4f,0x3d,0x25,0x94,0x9b,0x1b, + 0x86,0x00,0x65,0x40,0x64,0x55,0xa1,0x3d,0xb7,0xc5,0xfe,0x25,0xd1,0xaf,0x7a,0x84, + 0xcd,0xdf,0x77,0x92,0xc6,0x4e,0x16,0x26,0x0c,0x95,0x0d,0x60,0xbd,0x86,0xd0,0x05, + 0x92,0x41,0x48,0xad,0x09,0x7c,0x12,0x6b,0x84,0x94,0x7a,0xb6,0xe8,0x9d,0x48,0xf6, + 0x1e,0x71,0x1d,0x62,0x52,0x2b,0x6e,0x48,0xf1,0x61,0x86,0xd1,0x33,0x9e,0x6a,0xb3, + 0xf5,0x8c,0x35,0x9e,0xb2,0x4c,0xb6,0x80,0x43,0x73,0x75,0x91,0xcd,0x7d,0x93,0x90, + 0xa4,0x68,0xc0,0x02,0x2b,0x3b,0x25,0x3b,0xe5,0x2f,0x1a,0x7f,0xc4,0x08,0xf8,0x4e, + 0x9f,0xfb,0x4c,0x34,0xfa,0x9e,0x01,0x60,0x58,0x51,0xd6,0x58,0x3a,0xa1,0x30,0x32), + }, + { + .exp = FALSE, + .e = chunk_from_chars(0x07,0x48,0x5b), + .m = chunk_from_chars( + 0x03,0xd2,0xf0,0x69,0x35,0x17,0xcf,0xfb,0x2b,0x72,0x4c,0x1f,0x30,0x50,0x2c,0x53, + 0x59,0xc0,0x51,0xc1,0xbc,0xd8,0x8d,0xc1,0xdd,0x54,0xb8,0x9e,0x69,0x81,0x00,0x9d, + 0x27,0x5a,0x81,0x3b,0x2b,0xf0,0x16,0xb7,0x4d,0x0f,0x6e,0xd0,0xd9,0x1e,0x62,0xd0, + 0x88,0x47,0x85,0xc9,0xaf,0xd8,0xfd,0x1f,0xb7,0xe9,0x92,0x46,0xcd,0x40,0x05,0xcd, + 0xda,0x71,0xa3,0x9c,0xb6,0x49,0x19,0x7a,0x99,0x6d,0x8a,0xd2,0xd2,0x3f,0xdf,0xb6, + 0xbb,0x01,0x5f,0x24,0xec,0x3d,0x7f,0x88,0xaf,0x64,0xfb,0x83,0xb4,0xb5,0x25,0xeb, + 0x06,0x60,0x7d,0x13,0x3e,0xec,0x83,0x4c,0xf7,0xd6,0xc9,0xab,0x81,0x7b,0x4c,0x0d, + 0xda,0x37,0x04,0x59,0xd9,0xcf,0xba,0x05,0xad,0x0c,0x1a,0xdc,0x86,0xa9,0x09,0xfe), + .s = chunk_from_chars( + 0x51,0x1a,0xbd,0x82,0x21,0x8c,0xab,0x34,0x49,0x79,0xb2,0x88,0x7b,0x02,0x60,0x0d, + 0x24,0x27,0xf1,0xeb,0x12,0xac,0x01,0xd9,0x76,0x84,0xc2,0xa4,0x43,0xa9,0x27,0x28, + 0x34,0xc3,0xf7,0x9c,0xde,0xd0,0x7a,0x39,0xdb,0xee,0x37,0x70,0xdd,0xe8,0x27,0xa7, + 0x4d,0xc9,0x94,0xb1,0x7b,0xfd,0x8a,0x26,0xd0,0x7b,0x23,0x9d,0x26,0xd5,0x8c,0x42, + 0xf7,0x9d,0x56,0x02,0x64,0xc3,0x1b,0x7e,0x1c,0x3d,0xdd,0xef,0x6d,0x75,0x56,0xf2, + 0x28,0xc3,0x94,0x41,0x4f,0x4c,0xec,0x56,0x1c,0x3d,0xa2,0x68,0x6a,0x8e,0xeb,0xec, + 0x77,0x02,0xf3,0x28,0x50,0x80,0x9a,0x93,0xde,0xeb,0x84,0xb2,0xa0,0x2f,0xcd,0xba, + 0x22,0x4d,0x2f,0xd9,0xef,0xb8,0xe0,0x56,0xe7,0x96,0xf4,0x9b,0x57,0xd5,0x6e,0x9f, + 0x3e,0x90,0xd0,0xb4,0x9b,0x08,0xbd,0xee,0x93,0xa2,0xe1,0x2e,0x67,0x6f,0xb4,0xd4, + 0xfa,0x83,0x8c,0x5b,0xd8,0x8e,0xda,0x00,0x8f,0x1b,0x59,0x2a,0x72,0x46,0x55,0x87, + 0xbe,0x0a,0xe1,0x7d,0x9b,0x15,0x6b,0x90,0x4f,0x44,0xa7,0xe0,0x4d,0x3b,0x58,0xd2, + 0x4a,0xd6,0x7b,0x71,0xb0,0xf4,0xc6,0x99,0xfa,0x51,0x63,0x95,0x46,0xb6,0x2b,0x9f, + 0x83,0x59,0x7f,0xf0,0x3d,0x46,0x5f,0x1b,0xb3,0x96,0xae,0x15,0xe9,0x2d,0x0e,0x92, + 0xe8,0x56,0x47,0xd5,0xdf,0x11,0x3e,0x2c,0x75,0x18,0xd0,0xe3,0xad,0x2e,0x7a,0xa7, + 0xda,0xc7,0x20,0xc9,0x83,0x47,0xaa,0x15,0x1e,0x4f,0x37,0xfe,0xa0,0x81,0xdb,0xed, + 0x35,0x0c,0xc9,0xc9,0x3f,0x60,0x6b,0x38,0xf2,0x1a,0x3e,0x5d,0xe6,0xd1,0x40,0xd2), + }, + { + .exp = FALSE, + .e = chunk_from_chars(0x49,0xd2,0xa1), + .m = chunk_from_chars( + 0xdf,0xfe,0x42,0xbf,0xda,0x88,0x6e,0x1a,0x73,0xfe,0x8a,0x8d,0xfc,0xf7,0x1c,0x9f, + 0xb4,0x4d,0xeb,0x05,0x45,0x88,0xa9,0xbb,0x91,0x99,0xd5,0x54,0xae,0xcc,0xe0,0x8f, + 0x2f,0xf8,0x8f,0x2a,0xa6,0xf8,0xa0,0xfb,0x67,0x5f,0xb0,0x3c,0x8e,0x68,0x5c,0x27, + 0x43,0x2c,0xa7,0xc3,0x3c,0x18,0x9b,0xfd,0x84,0x9d,0x34,0xfa,0x7b,0x29,0x79,0xac, + 0x1f,0x57,0xec,0xa3,0x89,0x63,0x24,0x26,0xba,0xe0,0xb9,0x83,0x98,0xad,0x60,0xa3, + 0x34,0x25,0x57,0xe1,0x4e,0x96,0x04,0x1c,0x1b,0xf4,0xd9,0x0b,0x46,0xcf,0x7a,0xd1, + 0x34,0x83,0x22,0xd2,0x8c,0xaf,0x43,0xc4,0xf7,0xe8,0x6c,0x09,0x24,0xae,0x70,0x3c, + 0x10,0x9e,0xc5,0x0a,0x84,0xea,0x2a,0x43,0xdf,0x07,0x8c,0x30,0x15,0xa5,0x2b,0x28), + .s = chunk_from_chars( + 0x8f,0x4d,0xd4,0x79,0x23,0x9f,0x2d,0x08,0xdc,0x05,0xd7,0xd4,0x05,0x39,0x28,0x8b, + 0x67,0xc4,0xd7,0x72,0x10,0xec,0xb1,0x6b,0xe7,0x6f,0x0b,0x19,0x25,0xe8,0xb0,0x88, + 0x57,0x08,0x31,0xe3,0x61,0xa1,0xca,0x57,0x89,0x31,0x35,0xf8,0xaf,0x64,0xb8,0xe2, + 0x99,0x6b,0x8d,0x63,0x58,0x99,0xda,0x4e,0x04,0xc6,0x8a,0xcb,0x9b,0x1b,0x38,0x13, + 0x69,0x7d,0x57,0xda,0x90,0xc5,0x7f,0x18,0x50,0x9e,0x0a,0xb6,0x70,0x5c,0x70,0x4f, + 0xeb,0x44,0x8c,0xca,0x5c,0x07,0xd2,0x58,0xec,0xd8,0x84,0xab,0x93,0xf5,0x08,0xce, + 0xfd,0xb2,0x5f,0x2b,0xc3,0x06,0x1c,0x40,0x06,0x09,0x9e,0x2e,0x33,0xb2,0x79,0x72, + 0xc3,0xed,0xb0,0xa0,0xa3,0x31,0x14,0xd3,0x81,0xc8,0x2a,0xb5,0x06,0xd0,0x41,0xff, + 0x68,0x0a,0xf5,0x95,0xef,0x34,0x00,0xa8,0xbb,0x67,0x74,0x03,0x0d,0x2e,0x38,0xdd, + 0x30,0x42,0x72,0x09,0x2b,0xd3,0x2a,0x55,0x30,0x17,0xf7,0xbd,0xa4,0xb9,0x98,0xb2, + 0x7a,0xa8,0xac,0xa1,0x2d,0xef,0x32,0x7b,0x1f,0x11,0x06,0x3a,0x53,0x42,0xb0,0xd5, + 0x57,0x38,0x18,0x34,0x17,0xd3,0x21,0xc5,0x68,0x2f,0xc4,0xab,0x64,0xe7,0x91,0x74, + 0x21,0x6f,0xee,0xbb,0x98,0x95,0x21,0xe1,0xe3,0xd8,0x27,0x64,0x70,0x68,0x00,0x3b, + 0xe3,0x4f,0xe1,0xd0,0x93,0x96,0x4d,0x28,0xf4,0x87,0x7c,0x49,0xb4,0x06,0x56,0x72, + 0x44,0x85,0x97,0xa8,0x9b,0x91,0x91,0x9c,0xfb,0x55,0xca,0x13,0x83,0x6e,0x7e,0x6f, + 0x3b,0x3f,0xd0,0x4f,0x41,0x7c,0xf1,0xc1,0x6d,0x98,0x72,0x53,0x8b,0xf4,0xe8,0x7a), + }, + { + .exp = FALSE, + .e = chunk_from_chars(0x49,0xd2,0xa1), + .m = chunk_from_chars( + 0xcf,0xe9,0x97,0x88,0xf5,0x5e,0xc6,0x94,0x49,0x42,0xbd,0x0a,0x18,0x7d,0x51,0xb8, + 0x0f,0xd8,0xbd,0x40,0x51,0xbd,0x4f,0x07,0xc7,0x3e,0x61,0x4e,0xb7,0x5a,0x8b,0x9f, + 0x99,0x7b,0x17,0x6b,0x26,0x42,0xb5,0xf1,0xb1,0x87,0x70,0x61,0xba,0x9c,0xe1,0x42, + 0xc1,0xd2,0xa3,0x11,0x58,0x3f,0x07,0x2b,0x7c,0xbe,0x08,0xed,0x25,0x36,0x81,0x19, + 0x1c,0x20,0x9d,0x7b,0x0d,0x43,0x8f,0xcd,0xdd,0xc2,0x84,0xd9,0x3d,0x59,0xd6,0xdd, + 0x80,0xe4,0x83,0x33,0xa9,0x21,0xdd,0x31,0xc9,0xb6,0x83,0x4f,0x88,0x76,0x8f,0x87, + 0x01,0xe0,0x11,0x02,0xd3,0xe8,0xbd,0xf0,0x74,0xfb,0xe0,0xb8,0xc9,0x3d,0x99,0x51, + 0xf4,0x15,0x45,0xef,0x6e,0xeb,0x3b,0xe3,0x55,0x30,0xba,0xbc,0x07,0x9f,0x1f,0xb3), + .s = chunk_from_chars( + 0x9f,0xd6,0xf6,0x10,0x7e,0x83,0x81,0x07,0xf9,0x06,0xc2,0x6c,0xb2,0x91,0x07,0x04, + 0x59,0x9f,0x17,0x5b,0x6a,0x84,0xdb,0x48,0x5f,0xbc,0x30,0x77,0x6e,0xb7,0xfd,0x53, + 0xbf,0xe2,0x0c,0x38,0xc5,0x37,0xb1,0x54,0xa3,0xe5,0x19,0xb6,0x62,0xbd,0x9f,0xdc, + 0x8e,0x30,0x45,0xe2,0x1f,0x6e,0x5a,0xe9,0x7d,0x0f,0xf6,0xa9,0xd8,0x63,0x28,0x25, + 0x54,0x45,0x25,0xd8,0x4f,0x99,0xf8,0x0e,0x3e,0xd4,0xe6,0x9d,0xc5,0xe2,0x19,0xd5, + 0x9c,0xcf,0xbb,0x37,0xc2,0x3c,0x84,0xfe,0x3b,0x3e,0x6f,0xb2,0x2f,0x40,0x2f,0x94, + 0xe5,0x22,0x5c,0x63,0x87,0xfd,0xf8,0xbc,0xdb,0x35,0x08,0xf8,0x83,0x29,0x08,0xfe, + 0x05,0x77,0x15,0x21,0xe9,0x22,0x34,0x34,0x80,0x04,0xe8,0xfe,0x19,0xa8,0xf2,0x4b, + 0xeb,0xca,0xb9,0xf0,0x74,0x32,0x7c,0x88,0xd0,0x66,0xbc,0x12,0x08,0x17,0x48,0xd6, + 0x96,0xbe,0x61,0x35,0xc6,0xae,0xa3,0x22,0x20,0xea,0x78,0x6e,0xbd,0x78,0x00,0xe6, + 0x93,0x63,0x65,0xff,0x25,0x83,0x1c,0x28,0xcb,0x6c,0x8a,0x59,0x23,0x7f,0xf8,0x4f, + 0x5c,0xf8,0x90,0x36,0xcf,0xf1,0x88,0xee,0x0f,0x9a,0x61,0x95,0xf2,0xb1,0xac,0xa2, + 0xe4,0x44,0x2a,0xf8,0x36,0x9f,0x1b,0x49,0x32,0x2f,0xa2,0xf8,0x91,0xb8,0x3a,0x14, + 0xa9,0x7b,0x60,0xc6,0xae,0xaf,0xd6,0xc2,0x92,0x80,0x47,0xaf,0xfd,0xa9,0xc8,0xd8, + 0x69,0xff,0x52,0x94,0xbb,0x59,0x43,0xad,0x14,0xa6,0xd6,0x4e,0x78,0x4d,0x12,0x6c, + 0x46,0x9d,0x51,0xe2,0x92,0xb9,0xce,0x33,0xe1,0xd8,0x37,0x1b,0xa5,0xf4,0x67,0xb3), + }, + }, +}, +}; + +START_TEST(test_verify_pkcs15) +{ + signature_scheme_t scheme = pkcs15_verify[_i].scheme; + public_key_t *pubkey; + bool result; + int i; + + if (!lib->plugins->has_feature(lib->plugins, + PLUGIN_PROVIDE(PUBKEY_VERIFY, scheme))) + { + warn("%N not supported, skip test", signature_scheme_names, scheme); + return; + } + for (i = 0; i < countof(pkcs15_verify[_i].tests); i++) + { + pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, + BUILD_RSA_MODULUS, pkcs15_verify[_i].n, + BUILD_RSA_PUB_EXP, pkcs15_verify[_i].tests[i].e, + BUILD_END); + ck_assert(pubkey != NULL); + result = pubkey->verify(pubkey, scheme, NULL, + pkcs15_verify[_i].tests[i].m, + pkcs15_verify[_i].tests[i].s); + fail_unless(result == pkcs15_verify[_i].tests[i].exp, + "verify %N [%d]", signature_scheme_names, scheme, i); + pubkey->destroy(pubkey); + } +} +END_TEST + +/** + * Test vectors from FIPS 186-4 + */ +static struct { + rsa_pss_params_t params; + chunk_t n; + struct { + bool exp; + chunk_t e; + chunk_t m; + chunk_t s; + } tests[6]; +} pss_verify[] = { +{ + .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = 32, }, + .n = chunk_from_chars( + 0xa4,0x7d,0x04,0xe7,0xca,0xcd,0xba,0x4e,0xa2,0x6e,0xca,0x8a,0x4c,0x6e,0x14,0x56, + 0x3c,0x2c,0xe0,0x3b,0x62,0x3b,0x76,0x8c,0x0d,0x49,0x86,0x8a,0x57,0x12,0x13,0x01, + 0xdb,0xf7,0x83,0xd8,0x2f,0x4c,0x05,0x5e,0x73,0x96,0x0e,0x70,0x55,0x01,0x87,0xd0, + 0xaf,0x62,0xac,0x34,0x96,0xf0,0xa3,0xd9,0x10,0x3c,0x2e,0xb7,0x91,0x9a,0x72,0x75, + 0x2f,0xa7,0xce,0x8c,0x68,0x8d,0x81,0xe3,0xae,0xe9,0x94,0x68,0x88,0x7a,0x15,0x28, + 0x8a,0xfb,0xb7,0xac,0xb8,0x45,0xb7,0xc5,0x22,0xb5,0xc6,0x4e,0x67,0x8f,0xcd,0x3d, + 0x22,0xfe,0xb8,0x4b,0x44,0x27,0x27,0x00,0xbe,0x52,0x7d,0x2b,0x20,0x25,0xa3,0xf8, + 0x3c,0x23,0x83,0xbf,0x6a,0x39,0xcf,0x5b,0x4e,0x48,0xb3,0xcf,0x2f,0x56,0xee,0xf0, + 0xdf,0xff,0x18,0x55,0x5e,0x31,0x03,0x7b,0x91,0x52,0x48,0x69,0x48,0x76,0xf3,0x04, + 0x78,0x14,0x41,0x51,0x64,0xf2,0xc6,0x60,0x88,0x1e,0x69,0x4b,0x58,0xc2,0x80,0x38, + 0xa0,0x32,0xad,0x25,0x63,0x4a,0xad,0x7b,0x39,0x17,0x1d,0xee,0x36,0x8e,0x3d,0x59, + 0xbf,0xb7,0x29,0x9e,0x46,0x01,0xd4,0x58,0x7e,0x68,0xca,0xaf,0x8d,0xb4,0x57,0xb7, + 0x5a,0xf4,0x2f,0xc0,0xcf,0x1a,0xe7,0xca,0xce,0xd2,0x86,0xd7,0x7f,0xac,0x6c,0xed, + 0xb0,0x3a,0xd9,0x4f,0x14,0x33,0xd2,0xc9,0x4d,0x08,0xe6,0x0b,0xc1,0xfd,0xef,0x05, + 0x43,0xcd,0x29,0x51,0xe7,0x65,0xb3,0x82,0x30,0xfd,0xd1,0x8d,0xe5,0xd2,0xca,0x62, + 0x7d,0xdc,0x03,0x2f,0xe0,0x5b,0xbd,0x2f,0xf2,0x1e,0x2d,0xb1,0xc2,0xf9,0x4d,0x8b), + .tests = { + { /* Format of the EM is incorrect - hash moved to left */ + .exp = FALSE, + .e = chunk_from_chars(0x10,0xe4,0x3f), + .m = chunk_from_chars( + 0x75,0x18,0xc8,0x5b,0x67,0xe7,0xae,0xf7,0xf2,0x6b,0xf0,0x06,0x89,0x9f,0xae,0xf7, + 0x6e,0x07,0x6f,0x0c,0x6c,0x94,0x6e,0x5d,0xc9,0xc8,0x35,0x21,0x77,0x1a,0x6d,0x29, + 0x8a,0x9c,0xf5,0xad,0xef,0xdb,0x31,0x4b,0x5a,0x07,0xa5,0x4d,0x80,0x54,0xc2,0x2b, + 0x87,0x9f,0xff,0x50,0xba,0x55,0x2c,0x21,0x82,0x91,0x03,0x3c,0x91,0x84,0x01,0xfd, + 0x61,0x1a,0x74,0x47,0xdd,0xda,0xd4,0x81,0x5e,0x0f,0x56,0xde,0xd8,0x25,0xbf,0xe2, + 0x56,0x55,0x76,0x22,0xa3,0x85,0xde,0x4b,0x4a,0x69,0xe2,0x65,0xc1,0xef,0xd2,0x59, + 0xe2,0xda,0x6d,0xb1,0x9a,0xac,0x3f,0xa0,0xe5,0xca,0x2d,0x42,0xfa,0xdb,0x4e,0x24, + 0xc2,0x71,0xfc,0x07,0x8f,0xeb,0x2b,0xe1,0x0b,0x9a,0xfa,0x25,0x6f,0x22,0x88,0x44), + .s = chunk_from_chars( + 0x99,0x2d,0x48,0xb2,0x1b,0xb3,0xd2,0x21,0x9b,0x44,0xe8,0xfc,0xc8,0x63,0x3c,0xf3, + 0xae,0xb5,0x91,0xde,0x90,0xf4,0x38,0x64,0x96,0xac,0x7e,0xcd,0x28,0x4c,0xb6,0x3d, + 0x7d,0xff,0x81,0xa5,0x0b,0x8c,0x4f,0xed,0x9f,0x2e,0xf7,0x37,0x69,0x2e,0xa6,0xbe, + 0x05,0x24,0x8c,0xa1,0x38,0x94,0x7b,0x49,0xb4,0xe7,0xf3,0xcc,0xe6,0x64,0x0e,0x04, + 0x9a,0xc2,0x15,0x4c,0x40,0xf5,0x7e,0x22,0xfa,0x14,0xf9,0x7e,0x7a,0x95,0x07,0xe1, + 0xdc,0x98,0xb2,0x06,0xce,0x6e,0xa0,0xe1,0x80,0x03,0x91,0x99,0xd1,0xbe,0x0a,0x15, + 0xd1,0xf5,0x09,0x3a,0x45,0x9e,0x51,0x01,0xaa,0xca,0x2a,0x23,0xcb,0x1f,0x59,0xca, + 0xd2,0xf1,0xfb,0x99,0xdc,0x95,0x6b,0x9d,0x43,0x44,0xba,0xd2,0xc1,0x12,0x1d,0x63, + 0xb9,0x15,0x00,0x4a,0xcb,0xfc,0x7a,0xc6,0x0a,0xc9,0xa7,0xb0,0xb1,0xc6,0x81,0x2b, + 0x30,0xbf,0xe0,0x87,0xf7,0xf0,0xc7,0xd1,0x62,0x5f,0x9c,0x4f,0x45,0x85,0x15,0xe1, + 0x14,0x78,0xe3,0x60,0x4a,0xa3,0x9d,0x14,0xd0,0x8b,0xea,0x30,0xb0,0x1f,0xcd,0x61, + 0x89,0xe6,0xf9,0xb7,0x01,0xd3,0x60,0xe4,0x71,0x4d,0x45,0x55,0x6b,0x29,0x81,0x5c, + 0x8d,0x8f,0xa8,0xe4,0x6e,0x10,0x74,0x9b,0xa5,0xe8,0xd4,0x45,0xa4,0xc0,0xf4,0x87, + 0xe7,0x0a,0xb5,0x89,0x0b,0x7c,0xcc,0x16,0x51,0x28,0x2a,0x54,0xe8,0x7e,0x7d,0xb4, + 0xbb,0x2f,0x7d,0x4a,0x67,0x1e,0x71,0xc4,0x3c,0x55,0xcf,0x64,0x86,0x41,0x6f,0x17, + 0x1d,0x19,0x55,0x03,0x74,0x74,0xd0,0x6a,0x71,0xdd,0x07,0x87,0x67,0x84,0x8e,0x5d), + }, + { + .exp = TRUE, + .e = chunk_from_chars(0x10,0xe4,0x3f), + .m = chunk_from_chars( + 0xe0,0x02,0x37,0x7a,0xff,0xb0,0x4f,0x0f,0xe4,0x59,0x8d,0xe9,0xd9,0x2d,0x31,0xd6, + 0xc7,0x86,0x04,0x0d,0x57,0x76,0x97,0x65,0x56,0xa2,0xcf,0xc5,0x5e,0x54,0xa1,0xdc, + 0xb3,0xcb,0x1b,0x12,0x6b,0xd6,0xa4,0xbe,0xd2,0xa1,0x84,0x99,0x0c,0xce,0xa7,0x73, + 0xfc,0xc7,0x9d,0x24,0x65,0x53,0xe6,0xc6,0x4f,0x68,0x6d,0x21,0xad,0x41,0x52,0x67, + 0x3c,0xaf,0xec,0x22,0xae,0xb4,0x0f,0x6a,0x08,0x4e,0x8a,0x5b,0x49,0x91,0xf4,0xc6, + 0x4c,0xf8,0xa9,0x27,0xef,0xfd,0x0f,0xd7,0x75,0xe7,0x1e,0x83,0x29,0xe4,0x1f,0xdd, + 0x44,0x57,0xb3,0x91,0x11,0x73,0x18,0x7b,0x4f,0x09,0xa8,0x17,0xd7,0x9e,0xa2,0x39, + 0x7f,0xc1,0x2d,0xfe,0x3d,0x9c,0x9a,0x02,0x90,0xc8,0xea,0xd3,0x1b,0x66,0x90,0xa6), + .s = chunk_from_chars( + 0x4f,0x9b,0x42,0x5c,0x20,0x58,0x46,0x0e,0x4a,0xb2,0xf5,0xc9,0x63,0x84,0xda,0x23, + 0x27,0xfd,0x29,0x15,0x0f,0x01,0x95,0x5a,0x76,0xb4,0xef,0xe9,0x56,0xaf,0x06,0xdc, + 0x08,0x77,0x9a,0x37,0x4e,0xe4,0x60,0x7e,0xab,0x61,0xa9,0x3a,0xdc,0x56,0x08,0xf4, + 0xec,0x36,0xe4,0x7f,0x2a,0x0f,0x75,0x4e,0x8f,0xf8,0x39,0xa8,0xa1,0x9b,0x1d,0xb1, + 0xe8,0x84,0xea,0x4c,0xf3,0x48,0xcd,0x45,0x50,0x69,0xeb,0x87,0xaf,0xd5,0x36,0x45, + 0xb4,0x4e,0x28,0xa0,0xa5,0x68,0x08,0xf5,0x03,0x1d,0xa5,0xba,0x91,0x12,0x76,0x8d, + 0xfb,0xfc,0xa4,0x4e,0xbe,0x63,0xa0,0xc0,0x57,0x2b,0x73,0x1d,0x66,0x12,0x2f,0xb7, + 0x16,0x09,0xbe,0x14,0x80,0xfa,0xa4,0xe4,0xf7,0x5e,0x43,0x95,0x51,0x59,0xd7,0x0f, + 0x08,0x1e,0x2a,0x32,0xfb,0xb1,0x9a,0x48,0xb9,0xf1,0x62,0xcf,0x6b,0x2f,0xb4,0x45, + 0xd2,0xd6,0x99,0x4b,0xc5,0x89,0x10,0xa2,0x6b,0x59,0x43,0x47,0x78,0x03,0xcd,0xaa, + 0xa1,0xbd,0x74,0xb0,0xda,0x0a,0x5d,0x05,0x3d,0x8b,0x1d,0xc5,0x93,0x09,0x1d,0xb5, + 0x38,0x83,0x83,0xc2,0x60,0x79,0xf3,0x44,0xe2,0xae,0xa6,0x00,0xd0,0xe3,0x24,0x16, + 0x4b,0x45,0x0f,0x7b,0x9b,0x46,0x51,0x11,0xb7,0x26,0x5f,0x3b,0x1b,0x06,0x30,0x89, + 0xae,0x7e,0x26,0x23,0xfc,0x0f,0xda,0x80,0x52,0xcf,0x4b,0xf3,0x37,0x91,0x02,0xfb, + 0xf7,0x1d,0x7c,0x98,0xe8,0x25,0x86,0x64,0xce,0xed,0x63,0x7d,0x20,0xf9,0x5f,0xf0, + 0x11,0x18,0x81,0xe6,0x50,0xce,0x61,0xf2,0x51,0xd9,0xc3,0xa6,0x29,0xef,0x22,0x2d), + }, + { /* Message changed */ + .exp = FALSE, + .e = chunk_from_chars(0x10,0xe4,0x3f), + .m = chunk_from_chars( + 0xa3,0xbf,0x44,0xca,0xe8,0xaa,0x83,0x47,0xfd,0x07,0xd8,0x4a,0x33,0xee,0xc5,0xdb, + 0xbd,0xd7,0xb6,0x43,0x13,0x68,0x88,0x7c,0x98,0x8c,0x4b,0xe7,0x79,0xc5,0x47,0x3d, + 0xd8,0xc3,0x3e,0xc8,0x2a,0x35,0xf1,0xd3,0xdd,0xdf,0xe5,0x5f,0x3e,0xed,0x67,0x17, + 0x9b,0x87,0xce,0x86,0xa4,0xa5,0x00,0x88,0x17,0x25,0x38,0xfe,0x9d,0x1b,0x06,0xc6, + 0xef,0x68,0x97,0xeb,0x3c,0x8e,0x36,0x18,0xcf,0xc2,0x13,0x53,0xed,0x43,0x43,0xe7, + 0xfc,0xeb,0x09,0xa2,0xeb,0x03,0x54,0x41,0xcd,0x5c,0x88,0x29,0xc7,0x9b,0x81,0x58, + 0x2d,0xd5,0xd6,0x9a,0xe8,0x5c,0x5a,0x00,0x1b,0xd8,0xe9,0x8e,0x06,0x99,0x61,0x34, + 0x2a,0x2b,0xee,0x00,0xad,0x2b,0x8b,0x91,0x01,0x5a,0xc5,0xcf,0xc1,0xf0,0xc2,0xd9), + .s = chunk_from_chars( + 0x87,0x7f,0x20,0xee,0xd6,0x0f,0x8c,0xe2,0x86,0x10,0x8a,0x5d,0xde,0x9b,0x68,0x28, + 0xb3,0x7e,0x3f,0xbd,0xb0,0x8f,0xe1,0x53,0xe5,0x91,0x51,0x38,0x97,0x44,0x0f,0x21, + 0xf8,0x12,0x14,0x59,0x8f,0xba,0x08,0xea,0x07,0x73,0x94,0xba,0x8c,0x2a,0x44,0xaa, + 0x4f,0x0d,0x8f,0x3a,0x5f,0xba,0xec,0x3d,0xc6,0x9b,0x3b,0xdd,0xfb,0xe2,0x83,0x97, + 0xc9,0x0a,0xdf,0x35,0xd0,0x8e,0xa7,0x71,0xc7,0xaa,0xa3,0x1e,0xb0,0x64,0x13,0xc1, + 0xc6,0x2b,0x77,0x61,0x8a,0xf9,0x40,0xf4,0xc7,0x18,0x59,0xfa,0x43,0x84,0xd2,0x9b, + 0x48,0xe5,0xcf,0xc9,0x41,0xd6,0x9b,0xf0,0xa3,0x80,0x4d,0x20,0x08,0xe7,0x58,0x74, + 0x2b,0x8e,0xd6,0x87,0x54,0xbc,0x71,0xd2,0x31,0x62,0x3d,0x18,0x13,0x47,0xc3,0x68, + 0x33,0xa7,0xd7,0x16,0x0f,0x74,0x2a,0x37,0xce,0x7d,0x43,0x2d,0x74,0x8e,0x51,0x4a, + 0xa7,0xd8,0x15,0x6b,0x50,0xc5,0x32,0x15,0x13,0x90,0xd0,0x86,0xcd,0xcf,0x9d,0x59, + 0xf1,0x22,0xc6,0xd9,0x7f,0x4c,0xcb,0x73,0x72,0x89,0xf7,0xb0,0x0a,0x23,0x7c,0xb6, + 0xb4,0xaa,0xe6,0xba,0x79,0xd4,0x1f,0xf7,0x3d,0x01,0x9a,0x26,0xb5,0x9a,0xde,0x04, + 0xc9,0x67,0x35,0x6e,0x2a,0xad,0x52,0xf1,0x15,0x35,0x7f,0xfb,0x76,0x76,0xf1,0x90, + 0xdb,0x38,0xdc,0xfc,0x98,0x66,0x6e,0x5b,0x25,0x85,0x59,0xc8,0xc8,0x5f,0xa3,0x29, + 0x42,0xcb,0xcb,0x99,0xd7,0x57,0xe8,0x84,0x7e,0x56,0xa1,0x68,0x7b,0x33,0x02,0x41, + 0x56,0x98,0x70,0x81,0x91,0xb1,0x36,0xd9,0x23,0x34,0x9b,0x02,0xfe,0x38,0xb6,0xbe), + }, + { /* Signature changed */ + .exp = FALSE, + .e = chunk_from_chars(0x10,0xe4,0x3f), + .m = chunk_from_chars( + 0xe1,0xc4,0x6c,0x30,0x9b,0x63,0x66,0xfb,0x4d,0x56,0xac,0x08,0xc9,0x39,0x3c,0xee, + 0x9a,0x7c,0x95,0xbb,0xe7,0xb7,0xc0,0xe7,0x9a,0x3d,0x91,0x87,0xc0,0xf4,0x2b,0xc3, + 0x33,0x64,0xc2,0x8a,0x77,0x0d,0xa5,0x85,0xe3,0xfe,0x7b,0x49,0x01,0xa3,0xcc,0xd0, + 0x37,0xdf,0xc4,0x2a,0xa6,0x5a,0x34,0x70,0x52,0x1d,0xda,0xfa,0x83,0x5c,0xe2,0xd1, + 0x6c,0x92,0xac,0x67,0x0b,0xd4,0xd0,0x86,0x50,0x5e,0x60,0x87,0x81,0x73,0x6d,0xc4, + 0xdd,0x64,0xcc,0x50,0x80,0xee,0x19,0xe5,0x86,0xc8,0xfd,0x1d,0x73,0x7d,0xad,0xe5, + 0xd3,0x78,0xb3,0x2f,0x1d,0x5d,0xf1,0xe8,0xdd,0xa0,0xe3,0x2a,0x12,0x50,0x24,0xb2, + 0xd5,0x33,0x34,0x94,0x3c,0x18,0x78,0x2d,0x7e,0x69,0x82,0x5a,0x58,0x00,0x93,0xe7), + .s = chunk_from_chars( + 0x8e,0xd1,0xf2,0x8f,0xd1,0x6d,0x45,0xd4,0x16,0xa2,0x15,0x54,0xe1,0x04,0xc0,0x06, + 0xfd,0x78,0x68,0xe5,0x89,0x5e,0x8b,0x99,0x83,0x1a,0xe0,0x93,0x81,0x35,0xb5,0x43, + 0x61,0x0d,0xf6,0x4a,0x8c,0x35,0x74,0xd0,0x81,0x18,0xbf,0xe3,0x96,0xf9,0xa5,0x60, + 0x9a,0x8d,0xbd,0xa2,0x1b,0x9a,0x85,0x30,0xff,0x0b,0xa9,0x0e,0x62,0x9d,0x6a,0xbe, + 0x30,0xd2,0xc1,0xb5,0x90,0x60,0x0d,0xb9,0x71,0xfc,0xda,0x80,0xe6,0xea,0xa8,0x40, + 0x17,0xe2,0x09,0xb9,0xbd,0x3b,0x64,0x1f,0x3c,0x81,0xd5,0xd2,0x7f,0x84,0x2b,0xec, + 0x80,0x19,0x79,0x0e,0xd9,0x9a,0x0e,0x5d,0xb4,0xae,0xdc,0x1c,0x07,0x0b,0x04,0x7c, + 0x19,0x41,0x0c,0xbc,0x56,0xe9,0xa0,0xff,0x12,0xd8,0xf6,0xe5,0xd7,0x37,0x1b,0x10, + 0x11,0xec,0xfe,0xcf,0x7b,0xe7,0xa7,0x4f,0x94,0x40,0x35,0x90,0xa5,0x2f,0x95,0x23, + 0x8d,0xd6,0x9e,0x0b,0x5f,0x4c,0x1f,0xcd,0xe9,0x7e,0xcf,0xdb,0x1a,0xcc,0x38,0x03, + 0xe5,0x9a,0xd8,0xb3,0x08,0x8b,0x2b,0xc5,0x09,0xe3,0xdd,0x12,0xd4,0x0d,0x87,0x56, + 0x25,0xdc,0x83,0x62,0xc5,0x79,0x17,0x67,0x99,0xc7,0x5e,0x4f,0xad,0xcd,0xb3,0x92, + 0xc6,0x8f,0x40,0x1f,0x68,0xd8,0x54,0xe4,0x63,0x77,0xf0,0x84,0xc0,0x81,0xf9,0xd8, + 0x37,0x43,0x03,0x9f,0x69,0x34,0x72,0x2e,0x30,0xef,0x3f,0x02,0x26,0xbc,0x84,0x1d, + 0x79,0xa4,0xeb,0x68,0xc5,0xcc,0xcb,0xb6,0xae,0x0e,0x92,0x00,0x44,0x4e,0x50,0xff, + 0x0d,0x09,0x53,0x04,0x7e,0xf9,0x55,0xd2,0xd3,0x9a,0x70,0xc3,0xb8,0x37,0xc5,0xf4), + }, + { /* Format of the EM is incorrect - 00 on end of pad removed */ + .exp = FALSE, + .e = chunk_from_chars(0x10,0xe4,0x3f), + .m = chunk_from_chars( + 0x92,0x5d,0x59,0xf9,0x53,0xcb,0x3f,0xfb,0x6d,0x5a,0x3a,0x55,0xc0,0x79,0xcb,0x10, + 0x83,0x99,0x75,0x36,0xe3,0x3d,0x7c,0x8a,0xed,0x50,0xed,0x76,0xae,0xbc,0xde,0x45, + 0x99,0x38,0xf7,0x92,0x29,0x61,0x32,0x00,0xc7,0x0d,0xde,0x2c,0xed,0xdc,0xea,0xe0, + 0x8c,0x10,0x60,0x8a,0xab,0x9e,0x30,0xec,0x51,0x84,0x2f,0x14,0xa6,0x5e,0x5f,0x8f, + 0x55,0x34,0x71,0xda,0x34,0x97,0x88,0x19,0x27,0xec,0x40,0x0b,0x42,0x07,0xef,0x3e, + 0x2d,0xfc,0x2b,0x7f,0xcd,0x31,0x8c,0x95,0x20,0xb8,0xb2,0x2f,0x69,0xdc,0x8a,0x1a, + 0x8e,0xfa,0xce,0xb7,0xbe,0x93,0xcb,0xad,0x56,0x9e,0x67,0xdb,0x06,0x23,0x62,0x91, + 0x30,0x05,0xdc,0xff,0x90,0x20,0x18,0xed,0x22,0x93,0x7f,0xad,0x40,0x5f,0xe8,0x4e), + .s = chunk_from_chars( + 0x62,0xb0,0x7f,0x6d,0x1b,0x8f,0x13,0x65,0x1d,0x7f,0x22,0xce,0x2c,0xe0,0x10,0x61, + 0x09,0x00,0x29,0xdb,0x5a,0xf7,0xdc,0xec,0xfe,0xaf,0xef,0x20,0x62,0x1d,0xd9,0xe2, + 0x54,0xa0,0xfb,0x91,0x4f,0x76,0xa3,0xd7,0x96,0x62,0x25,0x74,0x89,0xcb,0x81,0x22, + 0x70,0x85,0x83,0xd3,0x07,0x78,0x79,0x1a,0x77,0xda,0x83,0xc7,0xbe,0xa8,0x11,0x40, + 0xc6,0x1e,0x4d,0x04,0x84,0x80,0x6e,0x20,0xfb,0x85,0xf2,0x4d,0x1b,0xbf,0x77,0x4e, + 0xf2,0xed,0x38,0x80,0x9c,0x9b,0x14,0xf2,0xa5,0x8c,0x6e,0x86,0x49,0xb7,0x60,0xba, + 0xa9,0x01,0x54,0x45,0x22,0xed,0x94,0xbd,0x40,0x5c,0x77,0x20,0x1d,0x07,0xc8,0xd1, + 0x28,0x64,0xa8,0xd1,0xe9,0x7a,0x4d,0x32,0x2c,0x29,0x99,0x4b,0x21,0x4f,0xc8,0x3c, + 0x2e,0xcd,0x5c,0x95,0x5b,0x9b,0xde,0xc4,0x24,0xe7,0xca,0x5a,0x13,0x25,0xec,0x0a, + 0xae,0x4a,0xb0,0xc2,0x02,0xb9,0x80,0xa2,0x18,0x7f,0x09,0x6a,0xaa,0xaa,0x5e,0x85, + 0x55,0x0e,0xbd,0x32,0x57,0x99,0xf4,0xf3,0x0e,0xf2,0xea,0xd0,0x7e,0x79,0xc7,0xa4, + 0x75,0x66,0x7f,0x59,0x65,0xe6,0xb5,0x02,0x69,0x51,0x36,0x59,0xab,0x59,0x62,0xa3, + 0x91,0xc4,0x3c,0xbc,0x3a,0x3d,0xa3,0x4c,0x0f,0xdd,0x15,0x46,0xc4,0x0e,0xa7,0xe2, + 0xeb,0x53,0x52,0xce,0x6a,0x06,0xce,0x6a,0x63,0x85,0xca,0x0d,0xdd,0x5d,0x16,0x2c, + 0x13,0x78,0x36,0xdf,0x9e,0xa1,0xf8,0x9c,0xfa,0x00,0xc3,0xeb,0x16,0x71,0xa4,0x3b, + 0xd6,0x25,0x52,0x6f,0x3b,0x6b,0xa8,0xe4,0x8a,0x7a,0x2d,0x56,0xfb,0x4f,0x01,0xc6), + }, + { /* Public Key e changed */ + .exp = FALSE, + .e = chunk_from_chars(0x3c,0x6c,0xd1), + .m = chunk_from_chars( + 0x08,0xd3,0xac,0x24,0xa5,0x95,0xda,0x81,0x1c,0xc9,0xbb,0xa7,0x88,0x28,0xf1,0x45, + 0x2f,0xf3,0x90,0xae,0x65,0x3f,0x22,0xd1,0xad,0x91,0xef,0x6b,0x22,0xaa,0x7b,0x7b, + 0x15,0xa4,0x4f,0xf7,0xf8,0x3e,0xfc,0xbd,0x7a,0x75,0x5e,0xcc,0xf4,0x54,0x1e,0xb4, + 0x04,0x0c,0x7a,0x4b,0x77,0x47,0x49,0xa2,0x6d,0xba,0x39,0x37,0xb7,0xf9,0x5c,0x6c, + 0x84,0x90,0xe3,0x38,0x3d,0x4f,0x29,0x1d,0xad,0xe5,0xf3,0x5a,0x65,0xb1,0xf6,0x61, + 0x5f,0xd4,0x99,0x8b,0xe1,0x8b,0xfd,0x0b,0xa4,0xbc,0x3a,0x21,0x36,0xce,0xec,0x90, + 0x9d,0xbe,0xef,0x51,0x3d,0x6f,0x66,0x89,0xfc,0x42,0x02,0xb9,0xa3,0xe7,0x81,0x34, + 0x87,0x73,0x74,0xd7,0x6a,0xb2,0x46,0xf4,0x9c,0xbe,0x7a,0x8f,0x65,0xd0,0x34,0xcd), + .s = chunk_from_chars( + 0x72,0xea,0x7d,0x66,0x9a,0xc6,0x99,0xa1,0x49,0xc1,0x3a,0xa1,0x68,0xeb,0x3e,0x14, + 0x8f,0x59,0x0b,0xbc,0x04,0x24,0x95,0x1f,0x1c,0x31,0x44,0xc5,0x41,0x91,0x55,0x73, + 0xec,0xf0,0x5c,0xab,0xb5,0x27,0x54,0x88,0xc9,0x8d,0x0e,0xbe,0x55,0xb1,0xf1,0xaf, + 0x49,0xef,0x8c,0xc7,0x2c,0xf0,0x0e,0x84,0x98,0x97,0xc6,0xaf,0xa5,0x38,0x33,0xca, + 0xf9,0xff,0xc0,0x0e,0xb8,0x4c,0xfe,0x55,0xb8,0x27,0x7e,0x93,0xa6,0xac,0x3e,0x04, + 0xb1,0x11,0xc9,0xd0,0x7a,0xd6,0x20,0x82,0xca,0x32,0x85,0x4c,0x40,0xde,0x1e,0x09, + 0x56,0xa1,0x8f,0x84,0x60,0x43,0x84,0x84,0x40,0x3a,0xbb,0x91,0xe6,0xfa,0xd1,0x2b, + 0x28,0xf1,0x14,0x15,0x7f,0x1b,0x6e,0xf5,0x63,0xd2,0xfa,0x43,0x8c,0xcb,0x8a,0x16, + 0xaa,0x3a,0xfe,0x6e,0xc5,0xe9,0x83,0x65,0xc3,0x0d,0x9a,0x35,0x5e,0x7e,0x14,0xb0, + 0x39,0xbb,0xde,0xcf,0x59,0xf9,0x12,0x48,0xd0,0xf1,0xe3,0x17,0xd2,0xe3,0xc8,0x19, + 0x09,0x6e,0xd6,0x8c,0xf9,0x83,0x61,0xd7,0xf9,0x31,0x0b,0x35,0x4f,0x4f,0x45,0xe2, + 0xf7,0xc4,0xdf,0xb8,0x2c,0x21,0x8c,0xd4,0x38,0xf3,0x17,0x4a,0x6f,0x01,0x7f,0x0f, + 0x14,0x8a,0x71,0xc4,0x0a,0xd5,0xb7,0xe2,0xc8,0x08,0x1d,0xdb,0xae,0xaa,0x76,0x4d, + 0x60,0x1b,0xb2,0xe0,0x75,0xeb,0x36,0x18,0xaa,0xba,0xa4,0xb5,0x06,0x00,0x22,0xc6, + 0xd2,0x3e,0xf0,0x72,0x64,0x36,0x86,0xa7,0x59,0x22,0x7d,0xae,0xf0,0x33,0x1b,0x28, + 0xee,0x76,0xda,0x4a,0xb3,0xb5,0xad,0x5d,0xda,0x89,0x91,0xb9,0x93,0x7d,0x1a,0x59), + }, + }, +},{ + .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, .salt_len = 64, }, + .n = chunk_from_chars( + 0xa6,0x77,0x52,0x5e,0x1a,0x69,0x54,0x6a,0x96,0xdc,0x7b,0x11,0x23,0x50,0xd5,0xe4, + 0x86,0x4f,0x0f,0x82,0xe9,0x99,0xa7,0x14,0xfa,0x9f,0x43,0xac,0x68,0x15,0x17,0xd3, + 0x97,0x59,0x10,0xc2,0xd8,0x06,0xbb,0x3e,0xe6,0xdb,0xf5,0xdb,0xa1,0xd9,0x69,0xb3, + 0x88,0x89,0xe1,0x13,0xc2,0xda,0x76,0xee,0xf4,0x41,0x2a,0x60,0xcb,0xd8,0x9f,0xaf, + 0x35,0xb2,0xbd,0xcb,0x0d,0xe3,0x6a,0x2c,0xb7,0x62,0xcd,0x8f,0x2f,0x29,0xae,0xd9, + 0x98,0x2a,0x9a,0xb6,0x08,0x86,0xcc,0x8f,0xbf,0xee,0x9b,0x2a,0xe0,0x9c,0x88,0x16, + 0x1e,0x91,0x59,0xd4,0xfc,0x83,0x3a,0xdc,0x4f,0x80,0xe4,0xbf,0x62,0x9d,0x5a,0x95, + 0x51,0xac,0xce,0x7a,0x39,0x38,0x63,0x0c,0x2b,0xf9,0x95,0x60,0x97,0x64,0x2e,0x3b, + 0xc6,0x0a,0xc6,0x52,0x20,0x17,0x84,0x1b,0x65,0xc7,0xa2,0x51,0x97,0x86,0x5e,0x69, + 0x77,0x53,0xb0,0x81,0x69,0x85,0x36,0x81,0x91,0x14,0x43,0xa2,0xb2,0x5f,0x1b,0x7c, + 0x46,0x96,0xf9,0x46,0x15,0x5b,0x26,0x64,0xb6,0x7b,0x40,0x87,0x8d,0x3b,0x45,0xc3, + 0xe0,0xd7,0x03,0x4d,0x5b,0x5e,0xe6,0xf5,0xba,0x8f,0xb3,0xca,0xe7,0x79,0x7e,0x85, + 0x78,0x99,0x02,0xcf,0x8f,0x9f,0x86,0xed,0x3e,0xf2,0x5a,0xe0,0x73,0x61,0x78,0xaa, + 0xe2,0x60,0xfe,0x87,0x5b,0xfe,0xf5,0xbc,0xde,0x9e,0xc0,0x5f,0x11,0xe1,0x8f,0xc7, + 0x37,0x5e,0xdc,0xd4,0xa5,0x53,0x36,0x18,0xe6,0xf9,0x91,0xdd,0x48,0xaa,0x30,0x62, + 0xe6,0x03,0x1e,0x29,0x1d,0xfc,0xdc,0x6e,0x7f,0xc1,0x4e,0xc6,0x0e,0x53,0x9f,0xcb), + .tests = { + { /* Public Key e changed */ + .exp = FALSE, + .e = chunk_from_chars(0xea,0xc8,0x39), + .m = chunk_from_chars( + 0x9c,0x3d,0x5d,0x23,0xd2,0x74,0x6d,0x15,0xd6,0x16,0xbe,0xbf,0x3c,0xf7,0x20,0xc6, + 0xe6,0x01,0x2a,0x71,0xca,0xe2,0x20,0x02,0xf5,0x02,0x1a,0x47,0xd0,0xb8,0x63,0x6c, + 0xa3,0xbd,0x20,0x13,0x57,0xe1,0x32,0xa6,0x80,0xfc,0x5d,0xec,0x9b,0x28,0xa9,0xdb, + 0x93,0x2d,0x08,0xae,0x8b,0x3d,0x3a,0x37,0xd7,0xe2,0xee,0x75,0x4b,0x34,0x2a,0x69, + 0xb9,0x4f,0xec,0x26,0xb5,0x04,0x12,0x28,0x9b,0xcf,0x77,0xe6,0xd4,0x09,0x5f,0xaa, + 0x54,0x5f,0x15,0xa1,0x67,0x83,0xd2,0x2e,0xae,0x21,0xe1,0x84,0x64,0x15,0x01,0x74, + 0xe6,0xdb,0x0b,0x83,0x73,0x47,0xd4,0x40,0x30,0x76,0x55,0xd5,0x6f,0x04,0x09,0xdb, + 0x30,0x7f,0x97,0x73,0xe8,0x1c,0xb1,0x92,0x82,0xa9,0x3c,0x9c,0xa4,0xc3,0xb1,0x35), + .s = chunk_from_chars( + 0x98,0x65,0x7f,0xd8,0x16,0x39,0x67,0xfa,0x7d,0x26,0x3b,0xd4,0x5b,0xb8,0x90,0x03, + 0x5a,0xdb,0xcd,0xd1,0x64,0x5f,0xd4,0x8b,0x28,0xfe,0xbf,0xb9,0xb4,0xe1,0x51,0x72, + 0x54,0x0e,0x38,0xb7,0xc2,0xf6,0x73,0xc4,0x0a,0x20,0x5f,0xd4,0x0b,0x08,0xb6,0x0b, + 0x4b,0x81,0xed,0x6e,0x23,0x6c,0xdf,0x08,0xf0,0xd6,0xb1,0x1f,0x50,0xdc,0x74,0xc6, + 0x0d,0xc4,0x66,0xac,0x37,0x2e,0x0f,0x46,0x78,0x83,0xaa,0x9a,0x39,0x8f,0x4a,0xee, + 0xf8,0x7b,0x04,0x0e,0x14,0xa5,0x15,0x02,0xdd,0x46,0x7e,0x8e,0x8d,0xd8,0x98,0x12, + 0xdf,0xaf,0x6b,0x1d,0xc1,0xc2,0xf6,0xc2,0x84,0x48,0xaf,0x08,0x45,0x90,0xc0,0x5a, + 0xec,0x49,0x9d,0xd3,0xb1,0x48,0xe6,0x6f,0x3d,0x71,0xcf,0x75,0xe2,0x39,0xdb,0x6d, + 0x21,0xf4,0x07,0x4b,0x8b,0xd9,0xa6,0xbd,0xe5,0xca,0x66,0x86,0x34,0xbd,0x47,0x95, + 0x32,0x76,0xff,0x2d,0x0e,0xbb,0xe0,0x1a,0xfc,0xfe,0x0e,0x38,0x19,0x03,0x73,0x6d, + 0x6a,0x6c,0x67,0x2a,0x45,0xfb,0xa4,0xee,0x32,0x6e,0x34,0x2d,0xc5,0x92,0x51,0x69, + 0x51,0x7c,0x5f,0x57,0xe9,0x29,0x07,0x24,0x57,0x6a,0x22,0x5b,0xa8,0x9c,0xb4,0xdd, + 0x09,0x1f,0x4e,0x65,0x13,0xbe,0x10,0xdd,0x41,0x81,0x85,0x5b,0xb4,0x04,0x5d,0x6e, + 0xf6,0x43,0x7c,0x16,0xd3,0xb5,0x58,0x9e,0xf9,0xd6,0x83,0x66,0x82,0x71,0x1c,0x7d, + 0x66,0x02,0x5a,0xe3,0x7b,0x52,0x55,0x80,0xf0,0xdf,0xcf,0x3d,0xb7,0xfe,0x57,0xd7, + 0xc6,0xb1,0x57,0x77,0xcc,0x41,0x60,0x03,0x07,0xe5,0x8a,0x17,0x21,0xb6,0xf7,0xbc), + }, + { /* Format of the EM is incorrect - hash moved to left */ + .exp = FALSE, + .e = chunk_from_chars(0x8d,0x88,0x53), + .m = chunk_from_chars( + 0x77,0x59,0x42,0x0c,0x8d,0x1a,0x39,0xba,0x0e,0x3e,0x16,0x81,0xd9,0xb7,0x57,0xfc, + 0xf3,0x0c,0xb4,0x0d,0x84,0x4f,0x4a,0x71,0x22,0x4f,0xf9,0x98,0x52,0x0e,0x0b,0xb4, + 0x4c,0x76,0x16,0x11,0xff,0x47,0x23,0xa4,0x55,0x54,0x0f,0xe6,0xb8,0xef,0x32,0xe3, + 0xd5,0xa2,0x3f,0x8d,0xa0,0x20,0x6b,0x57,0x98,0x7a,0xd2,0xff,0x4c,0x96,0x16,0xab, + 0x1e,0xde,0x49,0x38,0x47,0x35,0x0d,0xcf,0x1b,0x2f,0xf9,0xb9,0x8e,0x81,0x3f,0x74, + 0xf8,0xb6,0x8c,0x06,0x15,0x24,0x30,0x91,0x50,0x1f,0x7f,0x28,0x41,0x6c,0x77,0xe1, + 0x74,0xf8,0xa3,0x2b,0x6c,0xca,0x3e,0x62,0xe7,0x37,0x9c,0xa1,0x64,0x55,0xc6,0xd8, + 0xe3,0xb2,0x65,0x1e,0xec,0x45,0xe1,0x48,0xd2,0xa4,0xc9,0xba,0x39,0x78,0x76,0x7d), + .s = chunk_from_chars( + 0x91,0xce,0x8e,0x92,0x1f,0x85,0xde,0x84,0x5b,0x9b,0xf7,0x50,0x3d,0xc6,0x5a,0x32, + 0x82,0x24,0xd1,0x5b,0x23,0xe8,0xea,0x65,0xdc,0x3d,0xa6,0xd8,0x04,0xfb,0xef,0x19, + 0x6c,0x30,0x5e,0x0f,0xba,0x05,0x9a,0x7d,0x84,0x2c,0x8c,0x0f,0x58,0x08,0x60,0xcc, + 0xe7,0x76,0x52,0xd4,0xdc,0x77,0x90,0x73,0xd6,0xa3,0xb0,0xa9,0x2b,0xf2,0xdd,0x3e, + 0xc6,0xc0,0x61,0x8d,0xa1,0x48,0x50,0x36,0xfd,0x59,0x4b,0xd9,0x62,0xf7,0xb5,0xa1, + 0xc6,0x1d,0x53,0xf1,0x62,0x69,0x12,0xc7,0xe3,0x12,0xaa,0x83,0xeb,0x43,0x26,0x28, + 0x8a,0x52,0x43,0x7c,0x73,0x87,0x91,0x6b,0xcb,0x11,0x08,0x4a,0x40,0xc2,0x19,0xc8, + 0x4c,0xab,0x2f,0xf6,0x6e,0x83,0x14,0x3f,0x85,0x86,0x47,0xf2,0xdc,0x91,0x4d,0xa0, + 0xc7,0x85,0x8b,0xa3,0x9a,0xa8,0xad,0x81,0x47,0xea,0x5c,0x9c,0x52,0x06,0x9e,0xb2, + 0xb2,0xca,0x94,0x1d,0x8a,0x50,0x23,0x74,0x8d,0xc4,0x01,0xe7,0x66,0x45,0x00,0x84, + 0x6c,0x85,0xca,0xdf,0x02,0x87,0xe3,0x9b,0x8b,0x8b,0x46,0x79,0x4a,0x82,0xbf,0xff, + 0xa7,0x52,0x96,0x0a,0xb3,0xb9,0xea,0xa0,0x25,0x30,0xb5,0x90,0x3c,0x24,0xae,0xfa, + 0x10,0x8f,0x10,0xae,0xe3,0x5b,0x6a,0x8a,0x3c,0xdf,0x87,0x95,0xa1,0x82,0xe5,0xc0, + 0x4e,0xd3,0x6b,0xb6,0x8c,0x18,0x78,0x56,0x23,0xb4,0x2f,0x09,0x79,0xff,0xf3,0x19, + 0x11,0x2e,0x15,0x14,0xce,0xe5,0x1d,0xb4,0x37,0xee,0x32,0x28,0x9f,0x61,0xde,0xd6, + 0x11,0x86,0xc6,0xed,0x44,0xad,0x72,0x2d,0x18,0xd5,0x56,0x82,0x1f,0x88,0x82,0x21), + }, + { /* Message changed */ + .exp = FALSE, + .e = chunk_from_chars(0x8d,0x88,0x53), + .m = chunk_from_chars( + 0x86,0x4f,0x4f,0x58,0x90,0xa0,0x36,0x53,0xd0,0x8d,0xaa,0x83,0xd9,0xe2,0x99,0x2f, + 0xab,0x33,0x93,0xb7,0xee,0x15,0x2d,0x6f,0x7b,0x8e,0xa3,0xad,0x1e,0xc9,0xc1,0x21, + 0x9a,0x0e,0x03,0x65,0xee,0xf2,0xfb,0xd5,0xd7,0xcb,0xf3,0xa1,0x96,0x67,0xd4,0x21, + 0xf3,0xfe,0x46,0x68,0x82,0x64,0x19,0x1b,0x25,0x83,0xe4,0x84,0xd2,0x09,0xeb,0xe2, + 0x97,0x5e,0x46,0x03,0xdb,0xd9,0x40,0x15,0xe6,0x33,0xfe,0xba,0xa4,0x3c,0x61,0x5a, + 0xa5,0xcc,0x2c,0xbd,0x69,0xfd,0x6a,0xd9,0xdb,0x97,0x0a,0xe8,0x1b,0xcc,0xcd,0xbe, + 0x80,0x26,0x62,0x5a,0xde,0xbd,0xcf,0xbb,0x04,0xad,0x12,0xf5,0x89,0xc7,0x08,0x83, + 0xc9,0x87,0x8f,0xdf,0x2a,0x46,0xe7,0x50,0xa4,0xb1,0x5f,0x03,0x80,0x7a,0x2d,0x5e), + .s = chunk_from_chars( + 0x24,0x5f,0xda,0x2e,0x66,0xd2,0xba,0xb1,0x02,0xd0,0xda,0x40,0x98,0xd7,0x51,0x65, + 0x0f,0x5e,0xf4,0x73,0x8d,0x14,0xda,0xbe,0x86,0x6c,0x78,0x20,0x09,0xea,0xd9,0xd6, + 0xd0,0x5d,0x43,0xac,0x0a,0x30,0x14,0xa3,0x82,0xd6,0x2a,0xc9,0x71,0xee,0x19,0x79, + 0x8f,0x3b,0x8e,0xf4,0x9f,0x9b,0xc2,0x47,0xfa,0x07,0xb3,0x68,0xac,0x2d,0x0e,0x8a, + 0x4f,0xb2,0x10,0xaf,0x5a,0xcd,0x87,0xb6,0xb5,0x12,0xe1,0x35,0x86,0x1b,0x30,0x10, + 0x34,0x03,0x30,0x47,0x32,0xa1,0x0b,0x75,0xc9,0xa1,0x49,0x55,0x2d,0x1c,0xcf,0x0f, + 0x99,0x12,0x96,0x8c,0x64,0x31,0x39,0x8b,0x7d,0x48,0xdf,0xf4,0x8c,0xc7,0xcb,0x71, + 0x84,0xe7,0x6a,0x0a,0xb9,0x4a,0xc9,0xa6,0xb0,0x03,0x5b,0x91,0xb3,0xee,0xb2,0xd1, + 0x32,0x6e,0xbd,0xdf,0xc1,0x32,0x50,0x22,0x45,0x38,0xc1,0x43,0xfc,0x0d,0xfa,0x39, + 0x95,0x92,0x64,0x15,0xa6,0x58,0xdb,0x8e,0x66,0x91,0x50,0x40,0x50,0xa1,0xa3,0x0e, + 0x34,0xb2,0x1a,0xf8,0xd1,0x27,0x07,0xbc,0x44,0x54,0xf1,0x74,0x38,0x5c,0xd8,0x4c, + 0x72,0x9e,0x2d,0xdf,0xc5,0xcc,0x91,0x78,0x81,0x20,0x59,0xb5,0xda,0x4a,0x1a,0x60, + 0x5a,0x2a,0x81,0x64,0x2c,0xcc,0x1b,0xc5,0xcf,0x95,0x39,0x65,0xf7,0x05,0x67,0x3b, + 0x12,0xc5,0xb4,0x6a,0xc8,0xc1,0xa0,0x3c,0x10,0x01,0xae,0x4d,0xf1,0xc3,0x9c,0xc8, + 0x3c,0xb5,0x4b,0x10,0xcb,0x7d,0x33,0xcd,0x51,0x08,0x03,0x3c,0x26,0x8c,0xee,0xeb, + 0xba,0x6c,0x6a,0xda,0x92,0x88,0x2f,0x46,0x56,0x2d,0xc6,0x58,0xd3,0x52,0x55,0x74), + }, + { /* Signature changed */ + .exp = FALSE, + .e = chunk_from_chars(0x8d,0x88,0x53), + .m = chunk_from_chars( + 0x71,0xab,0xf8,0x95,0xe5,0x6b,0xa8,0xf6,0xae,0x8d,0x0e,0x9e,0x66,0x90,0xc0,0x9c, + 0x75,0x92,0x70,0xa7,0x3d,0xb8,0xc1,0xaa,0x95,0xd0,0x59,0x80,0x79,0x35,0x37,0xfb, + 0xff,0xf3,0x47,0x2c,0x8d,0x2c,0x34,0xde,0x4a,0xbb,0x7e,0x64,0xd2,0x16,0xcc,0x95, + 0x2e,0x79,0x83,0x14,0x03,0x41,0x97,0xd5,0x09,0x96,0xa2,0xdc,0xbf,0x4c,0x33,0x48, + 0x5e,0x0b,0x68,0x91,0x0b,0xae,0xbf,0x0e,0x50,0xea,0x29,0xba,0xcd,0x30,0x60,0x37, + 0x2b,0xd4,0x7b,0x13,0x52,0x6e,0xc0,0x4b,0xdc,0x81,0xb9,0x0d,0xc9,0x5a,0x8a,0xc2, + 0x74,0x3b,0x81,0x4c,0xc5,0xb9,0xef,0x8c,0xa9,0x63,0x36,0x28,0xbf,0xa4,0x24,0x8b, + 0x55,0xeb,0x7f,0x2d,0x92,0x08,0xe1,0x14,0xf4,0xda,0xc6,0x9b,0xfe,0x27,0xe4,0x72), + .s = chunk_from_chars( + 0x24,0x3c,0x57,0x0c,0xd1,0xbd,0x85,0x52,0x2e,0x64,0x81,0x73,0x61,0xcb,0xb9,0x49, + 0xc8,0x38,0x76,0xd7,0xa3,0x60,0x95,0x13,0xae,0xbf,0x50,0x6f,0xc0,0x67,0x50,0xba, + 0x38,0xe8,0x20,0x23,0x2c,0x98,0xac,0xbe,0x00,0xff,0xa5,0x0b,0x36,0xc5,0x38,0x56, + 0x00,0x69,0xfd,0x13,0x99,0x2c,0xa0,0xdf,0x7d,0x9f,0x6d,0x95,0x6b,0x88,0x33,0x34, + 0xf1,0xc3,0xaf,0x8a,0x74,0xad,0xee,0xd5,0xbe,0x15,0xb0,0x33,0xd8,0x5b,0x20,0x7b, + 0xe2,0xfe,0x60,0x0a,0x99,0x02,0xd6,0x99,0xcc,0xef,0x1f,0x4a,0x8d,0x58,0x86,0x72, + 0xc4,0x46,0x40,0x1e,0xb3,0x90,0xd1,0x74,0xd5,0x72,0xb9,0x18,0xf9,0xb3,0x49,0xe2, + 0xe7,0x04,0x77,0x53,0x00,0x02,0x38,0x50,0xa5,0x34,0xcd,0x14,0xe0,0x04,0x6e,0x38, + 0x51,0x81,0xd3,0x45,0xa0,0x1d,0xbd,0x23,0x0c,0x79,0x65,0xff,0xfd,0x71,0xd4,0xe9, + 0xf9,0xbd,0x27,0x4d,0x2e,0xf4,0x6c,0x55,0x6c,0x73,0x32,0x12,0x13,0x62,0xe7,0x17, + 0x06,0xc3,0x9f,0x08,0x91,0x9e,0xfa,0x3a,0x4f,0x2f,0x14,0x21,0x50,0xc8,0xce,0xf4, + 0xb3,0x0e,0xf7,0x88,0xf6,0xff,0xfc,0x2e,0xd2,0xac,0xa0,0x26,0x2e,0xba,0x87,0x3a, + 0x25,0x17,0x95,0x84,0x5d,0xa5,0x26,0xb7,0x8e,0x2b,0x24,0xd6,0x6f,0x21,0xd4,0x0d, + 0x5f,0xcb,0xe5,0x54,0x2a,0x75,0x53,0xa9,0x17,0x8b,0xe5,0xa9,0x80,0x5b,0xb5,0x35, + 0x79,0xbd,0x10,0x8c,0xff,0x73,0x3b,0x37,0x64,0x07,0x89,0x31,0x8d,0xb6,0x20,0xa6, + 0xa9,0x44,0x44,0xe9,0x20,0x39,0x23,0xae,0x32,0x55,0x00,0xb6,0x76,0xb1,0x47,0x98), + }, + { /* Format of the EM is incorrect - 00 on end of pad removed */ + .exp = FALSE, + .e = chunk_from_chars(0x8d,0x88,0x53), + .m = chunk_from_chars( + 0x4b,0x64,0x8d,0xe2,0xe3,0x90,0x67,0x7c,0xe1,0x72,0x71,0x91,0x49,0x8b,0x76,0xd2, + 0xd2,0x43,0x8d,0x0c,0xed,0xdf,0x3d,0xb5,0x02,0xad,0xe5,0xc5,0xfd,0x81,0x5b,0xc7, + 0x09,0x65,0xd4,0x2f,0x9b,0x8d,0x04,0xee,0xb3,0x89,0x86,0x44,0x5f,0xbe,0x7d,0xd5, + 0x80,0x17,0x7c,0x00,0xd0,0xf8,0xa3,0x6c,0x24,0x74,0x0b,0xe3,0xef,0xbf,0x65,0x64, + 0x08,0xe6,0xdd,0x73,0xad,0xbd,0x45,0xb4,0xc7,0x19,0x6f,0xb8,0x6f,0x40,0xda,0x17, + 0xb2,0x9e,0x91,0xbf,0x91,0xba,0x51,0x8b,0x4c,0x68,0xea,0x18,0xe1,0x3f,0xe7,0xd4, + 0xcf,0x4d,0x71,0x57,0x1f,0x0a,0x71,0xf7,0xa5,0x8b,0xf5,0x96,0x84,0xf8,0xd5,0xbf, + 0xf0,0x40,0x96,0xf2,0x38,0x0b,0x8e,0x3b,0x03,0xf1,0x49,0x09,0xd9,0xe9,0x2c,0x3e), + .s = chunk_from_chars( + 0x27,0x7f,0xe8,0x1a,0x15,0x40,0x34,0x1c,0x9c,0x04,0xfb,0x5d,0x3c,0x8f,0x70,0xc1, + 0xe7,0x2f,0x87,0xfa,0x7d,0x04,0xb9,0x3e,0xe5,0x4d,0x56,0xd1,0x18,0x4c,0x14,0x1e, + 0xc4,0xe1,0x25,0xe2,0xe5,0xcf,0xd0,0xac,0xff,0x10,0x55,0xc7,0x66,0x97,0xa1,0xc3, + 0x07,0x9c,0x37,0x1c,0xce,0x0b,0xd8,0x4e,0xe4,0x43,0x7b,0xfa,0x18,0x06,0xaa,0x76, + 0xdf,0x29,0x55,0x93,0x53,0x31,0x91,0x5f,0xff,0x87,0x9d,0x87,0xc7,0x37,0x2e,0x75, + 0xe5,0xe8,0xfe,0xcc,0x90,0x6f,0x9d,0x34,0xa5,0xad,0xc0,0xb7,0x54,0x09,0xa8,0x7f, + 0xb6,0x41,0x1e,0x29,0x90,0xcd,0x23,0x7a,0xc8,0x22,0x3f,0x72,0x23,0x44,0x4f,0x5d, + 0x52,0x7a,0x11,0x5c,0x85,0xb9,0xba,0x10,0x28,0x7f,0x3e,0x82,0x5e,0x1d,0xc5,0x8e, + 0xb3,0x7c,0x8a,0x9c,0xa0,0x55,0x15,0x5f,0xf6,0xa5,0xaa,0xa6,0x56,0x56,0x90,0xdc, + 0xee,0xf6,0xf6,0x47,0x72,0x9d,0x07,0x1c,0xdd,0x9f,0x06,0x88,0xc7,0xfe,0xe8,0xf9, + 0x29,0x3a,0xbe,0x65,0x8d,0x0e,0x1e,0xf8,0x55,0xc8,0x6a,0x28,0xd8,0xd0,0xf8,0xf8, + 0x2f,0x72,0x17,0x31,0x86,0x35,0x30,0x80,0xb8,0x4f,0x14,0x2f,0x96,0x59,0x07,0x37, + 0x71,0x78,0xfc,0x1e,0xa0,0x08,0x19,0xd8,0x1a,0xfc,0x24,0x74,0xbe,0xcf,0x79,0xe1, + 0xe3,0xb7,0x0c,0x7c,0x2a,0x84,0x07,0xd5,0x07,0x95,0xc3,0x13,0x1b,0xb6,0xdf,0x78, + 0x72,0x0c,0x31,0xb2,0xf8,0xc4,0x3f,0x70,0x54,0x64,0xd8,0x98,0x20,0x43,0xc4,0x5f, + 0x04,0xe3,0x39,0xaa,0x1c,0x6f,0x4e,0x26,0xaa,0x70,0x92,0xb3,0xe6,0x26,0x12,0x99), + }, + { + .exp = TRUE, + .e = chunk_from_chars(0x8d,0x88,0x53), + .m = chunk_from_chars( + 0x78,0x11,0xa4,0x07,0xfe,0x65,0x3a,0xd2,0x34,0x3d,0x83,0xc0,0x49,0x9f,0xc1,0x1e, + 0x29,0x51,0xef,0x0a,0x47,0x91,0xa3,0xcd,0x9a,0x06,0x39,0x6b,0xe5,0xf7,0x2e,0x78, + 0x3c,0xbb,0xca,0x2c,0xc4,0x70,0x02,0xba,0xba,0xf0,0x9c,0xde,0xb7,0x01,0x94,0xb5, + 0x32,0xcc,0xbf,0xd2,0x46,0x91,0xae,0x8e,0xb5,0x98,0xd5,0x9f,0x2e,0x6b,0xec,0xed, + 0xcb,0x42,0x96,0xa1,0xde,0xbf,0x41,0x7e,0xed,0xdb,0x4d,0x74,0xfb,0x21,0x70,0x72, + 0x09,0x1a,0x59,0x7d,0xdd,0x08,0x93,0xff,0x02,0xd6,0xad,0x61,0x10,0x50,0x98,0xdb, + 0x2e,0x90,0x50,0x8b,0xd4,0xb8,0xbe,0xc5,0xd6,0xe7,0xde,0xab,0x9e,0x65,0x1d,0xfd, + 0xb8,0x21,0x05,0x32,0x95,0x5e,0x1b,0xc7,0x88,0xa9,0x08,0xd7,0x15,0x0e,0xf8,0xec), + .s = chunk_from_chars( + 0x3a,0xd1,0xf0,0xfa,0xa9,0xa3,0x65,0x86,0x15,0x4a,0x38,0x2a,0x1f,0x2c,0x10,0xe8, + 0x19,0xdc,0x31,0x8a,0x68,0xbe,0x35,0xf5,0x4f,0x95,0x40,0x1b,0x0e,0xf2,0xba,0x5c, + 0xc8,0x95,0xf0,0xd6,0xbd,0xe2,0x8c,0x8d,0x3b,0x36,0x4f,0x60,0xde,0x03,0xce,0x75, + 0xa7,0xaf,0x29,0xe5,0x80,0x7c,0x1e,0xec,0x4c,0xd7,0x06,0x24,0x75,0x6e,0x26,0x31, + 0xeb,0x46,0xaf,0x01,0x0c,0xa8,0xcf,0x93,0xee,0x7d,0x86,0xa4,0xaf,0x3c,0xed,0x5d, + 0xd2,0xa8,0xa4,0x1c,0x1f,0xee,0xe6,0xb4,0x57,0x20,0x70,0x87,0x39,0x39,0xae,0x7a, + 0x2c,0xe7,0x51,0x93,0x94,0x59,0x37,0x46,0x1d,0x00,0x64,0xee,0xba,0x07,0x76,0x0c, + 0x49,0x5c,0x5c,0x70,0xbd,0xb0,0x4d,0x89,0x95,0x1d,0xe3,0xf9,0x65,0x25,0xf8,0xe4, + 0x46,0x12,0x49,0x3d,0x49,0x07,0x31,0xe7,0xef,0x76,0x79,0xa2,0x4b,0x0b,0x1e,0x2b, + 0x24,0xc8,0x00,0x3c,0x2f,0x94,0x11,0x4e,0x41,0x93,0xd6,0xe5,0x4c,0x0a,0xf9,0xe8, + 0x70,0x53,0x0b,0x00,0x85,0x30,0x21,0x0a,0xc0,0xb0,0xe4,0xc7,0xc7,0x9f,0x37,0x93, + 0x84,0xe1,0xbb,0x31,0x9b,0x5f,0x2a,0x0b,0x62,0x25,0x17,0xae,0x5d,0x27,0xf0,0xea, + 0xaf,0x79,0x58,0xcb,0x0b,0x41,0x84,0x91,0x26,0x07,0x50,0x92,0xe8,0x6e,0x7e,0x7b, + 0xe5,0xee,0xac,0xef,0x9a,0x8e,0x3e,0xc5,0x95,0x43,0x2e,0xf6,0x19,0x85,0x8f,0xe0, + 0xd0,0x51,0x78,0x71,0xb8,0xb4,0x95,0xc0,0x1a,0xf6,0xf1,0x8d,0x4e,0x6d,0x25,0x0d, + 0xbd,0x19,0x28,0x0e,0xf4,0xf8,0xa3,0x7d,0x1b,0x59,0xa4,0x8f,0xa4,0x1b,0x83,0x1d), + }, + }, +}, +{ + .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, }, + .n = chunk_from_chars( + 0xce,0x49,0x24,0xff,0x47,0x0f,0xb9,0x9d,0x17,0xf6,0x65,0x95,0x56,0x1a,0x74,0xde, + 0xd2,0x20,0x92,0xd1,0xdc,0x27,0x12,0x2a,0xe1,0x5c,0xa8,0xca,0xc4,0xbf,0xae,0x11, + 0xda,0xa9,0xe3,0x7a,0x94,0x14,0x30,0xdd,0x1b,0x81,0xaa,0xf4,0x72,0xf3,0x20,0x83, + 0x5e,0xe2,0xfe,0x74,0x4c,0x83,0xf1,0x32,0x08,0x82,0xa8,0xa0,0x23,0x16,0xce,0xb3, + 0x75,0xf5,0xc4,0x90,0x92,0x32,0xbb,0x2c,0x65,0x20,0xb2,0x49,0xc8,0x8b,0xe4,0xf4, + 0x7b,0x8b,0x86,0xfd,0xd9,0x36,0x78,0xc6,0x9e,0x64,0xf5,0x00,0x89,0xe9,0x07,0xa5, + 0x50,0x4f,0xdd,0x43,0xf0,0xca,0xd2,0x4a,0xaa,0x9e,0x31,0x7e,0xf2,0xec,0xad,0xe3, + 0xb5,0xc1,0xfd,0x31,0xf3,0xc3,0x27,0xd7,0x0a,0x0e,0x2d,0x48,0x67,0xe6,0xfe,0x3f, + 0x26,0x27,0x2e,0x8b,0x6a,0x3c,0xce,0x17,0x84,0x3e,0x35,0x9b,0x82,0xeb,0x7a,0x4c, + 0xad,0x8c,0x42,0x46,0x01,0x79,0xcb,0x6c,0x07,0xfa,0x25,0x2e,0xfa,0xec,0x42,0x8f, + 0xd5,0xca,0xe5,0x20,0x8b,0x29,0x8b,0x25,0x51,0x09,0x02,0x6e,0x21,0x27,0x24,0x24, + 0xec,0x0c,0x52,0xe1,0xe5,0xf7,0x2c,0x5a,0xb0,0x6f,0x5d,0x2a,0x05,0xe7,0x7c,0x19, + 0x3b,0x64,0x7e,0xc9,0x48,0xbb,0x84,0x4e,0x0c,0x2e,0xf1,0x30,0x7f,0x53,0xcb,0x80, + 0x0d,0x4f,0x55,0x52,0x3d,0x86,0x03,0x8b,0xb9,0xe2,0x10,0x99,0xa8,0x61,0xb6,0xb9, + 0xbc,0xc9,0x69,0xe5,0xdd,0xdb,0xdf,0x71,0x71,0xb3,0x7d,0x61,0x63,0x81,0xb7,0x8c, + 0x3b,0x22,0xef,0x66,0x51,0x0b,0x27,0x65,0xd9,0x61,0x75,0x56,0xb1,0x75,0x59,0x98, + 0x79,0xd8,0x55,0x81,0x00,0xad,0x90,0xb8,0x30,0xe8,0x7a,0xd4,0x60,0xa2,0x21,0x08, + 0xba,0xa5,0xed,0x0f,0x2b,0xa9,0xdf,0xc0,0x51,0x67,0xf8,0xab,0x61,0xfc,0x9f,0x8a, + 0xe0,0x16,0x03,0xf9,0xdd,0x5e,0x66,0xce,0x1e,0x64,0x2b,0x60,0x4b,0xca,0x92,0x94, + 0xb5,0x7f,0xb7,0xc0,0xd8,0x3f,0x05,0x4b,0xac,0xf4,0x45,0x4c,0x29,0x8a,0x27,0x2c, + 0x44,0xbc,0x71,0x8f,0x54,0x60,0x5b,0x91,0xe0,0xbf,0xaf,0xd7,0x72,0xae,0xba,0xf3, + 0x82,0x88,0x46,0xc9,0x30,0x18,0xf9,0x8e,0x31,0x57,0x08,0xd5,0x0b,0xe8,0x40,0x1e, + 0xb9,0xa8,0x77,0x8d,0xcb,0xd0,0xd6,0xdb,0x93,0x70,0x86,0x04,0x11,0xb0,0x04,0xcd, + 0x37,0xfb,0xb8,0xb5,0xdf,0x87,0xed,0xee,0x7a,0xae,0x94,0x9f,0xff,0x34,0x60,0x7b), + .tests = { + { /* Public Key e changed */ + .exp = FALSE, + .e = chunk_from_chars(0xfe,0x30,0x79), + .m = chunk_from_chars( + 0xe4,0x9f,0x58,0x5e,0xec,0xcf,0x2b,0xf7,0x26,0x56,0x41,0xfb,0x8c,0x0f,0x94,0xc7, + 0x17,0xe2,0xff,0x1d,0x90,0x45,0xae,0xca,0xa3,0x02,0xd2,0x85,0x35,0x3b,0x99,0x1b, + 0xf7,0xac,0x5d,0xc9,0x3b,0x31,0x1c,0xe9,0x07,0x88,0x28,0xd2,0x68,0x57,0x1f,0xf9, + 0x09,0x71,0x1e,0x5c,0x04,0x55,0x32,0x20,0xf8,0xf8,0x0f,0x78,0x5c,0xc4,0x05,0xca, + 0x13,0xe0,0x2f,0x0d,0x40,0xb2,0xee,0x76,0x5b,0xa2,0x95,0x53,0x85,0x21,0x66,0x37, + 0x18,0xea,0xbe,0x57,0x83,0x88,0x8c,0x34,0x55,0x19,0x07,0x7a,0x97,0x51,0xa1,0x28, + 0x5f,0xc2,0x36,0xf2,0xa2,0x5a,0x8a,0xe4,0x4a,0x2d,0xf2,0x47,0x88,0x74,0x51,0xc8, + 0x6c,0xd6,0x46,0xd7,0xb3,0xe7,0xa4,0x4e,0xe0,0xef,0x23,0x53,0x8e,0xec,0x55,0x7f), + .s = chunk_from_chars( + 0x4e,0x85,0xf6,0x8a,0x5b,0x06,0xb0,0x6a,0x17,0xd0,0xf3,0xf2,0x7b,0x3a,0x5a,0x11, + 0x9e,0x7d,0xb0,0x2a,0xbc,0x2d,0x9b,0x4a,0xfc,0x69,0x82,0x20,0xda,0x11,0x52,0x4a, + 0x88,0x5f,0x33,0xcd,0x7a,0x10,0xae,0x89,0xc9,0x8b,0x02,0x7b,0x69,0x22,0x4a,0xce, + 0xf4,0x71,0x3a,0x14,0x63,0xf1,0x68,0xc8,0xbe,0xf5,0x51,0xef,0x8f,0xed,0xb2,0x19, + 0xb6,0xad,0x0b,0x3e,0x99,0xd6,0x21,0x66,0x43,0xe5,0x8a,0x51,0xbb,0x2a,0xe9,0x3b, + 0xbe,0xf7,0x69,0x61,0x49,0x14,0xea,0xb1,0x37,0xc1,0x99,0x3b,0x14,0x91,0x71,0xb8, + 0x63,0x3f,0x4a,0x31,0x8f,0x69,0x77,0x29,0x96,0xef,0x7d,0xc3,0xf7,0x74,0x8f,0x37, + 0x56,0xd5,0x8e,0xcd,0xc3,0x93,0x76,0x32,0x71,0x7f,0xb4,0x0c,0xb7,0xed,0x6e,0x5c, + 0x72,0xe1,0x72,0xac,0x58,0xec,0x01,0xf4,0xe3,0x2f,0xff,0xc4,0x45,0xb6,0x0f,0x98, + 0xa6,0x28,0xfc,0x1b,0x0f,0xa4,0xcf,0xb6,0x68,0x6d,0xeb,0x12,0x59,0x50,0xb8,0x62, + 0xf3,0x47,0xe9,0xeb,0x81,0x20,0xfb,0x2b,0x5a,0xa2,0x3d,0x6d,0x86,0xea,0xf1,0xed, + 0xeb,0xeb,0x13,0x37,0x93,0x54,0x1c,0x4d,0xbe,0xa0,0xf1,0x4a,0x9f,0x74,0x73,0x3d, + 0xa4,0xed,0x11,0xd1,0x27,0x4d,0x46,0x4e,0x09,0xa5,0x78,0x08,0x43,0xd6,0x75,0x0b, + 0xac,0xe0,0xe9,0x70,0x29,0x30,0x82,0x87,0xdd,0x39,0x6e,0xfa,0x0f,0x32,0x62,0x81, + 0x71,0xfc,0x5e,0xc2,0x0d,0x3c,0x82,0x61,0x9b,0x78,0x4e,0x4c,0xdb,0x66,0xcb,0xdb, + 0x28,0xcd,0xd2,0x63,0xa4,0x6a,0x3e,0xc6,0x3e,0x1c,0xad,0x76,0x59,0xdc,0x3b,0x33, + 0x80,0x14,0x32,0xd2,0xb5,0xb5,0xe1,0x0a,0x77,0x00,0x83,0xb9,0x33,0xa8,0x05,0xa9, + 0xc7,0x6c,0xc2,0x6c,0x91,0x2f,0x95,0x2c,0xec,0x5f,0xd8,0x41,0x3a,0x8c,0x1a,0xda, + 0xee,0x80,0x14,0x9f,0xa1,0x98,0x55,0x31,0x50,0x75,0x82,0x52,0x92,0xdb,0x24,0xde, + 0x32,0x5f,0xa6,0xbf,0x3b,0x4c,0x06,0x65,0x2f,0xc8,0x32,0x0d,0xef,0x42,0x36,0xc0, + 0x88,0xdd,0x5a,0xe4,0x33,0x15,0xe0,0x36,0x72,0xfb,0x99,0x9c,0x35,0x4e,0xf6,0x1a, + 0xc3,0x80,0xb1,0xb1,0xc9,0x6d,0x71,0x1f,0xc7,0x77,0xe3,0x45,0xcc,0xb9,0x45,0x36, + 0x35,0x5a,0x32,0x14,0x66,0xee,0xdc,0xf2,0x35,0x5d,0xd5,0x1f,0x68,0x80,0x23,0xd6, + 0xb5,0x99,0x39,0x0f,0x3a,0xff,0x62,0x01,0x36,0x9d,0x81,0x03,0xaf,0x92,0x6c,0x83), + }, + { /* Message changed */ + .exp = FALSE, + .e = chunk_from_chars(0x73,0xb1,0x93), + .m = chunk_from_chars( + 0x46,0x21,0xb1,0x7c,0xd9,0xf5,0xb6,0x23,0xfe,0x73,0xb5,0xfe,0x28,0x0c,0xe9,0xac, + 0x84,0x08,0x05,0x60,0x8a,0xcd,0x6e,0x41,0xd5,0x5e,0xa7,0x11,0x32,0x22,0x0c,0x0d, + 0xf7,0xe7,0xc4,0x15,0x96,0x26,0xf1,0x0d,0x71,0x88,0x29,0x83,0xf0,0xaa,0x2a,0x92, + 0xd1,0x1d,0xc9,0x06,0xc0,0xb2,0x2c,0xc0,0x28,0xf4,0x39,0x5d,0x48,0xf5,0x4e,0x12, + 0x89,0x4e,0x33,0xda,0x0f,0x61,0x4d,0xd4,0x8e,0xe1,0x14,0xe6,0x5f,0x95,0xc7,0xa7, + 0xd3,0x58,0x5e,0x7c,0xc7,0x65,0xc0,0x01,0x78,0xd1,0x36,0xaa,0x99,0x59,0x1f,0xaa, + 0xa3,0x5e,0xe6,0x13,0x6d,0x2e,0x32,0x3f,0xfc,0x85,0x5c,0x70,0x9c,0x54,0x26,0xb3, + 0x2f,0xc0,0xaa,0x0a,0xc6,0x6e,0x90,0xc9,0x6e,0xfe,0x84,0x41,0x4d,0xd5,0xe7,0x9c), + .s = chunk_from_chars( + 0xb6,0x0a,0x4d,0xd6,0x29,0xd6,0x03,0x0f,0xe6,0x52,0x2f,0x6b,0x75,0x4f,0x0e,0x75, + 0x1d,0xe4,0xb2,0x55,0x2c,0x60,0x7e,0xfc,0xcb,0x2f,0x90,0xda,0x91,0x78,0x75,0x83, + 0xb6,0xfc,0x51,0xbc,0xb6,0x0a,0xb2,0x19,0x38,0xa4,0x8c,0xa6,0xab,0x3e,0xf8,0xab, + 0x75,0xb5,0x6a,0xbb,0x9d,0xf1,0xfa,0xa4,0xdb,0xd8,0x4b,0x41,0x20,0x66,0xf3,0xf9, + 0x2b,0xff,0x77,0x8a,0x89,0xf7,0xdf,0x4f,0x55,0x31,0x7c,0xbc,0x40,0xa7,0x80,0xfb, + 0x87,0xf0,0xc8,0x44,0xc2,0xd6,0x4e,0x23,0x24,0x74,0xa3,0xe9,0x31,0xc1,0x68,0xb3, + 0x30,0x86,0x65,0x79,0x68,0x5c,0x51,0xa5,0x93,0x7a,0x2e,0x80,0xea,0x2c,0x6e,0xd0, + 0x0f,0xe1,0x23,0xf1,0x4b,0xbe,0xf5,0x5c,0x97,0x74,0xbd,0x62,0x0e,0x1e,0x82,0x1e, + 0x01,0x28,0xcf,0x49,0xda,0xb6,0xf8,0x85,0x3c,0x08,0x80,0x1c,0x8a,0x00,0x91,0x9a, + 0x6c,0x01,0x3c,0x3a,0x83,0xf9,0x99,0xc6,0x6a,0x5c,0xb4,0x9c,0x91,0x86,0x5d,0xf6, + 0x0d,0xb8,0xbe,0x81,0x3b,0xc3,0xd8,0xb3,0x5d,0x85,0xd7,0x9c,0xf0,0x1a,0xbe,0xd2, + 0xf6,0x0f,0x60,0xed,0xc9,0x71,0x53,0x78,0x0c,0x0c,0x12,0xfe,0x45,0xe5,0xe4,0x87, + 0xfd,0x95,0x93,0x93,0x07,0x9d,0xbe,0xe5,0xaf,0x46,0xc0,0xa7,0xc4,0x21,0x4f,0xab, + 0x75,0xc5,0xb5,0xdd,0xd6,0xf0,0x28,0x86,0x69,0xe0,0xa9,0xbe,0x33,0xf4,0xb5,0x78, + 0x25,0x24,0xe8,0x38,0x31,0x5c,0xc0,0x31,0xd9,0x7b,0xeb,0x15,0x96,0x02,0x6f,0x12, + 0x9a,0x21,0xe9,0x61,0xdd,0xe6,0xbc,0x34,0xc4,0x92,0xf3,0x02,0x6a,0xf7,0xf5,0x03, + 0xb8,0xff,0x87,0xb7,0x77,0x56,0x19,0xf8,0xd1,0xe1,0x7f,0x97,0x2c,0x85,0x94,0x0a, + 0xff,0xbb,0x64,0xd3,0x31,0x0f,0xb9,0xf7,0x4d,0x9d,0x16,0xae,0xb0,0x77,0xb8,0xb9, + 0x97,0xb1,0x80,0x20,0xeb,0x99,0x2a,0xb6,0x13,0x22,0x84,0x7f,0xe6,0xcb,0x62,0xf7, + 0x3d,0x0a,0xbd,0x81,0x63,0x3a,0xc5,0xc5,0xbe,0x65,0x19,0xdd,0xbc,0x93,0x34,0xbb, + 0x56,0x44,0x9b,0xdf,0x96,0x93,0x0d,0x65,0xd8,0x06,0x1d,0xb8,0x91,0x1d,0x4e,0xd6, + 0xa5,0x9a,0xe8,0xd2,0x27,0x6d,0x04,0x59,0x6a,0x38,0x8e,0x75,0x2c,0xf9,0x9c,0xbd, + 0x39,0x5b,0x83,0x7e,0x7c,0x5a,0xee,0x27,0x8a,0x7c,0x4b,0x43,0xc7,0x8d,0x3d,0x74, + 0xc8,0x8f,0x49,0xcb,0xc8,0xd8,0x16,0xf5,0x3c,0xca,0x15,0x69,0x27,0xfb,0x92,0xd4), + }, + { + .exp = TRUE, + .e = chunk_from_chars(0x73,0xb1,0x93), + .m = chunk_from_chars( + 0x08,0x97,0xd4,0x0e,0x7c,0x0f,0x2d,0xfc,0x07,0xb0,0xc7,0xfd,0xda,0xf5,0xfd,0x8f, + 0xcc,0x6a,0xf9,0xc1,0xfd,0xc1,0x7b,0xeb,0xb9,0x23,0xd5,0x9c,0x9f,0xc4,0x3b,0xd4, + 0x02,0xba,0x39,0x73,0x8f,0x0f,0x85,0xf2,0x30,0x15,0xf7,0x51,0x31,0xf9,0xd6,0x50, + 0xa2,0x9b,0x55,0xe2,0xfc,0x9d,0x5d,0xdf,0x07,0xbb,0x8d,0xf9,0xfa,0x5a,0x80,0xf1, + 0xe4,0x63,0x4e,0x0b,0x4c,0x51,0x55,0xbf,0x14,0x89,0x39,0xb1,0xa4,0xea,0x29,0xe3, + 0x44,0xa6,0x64,0x29,0xc8,0x50,0xfc,0xde,0x73,0x36,0xda,0xd6,0x16,0xf0,0x03,0x93, + 0x78,0x39,0x1a,0xbc,0xfa,0xfe,0x25,0xca,0x7b,0xb5,0x94,0x05,0x7a,0xf0,0x7f,0xaf, + 0x7a,0x32,0x2f,0x7f,0xab,0x01,0xe0,0x51,0xc6,0x3c,0xc5,0x1b,0x39,0xaf,0x4d,0x23), + .s = chunk_from_chars( + 0x8e,0xbe,0xd0,0x02,0xd4,0xf5,0x4d,0xe5,0x89,0x8a,0x5f,0x2e,0x69,0xd7,0x70,0xed, + 0x5a,0x5c,0xe1,0xd4,0x5a,0xd6,0xdd,0x9c,0xe5,0xf1,0x17,0x9d,0x1c,0x46,0xda,0xa4, + 0xd0,0x39,0x4e,0x21,0xa9,0x9d,0x80,0x33,0x58,0xd9,0xab,0xfd,0x23,0xbb,0x53,0x16, + 0x63,0x94,0xf9,0x97,0xb9,0x09,0xe6,0x75,0x66,0x20,0x66,0x32,0x4c,0xa1,0xf2,0xb7, + 0x31,0xde,0xba,0x17,0x05,0x25,0xc4,0xee,0x8f,0xa7,0x52,0xd2,0xd7,0xf2,0x01,0xb1, + 0x02,0x19,0x48,0x9f,0x57,0x84,0xe3,0x99,0xd9,0x16,0x30,0x2f,0xd4,0xb7,0xad,0xf8, + 0x84,0x90,0xdf,0x87,0x65,0x01,0xc4,0x67,0x42,0xa9,0x3c,0xfb,0x3a,0xaa,0xb9,0x60, + 0x2e,0x65,0xd7,0xe6,0x0d,0x7c,0x4c,0xea,0xdb,0x7e,0xb6,0x7e,0x42,0x1d,0x18,0x03, + 0x23,0xa6,0xd3,0x8f,0x38,0xb9,0xf9,0x99,0x21,0x3e,0xbf,0xcc,0xc7,0xe0,0x4f,0x06, + 0x0f,0xbd,0xb7,0xc2,0x10,0x20,0x65,0x22,0xb4,0x94,0xe1,0x99,0xe9,0x8c,0x6c,0x24, + 0xe4,0x57,0xf8,0x69,0x66,0x44,0xfd,0xca,0xeb,0xc1,0xb9,0x03,0x1c,0x81,0x83,0x22, + 0xc2,0x9d,0x13,0x5e,0x11,0x72,0xfa,0x0f,0xdf,0x7b,0xe1,0x00,0x7d,0xab,0xca,0xab, + 0x49,0x66,0x33,0x2e,0x7e,0xa1,0x45,0x6b,0x6c,0xe8,0x79,0xcd,0x91,0x0c,0x91,0x10, + 0x10,0x4f,0xc7,0xd3,0xdc,0xab,0x07,0x6f,0x2b,0xd1,0x82,0xbb,0x83,0x27,0xa8,0x63, + 0x25,0x45,0x70,0xcd,0xf2,0xab,0x38,0xe0,0xcd,0xa3,0x17,0x79,0xde,0xaa,0xd6,0x16, + 0xe3,0x43,0x7e,0xd6,0x59,0xd7,0x4e,0x5a,0x4e,0x04,0x5a,0x70,0x13,0x38,0x90,0xb8, + 0x1b,0xc4,0xf2,0x4a,0xb6,0xda,0x67,0xa2,0xee,0x0c,0xe1,0x5b,0xab,0xa3,0x37,0xd0, + 0x91,0xcb,0x5a,0x1c,0x44,0xda,0x69,0x0f,0x81,0x14,0x5b,0x02,0x52,0xa6,0x54,0x9b, + 0xbb,0x20,0xcd,0x5c,0xc4,0x7a,0xfe,0xc7,0x55,0xeb,0x37,0xfe,0xd5,0x5a,0x9a,0x33, + 0xd3,0x65,0x57,0x42,0x45,0x03,0xd8,0x05,0xa0,0xa1,0x20,0xb7,0x69,0x41,0xf4,0x15, + 0x0d,0x89,0x34,0x2d,0x7a,0x7f,0xa3,0xa2,0xb0,0x8c,0x51,0x5e,0x6f,0x68,0x42,0x9c, + 0xf7,0xaf,0xd1,0xa3,0xfc,0xe0,0xf4,0x28,0x35,0x1a,0x6f,0x9e,0xda,0x3a,0xb2,0x4a, + 0x7e,0xf5,0x91,0x99,0x4c,0x21,0xfb,0xf1,0x00,0x1f,0x99,0x23,0x9e,0x88,0x34,0x0f, + 0x9b,0x35,0x9e,0xc7,0x2e,0x8a,0x21,0x2a,0x19,0x20,0xe6,0xcf,0x99,0x3f,0xf8,0x48), + }, + { /* Format of the EM is incorrect - 00 on end of pad removed */ + .exp = FALSE, + .e = chunk_from_chars(0x73,0xb1,0x93), + .m = chunk_from_chars( + 0x78,0x67,0xb6,0x5e,0xd9,0x82,0xed,0x6c,0xdd,0x2d,0x06,0x11,0x57,0xbe,0x90,0xf8, + 0x5b,0xcd,0x58,0x03,0x50,0xf1,0x25,0x31,0x45,0xcb,0xa5,0xc5,0x89,0x46,0xa8,0xa5, + 0x75,0x1c,0x8c,0x00,0x8d,0x9d,0xf8,0x33,0xc8,0xac,0xce,0xee,0x2b,0x0a,0x5a,0x92, + 0x9c,0xd7,0xd0,0xde,0xf6,0x55,0xf5,0xcb,0x59,0xf0,0x1c,0xb4,0xc4,0x7b,0x54,0xba, + 0xe5,0xbd,0xe0,0x67,0x2f,0x2c,0xe7,0x92,0x2e,0xf8,0x6d,0x82,0x17,0x4b,0x82,0x56, + 0xa4,0xd0,0xb9,0xa3,0x1e,0x72,0xdc,0x60,0xbb,0x66,0xde,0xff,0x2b,0x6b,0x11,0xdd, + 0x6e,0x50,0x99,0xdc,0xe8,0xb7,0x21,0x4e,0xb7,0x1a,0xcd,0x16,0x44,0x0b,0x6f,0x09, + 0x18,0xc0,0xfd,0x9b,0xf2,0xce,0x43,0xb7,0x16,0x35,0xd5,0xee,0xe7,0x9d,0x48,0xd4), + .s = chunk_from_chars( + 0x0a,0x61,0x70,0x81,0xdd,0x97,0x94,0xc9,0x37,0xe4,0xc7,0x16,0x3e,0x28,0x65,0x43, + 0x95,0x58,0xd4,0x1e,0x68,0x8b,0x23,0x0c,0x20,0xa1,0xea,0x71,0x84,0x66,0x43,0xb8, + 0x32,0x1d,0x77,0xca,0xd5,0x82,0xec,0x9a,0x70,0xf4,0x0d,0x7a,0x8e,0xd9,0xf7,0x22, + 0xc5,0xb9,0x01,0x2f,0x43,0x6c,0x7a,0x61,0x7d,0xed,0x2a,0xd1,0x86,0x43,0x45,0x7b, + 0x6f,0xd3,0x30,0x35,0xfc,0x2a,0x2c,0xbd,0x52,0xf3,0xda,0x41,0x58,0x01,0x5e,0x01, + 0xfa,0xb5,0x5b,0x4e,0x26,0xe2,0xde,0x96,0x02,0x10,0x1d,0xdb,0x86,0xe8,0xd2,0xae, + 0xb8,0x9b,0xf4,0x00,0x69,0x33,0xa1,0x1b,0x5f,0xbc,0xe2,0xbd,0x09,0xe3,0x1f,0xda, + 0x18,0xa8,0x2e,0xc4,0x05,0x91,0x0d,0xd3,0xd1,0xcf,0x1e,0x46,0x5c,0x17,0x68,0x72, + 0xda,0x3d,0xb1,0xc2,0xb3,0x08,0x9b,0x48,0xe7,0x68,0xef,0x15,0x5a,0xd5,0xf5,0x64, + 0x17,0x49,0x7a,0x64,0x8e,0xd0,0x42,0x7d,0x45,0xec,0xdd,0x03,0x8d,0x3c,0xc8,0xc8, + 0x7c,0xe9,0x9a,0x92,0xf0,0x8c,0x76,0x41,0xf7,0xfa,0x39,0xce,0xb4,0xec,0x83,0xec, + 0xe0,0x99,0x4a,0xc6,0x84,0x8b,0xb6,0xef,0xb4,0xe7,0x93,0x27,0x14,0x5e,0x53,0x96, + 0xb1,0x0f,0xaa,0x1a,0xc3,0xa6,0x3e,0xcd,0x4a,0x4a,0x2c,0x9c,0xba,0x94,0x6b,0x0e, + 0x5f,0x18,0x5b,0x2c,0xd1,0xa0,0x42,0x93,0xee,0x46,0x39,0x3d,0x37,0x4d,0xb8,0xbe, + 0x0a,0x84,0x93,0x77,0xeb,0x11,0x06,0x7e,0xad,0x3b,0x76,0xe5,0x14,0x55,0x1d,0x48, + 0x4d,0x5c,0x51,0x54,0x4a,0x1d,0x0d,0xa9,0x6c,0x17,0xb5,0xb2,0xef,0x95,0x3d,0xcd, + 0xc1,0xc6,0xd5,0x92,0x03,0x0e,0x46,0x8e,0xb8,0x18,0x6a,0x5b,0xf6,0x60,0xb7,0x1d, + 0xa5,0xd9,0x82,0xbc,0x54,0x24,0xcf,0x1a,0x4f,0x8c,0xe9,0x52,0xbc,0x76,0x3b,0x4e, + 0xaa,0xdb,0x2a,0x3f,0x78,0x7c,0x8a,0xf0,0x1d,0xf2,0xf4,0x3d,0xb5,0xe0,0xad,0x71, + 0x18,0x24,0xac,0xec,0xe2,0xd9,0x9d,0x5b,0xf9,0xfd,0xee,0x0f,0xdf,0x1f,0xdd,0x37, + 0x0e,0xc7,0x91,0xa9,0x46,0xa4,0xb6,0xaf,0x20,0xb2,0x77,0x47,0x9a,0x83,0x87,0x76, + 0xe9,0xc0,0x92,0x30,0xc3,0x63,0x25,0xb8,0xc8,0xef,0x84,0xdb,0x28,0x2f,0xe8,0x9c, + 0xed,0x24,0xb0,0xd7,0x86,0x9b,0x5d,0x24,0x6f,0xb3,0xc6,0x0f,0xcb,0x26,0x13,0x09, + 0x89,0x77,0x14,0xe8,0x70,0x19,0x5b,0x9b,0xee,0xd0,0xb2,0x65,0x80,0x0f,0xc6,0xe6), + }, + { /* Format of the EM is incorrect - hash moved to left */ + .exp = FALSE, + .e = chunk_from_chars(0x73,0xb1,0x93), + .m = chunk_from_chars( + 0x4d,0x36,0xeb,0x2c,0x3a,0xd2,0x33,0x43,0x69,0x23,0xe5,0x80,0xfa,0xdd,0xb4,0x5a, + 0xd3,0x59,0x67,0x10,0x8b,0xe8,0xd9,0x9a,0x87,0x67,0x45,0xdf,0x62,0x13,0xc0,0x28, + 0x92,0x9f,0x07,0xd5,0x49,0x84,0x7b,0x4f,0x9a,0x99,0x6a,0x3d,0xdd,0xe3,0x90,0xfb, + 0x54,0xae,0xde,0x47,0x0f,0xdc,0x7a,0x3e,0x0c,0x7e,0x06,0x88,0xa3,0xa1,0x25,0xcf, + 0x21,0x6a,0x3b,0x75,0xb4,0x66,0x75,0x86,0x87,0x1b,0x0a,0xeb,0x2d,0xe3,0xc0,0xe1, + 0x43,0xfa,0xb1,0xaa,0x51,0xd5,0x4f,0x82,0xf2,0xb5,0xa6,0xd5,0x35,0x7d,0xe1,0xaf, + 0x42,0xc0,0x10,0x74,0x41,0x1f,0x28,0xd1,0x77,0xd2,0x4b,0xf2,0xb2,0x84,0x4a,0xf6, + 0xe8,0x64,0x69,0xa0,0x1b,0x79,0x62,0x4f,0x7f,0x35,0xac,0x30,0xdf,0x4e,0xfc,0xb2), + .s = chunk_from_chars( + 0x81,0x38,0x92,0x2f,0xd1,0xa8,0x73,0x33,0xf1,0x31,0x6e,0x20,0x7e,0x58,0x51,0xaf, + 0x65,0xf2,0x7d,0x9f,0x5c,0xda,0x0f,0x7b,0x7c,0xab,0x00,0x54,0xa2,0xde,0xab,0x0a, + 0x5c,0x24,0x6f,0x18,0x34,0xb8,0xfa,0x0a,0x9a,0xe7,0x55,0xb6,0xad,0xd3,0xb6,0xdd, + 0x93,0xc6,0x94,0xfa,0x49,0xbe,0xa2,0x8a,0x56,0x35,0xe5,0x6d,0x98,0x41,0xd2,0x83, + 0x32,0x0e,0x7a,0x6f,0x98,0x12,0xc1,0x02,0xa6,0x0f,0xc2,0x50,0x5a,0x08,0x1e,0xe3, + 0x84,0x9f,0x81,0x51,0x91,0xb9,0xd7,0xa6,0xc4,0x1d,0xb6,0x7a,0xa1,0xa0,0x53,0xf2, + 0x2d,0x15,0x14,0x22,0x6a,0xad,0x39,0x22,0xcb,0x0b,0x5b,0xe7,0xdc,0x86,0xd6,0xcd, + 0x5d,0xaf,0x28,0xba,0xda,0x17,0x9f,0xbe,0xda,0x50,0x37,0x2b,0xce,0xe5,0xfd,0x8b, + 0x56,0x7c,0xa1,0x82,0x6b,0x08,0x1c,0xc0,0xe6,0xcf,0x58,0xcd,0x7e,0xd9,0x35,0xc6, + 0x92,0x2b,0x92,0x4b,0xed,0xd7,0xe4,0xf3,0xd4,0x8f,0x19,0x95,0xa5,0x6b,0xb1,0xd8, + 0xaf,0xf5,0x50,0x5e,0xa9,0x7c,0x56,0xcd,0xcb,0xaa,0x8e,0x93,0x25,0x4e,0x8c,0x6a, + 0x39,0xdb,0x12,0x76,0xc6,0xf5,0x3a,0x65,0x51,0xf1,0x62,0xf4,0x03,0x18,0x2b,0x4b, + 0xca,0x89,0x2a,0x6c,0xf5,0x27,0xc4,0xf9,0x62,0x96,0xb2,0xce,0x17,0xff,0xdf,0xa0, + 0x34,0x7d,0x52,0x90,0x94,0x0d,0x81,0xed,0x99,0xa3,0xe8,0xb0,0x0e,0x85,0x9d,0xc0, + 0xbc,0xb8,0x3e,0x90,0xe9,0xcd,0x9a,0x5b,0x64,0xcb,0x9d,0xb1,0xf3,0xf0,0x1d,0x26, + 0xd0,0x88,0x35,0xff,0xdf,0xe4,0x05,0x3d,0x9c,0x79,0x20,0x96,0x3b,0x07,0xfb,0x19, + 0x9e,0x5c,0x01,0xd4,0x4d,0x41,0x82,0x58,0x61,0x04,0x85,0x02,0x13,0xf8,0xca,0x60, + 0xc0,0x08,0x1e,0x62,0xb5,0xfe,0xcb,0xad,0x7e,0xce,0xd9,0x3c,0x35,0xa1,0x37,0x4d, + 0x27,0xb6,0x71,0x50,0xdd,0xfb,0x44,0xac,0x68,0xf6,0xaa,0x00,0xb5,0x5e,0x38,0xe6, + 0x81,0xb4,0x56,0xe6,0x06,0x55,0x26,0x1d,0x8d,0xae,0x04,0x7d,0x67,0xa4,0xee,0x2c, + 0x55,0xec,0xf2,0x13,0x57,0x1d,0xa1,0xdf,0x54,0x9a,0x48,0x89,0xea,0x3a,0x28,0x5b, + 0x5b,0x2f,0xe0,0x70,0x7d,0x74,0xd4,0x70,0xc7,0xec,0xe3,0xa2,0x15,0x26,0xf5,0xd4, + 0xaf,0x70,0x85,0xdd,0x11,0xe6,0xaf,0x40,0x51,0x52,0xa0,0x51,0x10,0xfc,0xd6,0xaa, + 0x06,0xce,0x93,0xf1,0xd2,0xba,0xba,0x3e,0xd5,0xdb,0x73,0x29,0x3f,0x97,0x7e,0xf1), + }, + { /* Signature changed */ + .exp = FALSE, + .e = chunk_from_chars(0x73,0xb1,0x93), + .m = chunk_from_chars( + 0xe2,0xa9,0x2b,0x14,0x3c,0x8a,0x00,0x6c,0xee,0x8a,0xfe,0xbb,0x66,0x31,0x19,0x74, + 0x5d,0x26,0xf4,0xff,0xac,0xaa,0x53,0x5c,0x61,0x65,0xd3,0x0a,0x12,0x65,0xd9,0x27, + 0x71,0x64,0xc8,0xd8,0x21,0x49,0x77,0xeb,0xc8,0xf2,0xe2,0xbb,0x66,0x31,0x1f,0x54, + 0xe5,0x14,0x94,0xd8,0xf1,0x6a,0x68,0x22,0x09,0x82,0x37,0xa8,0xd6,0x36,0x0a,0xa6, + 0xbc,0x28,0x86,0x79,0xb0,0x4c,0x63,0x48,0x49,0xa7,0x20,0xea,0x19,0x56,0xf5,0x04, + 0x3d,0xd1,0x0a,0x72,0x33,0x71,0xe6,0xe9,0xec,0x30,0x2a,0xda,0x22,0xb1,0x7f,0x99, + 0xec,0x80,0xcd,0xbe,0x90,0x9a,0xae,0xcc,0x98,0x30,0x22,0x10,0x28,0xa8,0x84,0xcc, + 0x8e,0xe5,0xbc,0x95,0x1b,0xc8,0xb7,0xfa,0x31,0xf6,0x14,0x66,0x9e,0xdc,0x20,0x48), + .s = chunk_from_chars( + 0xc8,0x1a,0xc3,0x94,0xf8,0x2c,0xb2,0x7d,0x75,0x95,0x07,0x59,0x22,0x4b,0x17,0x87, + 0xf8,0x72,0x25,0xae,0x55,0x49,0xbe,0x13,0xdc,0x1f,0x74,0x32,0x6e,0xb6,0x68,0xe5, + 0xe0,0x9d,0x03,0xe0,0x3e,0xcf,0x03,0x9f,0xd0,0x8d,0xc3,0x01,0xe7,0x0b,0xd0,0x79, + 0x92,0xb2,0x0a,0x27,0x57,0xb5,0x76,0x6b,0xf6,0x22,0x05,0x2d,0x69,0xfb,0xfb,0xfa, + 0xca,0x96,0x4d,0xa3,0x3a,0xf7,0x1c,0x87,0x87,0xeb,0xa9,0xed,0x5c,0xaf,0x1b,0xf8, + 0x6e,0x48,0x58,0x7d,0x26,0xb2,0x1f,0x9f,0x1b,0xe6,0x01,0x24,0x6e,0x1d,0x9c,0xdc, + 0xea,0x9a,0xf7,0x79,0x6a,0xe3,0x0d,0xd6,0xbc,0xbf,0x1b,0x25,0x73,0x4f,0x89,0xe8, + 0x6a,0xe9,0x05,0x1c,0x7a,0x2c,0xf3,0x73,0x09,0x14,0x40,0x6f,0x15,0x41,0xbe,0xed, + 0x81,0x2a,0xc6,0xc9,0xe1,0x8c,0xfd,0x5b,0xf2,0x65,0x52,0x33,0x60,0x01,0x88,0x60, + 0x14,0x1b,0xcf,0xc5,0x1c,0x89,0xef,0x87,0x96,0x36,0xae,0x2d,0x7f,0x7e,0x41,0xe3, + 0x13,0x37,0xf7,0xaf,0xc3,0xe2,0x01,0xc6,0x80,0x5a,0x76,0xaf,0x89,0xdc,0x9e,0xa7, + 0x74,0x13,0xbe,0x1f,0x13,0x38,0xe8,0x45,0xe9,0xd1,0x6c,0xf8,0x6e,0x5e,0x04,0xa5, + 0x2d,0x8b,0x57,0x94,0x21,0x29,0x6f,0xa7,0x02,0xad,0x07,0xec,0xbf,0xa0,0x23,0x7a, + 0xc9,0x96,0xee,0x2e,0x91,0xee,0xac,0x8e,0xf4,0x89,0x02,0xa7,0x6c,0x94,0x7b,0x50, + 0x1e,0x26,0x5c,0x4b,0x3f,0xbd,0x0c,0x51,0x6a,0x04,0x16,0xea,0x13,0xc7,0x9b,0x7e, + 0x5d,0x5b,0x94,0x35,0xae,0xf3,0xf3,0x71,0xd3,0x8f,0xf9,0xdf,0x8f,0xdd,0xed,0x2f, + 0x26,0x5b,0x27,0xda,0x5a,0x84,0xfe,0x54,0x43,0x63,0x5e,0x26,0x08,0x07,0xdb,0x9a, + 0x15,0x51,0x38,0x7e,0x6c,0x9c,0x59,0x64,0x98,0xd2,0x80,0xd9,0x17,0x0d,0xaa,0x62, + 0x95,0x4e,0xd3,0x2b,0x14,0xd0,0x44,0x98,0x0e,0xca,0x76,0xa8,0xdb,0x63,0x48,0x3d, + 0x8c,0x4c,0xbf,0xa6,0x69,0xec,0x14,0x0e,0x7c,0x4a,0x30,0x4c,0xc1,0x5e,0x46,0x8d, + 0x96,0xff,0xf3,0x4d,0x77,0x69,0x25,0x81,0xb1,0x0e,0x7d,0x25,0xef,0x07,0x5d,0x65, + 0x27,0x58,0xf5,0x0e,0x9a,0xc4,0xcf,0x98,0x48,0x46,0x63,0x88,0x05,0x15,0x18,0xcf, + 0x93,0xe1,0x83,0xf9,0x10,0xa4,0xf5,0x03,0xfb,0xeb,0x65,0x4f,0x4b,0x94,0x24,0xdb, + 0xad,0xf6,0x1d,0x2d,0x50,0xf6,0x0f,0x8f,0x02,0xb4,0xea,0x0e,0x7b,0xc3,0xb3,0x98), + }, + }, +}, +{ + .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, }, + .n = chunk_from_chars( + 0x99,0xa5,0xc8,0xd0,0x94,0xa5,0xf9,0x17,0x03,0x46,0x67,0xa0,0x40,0x8b,0x7e,0xcf, + 0xca,0xac,0xc3,0xf9,0x78,0x44,0x44,0xe2,0x17,0x73,0xc3,0x46,0x1e,0xc3,0x55,0xf0, + 0xd0,0xf5,0x2a,0x5d,0xb0,0x56,0x8a,0x71,0xd3,0x88,0x69,0x67,0x88,0xef,0x66,0xae, + 0x73,0x40,0xc6,0xb2,0x8d,0xbf,0x92,0x5f,0xe8,0x35,0x57,0x98,0x65,0x75,0xf7,0x9c, + 0xca,0x69,0x21,0x72,0x21,0x39,0x7e,0xd5,0x80,0x8a,0x26,0xf7,0xe7,0xe7,0x14,0xc9, + 0x32,0x35,0xf9,0x14,0xd4,0x5c,0x4a,0x9a,0xf4,0x61,0x9b,0x20,0xf5,0x11,0xad,0x64, + 0x4b,0xd3,0x41,0x2d,0xfd,0xf0,0xff,0x71,0x7f,0x7a,0xac,0x74,0x6f,0x31,0x0b,0xfa, + 0x9a,0x14,0x1a,0xc3,0xdb,0xf0,0x1c,0x1f,0xc7,0x4f,0xeb,0xd1,0x97,0x93,0x84,0x19, + 0xc2,0x62,0x29,0x35,0x05,0xc3,0x5f,0x40,0x2f,0x90,0x53,0xad,0x13,0xc5,0x1a,0x59, + 0x60,0xec,0xde,0x55,0xec,0x82,0x9e,0x95,0x3f,0x94,0x1a,0xf7,0x33,0xe5,0x87,0x05, + 0x91,0x37,0x67,0xe7,0xa7,0x20,0x0d,0x1d,0x09,0xe7,0xe7,0xe2,0xd2,0x69,0xfa,0x29, + 0xa5,0x58,0xbb,0x16,0x30,0x4b,0x05,0x9f,0x13,0xf4,0xca,0x56,0x0a,0x81,0x01,0xfe, + 0x37,0x20,0xb4,0xa7,0x79,0xec,0x12,0x64,0x27,0x32,0x6c,0xaa,0x13,0x2a,0x3d,0x36, + 0x11,0xd7,0xdb,0xc5,0x03,0x36,0xfa,0xc7,0x89,0xec,0x40,0x6b,0x39,0x7e,0x1e,0x36, + 0xd7,0xda,0xf9,0xb6,0x24,0xbf,0x63,0x9c,0x82,0xb8,0x59,0x28,0x87,0x47,0x69,0x0c, + 0x73,0x0c,0x98,0x0b,0x2f,0x5a,0x23,0x9d,0xd9,0x5a,0xd5,0x38,0x9a,0x2e,0xc9,0x0c, + 0x57,0x78,0x60,0x47,0x13,0x71,0x03,0x83,0xae,0x55,0xd4,0xd2,0x8c,0x06,0xd4,0xac, + 0x26,0xf0,0xd1,0x23,0x1f,0x1d,0x67,0x62,0xc8,0xe0,0xd9,0x18,0x11,0x81,0x56,0xbc, + 0x63,0x77,0x60,0xda,0xea,0x18,0x47,0x46,0xb8,0xdc,0xf6,0xf6,0x1d,0xb2,0x74,0xa7, + 0xdd,0xce,0xaa,0x07,0x49,0x37,0xab,0xab,0xad,0x45,0x49,0xb9,0x7a,0xb9,0x92,0x49, + 0x4a,0x80,0x72,0x08,0xab,0xd7,0x89,0x82,0x3f,0x5d,0x75,0xc4,0xb9,0x94,0x08,0x9c, + 0x80,0x72,0xcf,0xc2,0x54,0xe0,0xd8,0x20,0x2f,0xd8,0x96,0x47,0x6e,0x96,0xad,0x9d, + 0x30,0x9a,0x0e,0x8e,0x73,0x01,0x28,0x2f,0x07,0xeb,0x2a,0xe8,0xed,0xef,0xb7,0xdb, + 0xbe,0x13,0xb9,0x6e,0x8b,0x40,0x24,0xc6,0xb8,0x4d,0xe0,0xa0,0x5e,0x15,0x02,0x85), + .tests = { + { /* Format of the EM is incorrect - hash moved to left */ + .exp = FALSE, + .e = chunk_from_chars(0x08,0xa6,0x49), + .m = chunk_from_chars( + 0x4d,0x44,0x66,0x5e,0x0e,0x29,0x87,0xcf,0x7d,0xd1,0xe9,0xd6,0x20,0x01,0x51,0xf5, + 0x00,0xea,0x3b,0x85,0xa2,0x4f,0x72,0xfb,0x38,0xe5,0xdd,0x69,0x19,0xff,0x9c,0x48, + 0x6f,0x6a,0x54,0x74,0x2f,0x96,0xc6,0x78,0x4f,0xf7,0xa7,0x0c,0x33,0xab,0xab,0xdc, + 0x68,0x5d,0xe4,0x8b,0x94,0x69,0x4a,0xf8,0xad,0x41,0x9b,0xc0,0x6a,0x0f,0x65,0x04, + 0xf7,0x9c,0x60,0x6c,0xed,0x70,0x02,0x6b,0x81,0x3b,0x4e,0xc5,0xfc,0x73,0xed,0x4f, + 0x6b,0x3f,0x7f,0xf6,0x97,0x94,0x33,0x03,0x37,0x9d,0x95,0x9e,0x65,0x61,0xa8,0x90, + 0x4f,0xa0,0x35,0x4d,0x2f,0xfd,0x62,0x31,0x7d,0x63,0x86,0x0a,0x62,0xa1,0x3c,0xd7, + 0x71,0x57,0xb7,0xcf,0x92,0x16,0x55,0xa5,0x3e,0xc3,0x76,0x0b,0xf2,0x3c,0x8e,0x75), + .s = chunk_from_chars( + 0x4f,0x48,0xe5,0x1a,0x04,0x1e,0x40,0xa0,0x29,0xd5,0x86,0xcb,0x7a,0xfd,0x7e,0xc1, + 0x10,0x31,0xf8,0x6d,0x7b,0xee,0x58,0xfc,0x13,0xa9,0x22,0x7d,0xd2,0x09,0xf1,0xd7, + 0xbe,0xcf,0x32,0x09,0xcd,0x43,0x05,0x5e,0x93,0x16,0x5f,0x04,0xf2,0x32,0x76,0xd4, + 0x6b,0x0b,0x64,0x66,0x9b,0x88,0xc2,0xba,0x54,0xad,0x6b,0xcb,0x5e,0x9d,0xa8,0x18, + 0x10,0x01,0x4e,0x14,0x0e,0xd0,0xa1,0x42,0x34,0xb1,0xfc,0x0f,0xa4,0xcf,0xa4,0xf2, + 0x58,0xa7,0xb5,0xcf,0x73,0xa3,0x36,0x53,0x4f,0x37,0x58,0x0a,0x38,0x30,0x87,0x5f, + 0x31,0x19,0x09,0x2e,0x48,0x54,0xfa,0x80,0xd8,0x78,0x33,0xf7,0xe9,0x62,0x7a,0xb5, + 0x1e,0x05,0x6a,0x8d,0xef,0xf3,0xa4,0x51,0xe8,0xaa,0xd7,0x83,0x35,0x81,0x6b,0x53, + 0xae,0x0d,0x89,0x9b,0x06,0x07,0x40,0x3b,0xf0,0x8e,0x8c,0x32,0xe1,0xcf,0x0b,0xaa, + 0x8f,0xe0,0xd7,0x8d,0x1b,0x8d,0x72,0xf8,0x5f,0x17,0xc1,0xc5,0xb8,0x87,0x0c,0xec, + 0x49,0x94,0x97,0xb4,0x2d,0xe9,0x82,0x40,0x8f,0xba,0xdb,0xe3,0xb4,0x5a,0x13,0xb4, + 0xb5,0x37,0x1c,0xe2,0xa4,0xd9,0x60,0x0b,0x7d,0x14,0x01,0x16,0x25,0xcb,0xe7,0x3a, + 0x79,0x31,0x39,0x54,0xf4,0xf3,0xec,0x0b,0x3b,0xf6,0xdc,0x94,0x52,0x97,0x32,0x5e, + 0x3a,0xaf,0x5b,0xc8,0x9a,0x27,0x67,0x0f,0x5b,0x25,0x36,0xa5,0x4c,0xae,0xa3,0xbc, + 0x66,0x41,0xae,0x62,0x8a,0x9a,0x4d,0xa6,0x1d,0xe7,0x49,0x66,0x1a,0x93,0xb6,0xae, + 0x68,0x72,0x2d,0x10,0xd7,0x90,0x2b,0x39,0x1f,0x9e,0x9e,0xbf,0x3a,0xb9,0xc1,0x86, + 0x01,0x7b,0x52,0xea,0xc6,0xfd,0x44,0x2a,0x25,0x6f,0xe7,0xc9,0x50,0x01,0x65,0xe3, + 0xc7,0xa4,0x02,0xaa,0x01,0x74,0xe6,0xb6,0xf3,0x5e,0x4e,0x12,0xe3,0x5a,0x9d,0x42, + 0x9b,0x21,0xf6,0xcc,0x98,0xeb,0xa7,0x3c,0x80,0xed,0x8a,0xc3,0x3a,0xcd,0x79,0x48, + 0x8e,0x62,0x0b,0x27,0x49,0x23,0xe7,0x8c,0xe5,0xd9,0x1a,0x61,0x96,0xca,0x59,0x05, + 0x4f,0xa7,0x7c,0xd6,0x7e,0x0d,0x3f,0xc0,0x4d,0x71,0xb9,0x4b,0x0c,0xda,0x54,0x78, + 0xf1,0xb3,0xd6,0x91,0x50,0xf4,0x09,0x27,0xc1,0xab,0x39,0x20,0x36,0x58,0x36,0x09, + 0xd8,0xef,0xda,0x3f,0xe4,0x86,0x43,0xef,0x2f,0x75,0xf1,0x16,0x4e,0xa7,0xf2,0x55, + 0x89,0xb5,0xbb,0xb5,0x60,0xc9,0xa0,0x42,0x40,0x8f,0x85,0x94,0x4c,0xa0,0x8f,0x92), + }, + { /* Format of the EM is incorrect - 00 on end of pad removed */ + .exp = FALSE, + .e = chunk_from_chars(0x08,0xa6,0x49), + .m = chunk_from_chars( + 0x1a,0xbc,0xa8,0xd8,0x1c,0xc9,0x8a,0x5d,0x50,0x20,0xe9,0x50,0x80,0xb5,0xfc,0xe5, + 0x9f,0xfe,0x70,0xdc,0xff,0x54,0x48,0x02,0xc4,0x9d,0xe7,0xfa,0x99,0x28,0x6b,0x3d, + 0xa1,0xd8,0x3d,0x60,0xb0,0x85,0xe6,0x96,0xbc,0x9f,0x25,0x75,0x8e,0x14,0x3e,0xfd, + 0xbd,0x74,0x94,0xd6,0xdd,0x54,0x7a,0xd9,0xf4,0xf0,0x47,0xd2,0x2d,0x14,0xa8,0x84, + 0xd1,0x3c,0x3b,0xee,0x72,0xfa,0x59,0xcd,0x6a,0x98,0x33,0x62,0x84,0xfe,0x20,0x75, + 0xf8,0xd7,0x35,0x9a,0x9d,0xf0,0x17,0xb3,0x5a,0xe0,0x0d,0xb6,0xdd,0xee,0x59,0xb1, + 0x90,0x2f,0xc9,0x0b,0xc9,0xef,0x89,0x0c,0x42,0x52,0x3b,0x9f,0xc8,0x3b,0x49,0x57, + 0x37,0x6d,0x7a,0xb1,0xa5,0xf1,0xc4,0x99,0xde,0xb7,0x62,0x2f,0x11,0x80,0x26,0xca), + .s = chunk_from_chars( + 0x85,0xe1,0x57,0x65,0xa4,0x01,0xc1,0x0d,0x86,0xac,0xf3,0xa0,0x5f,0xab,0x14,0xe0, + 0x54,0x87,0xb7,0x93,0x56,0x9a,0xe6,0x80,0xf7,0x7d,0x20,0xc2,0x5b,0x17,0x63,0xd1, + 0x84,0x63,0x4f,0xa0,0xb0,0x1d,0x97,0x9d,0xce,0x9d,0x80,0x36,0x70,0xd7,0xf9,0xf6, + 0xad,0xcd,0x59,0x47,0x6f,0xb1,0xc8,0xc3,0xaa,0xe5,0x12,0xf9,0x4a,0x9c,0xcf,0x6e, + 0x57,0x3a,0xee,0x6a,0x28,0xc0,0xdc,0xfd,0x2d,0xae,0x85,0x22,0x68,0x5f,0x03,0xec, + 0xec,0x8c,0x04,0x50,0x36,0xd1,0xcb,0x05,0x4a,0x08,0x64,0x54,0xa2,0x83,0x26,0xd5, + 0x31,0x9b,0xc7,0x00,0x4b,0xc8,0x7c,0x75,0x66,0xa5,0x68,0x52,0x55,0x8f,0x58,0x3a, + 0x38,0xa4,0xe7,0xe7,0xbe,0x79,0x81,0xdc,0xf3,0xec,0x41,0xc1,0x23,0x45,0xf8,0x45, + 0x40,0x97,0x92,0xed,0x87,0xb3,0xf1,0xb8,0xfc,0x89,0xc2,0x88,0xa2,0x96,0x8e,0x73, + 0x27,0x3a,0x36,0xf2,0xb6,0x72,0x58,0xfc,0x67,0xe8,0x88,0x60,0x85,0x66,0xa2,0x3a, + 0x6a,0x56,0x45,0x32,0x8f,0x1e,0xdd,0x8c,0x10,0x59,0x93,0xb4,0x86,0xeb,0x33,0x35, + 0x23,0x22,0x12,0xa1,0xdc,0xfd,0x5d,0xa4,0x0f,0xb3,0x90,0x2f,0xd2,0xcf,0xa8,0x6e, + 0x85,0x88,0xeb,0x3c,0x40,0xdf,0x8d,0x9e,0xdf,0x3c,0x41,0x93,0x4c,0xe9,0x1b,0x50, + 0xc0,0xd5,0xca,0x1a,0x38,0x40,0xca,0x40,0xe3,0xc8,0x41,0xb3,0x95,0x20,0xcb,0x5e, + 0x56,0x54,0xaf,0x39,0x61,0xec,0x94,0x08,0xd2,0x2e,0xdb,0x34,0x50,0x27,0xee,0xa7, + 0x11,0x9d,0xd5,0x52,0x65,0x63,0x42,0xe3,0x16,0xc6,0x0c,0x5f,0x5d,0xa0,0x28,0x30, + 0x8b,0x03,0x1b,0xac,0xc7,0x4d,0x1f,0xdd,0x69,0x07,0xbc,0x69,0x44,0xfb,0x85,0x60, + 0x82,0xcb,0x14,0xf1,0x2c,0xb5,0x09,0xca,0x4e,0xfb,0x51,0x6e,0xd0,0xc6,0x08,0x96, + 0x77,0x1b,0x47,0x84,0x42,0x02,0x69,0x13,0xe6,0x1a,0x32,0x61,0x1d,0xde,0x1a,0x88, + 0x07,0xf2,0xe1,0xcb,0x76,0xd0,0xc0,0xc6,0x9c,0x70,0x5b,0xeb,0x8f,0xe7,0x13,0xe8, + 0x48,0xcc,0x03,0xb1,0xef,0x89,0x65,0x26,0x7c,0xfc,0x3e,0xbd,0x43,0xf0,0x00,0x1b, + 0x33,0xb9,0xe9,0xad,0x41,0x8e,0xe0,0xd5,0x92,0xf1,0x84,0xd2,0x02,0x33,0x1d,0x4b, + 0x51,0xa9,0x6a,0x17,0xb0,0x14,0xd4,0x71,0x38,0xf2,0x8c,0xaa,0x39,0xd9,0xdf,0xbd, + 0xa6,0x08,0x94,0x95,0x6d,0x0c,0x04,0x3e,0x42,0x92,0x87,0x7f,0x04,0x4b,0x55,0xa2), + }, + { /* Signature changed */ + .exp = FALSE, + .e = chunk_from_chars(0x08,0xa6,0x49), + .m = chunk_from_chars( + 0x20,0x85,0xe8,0xb9,0x46,0xd2,0x05,0x97,0x52,0xf8,0xf0,0xfe,0xe5,0x28,0xe7,0xc4, + 0xcc,0x0a,0xc1,0xfa,0x24,0x53,0x2c,0x1e,0xc2,0x9a,0x3a,0x92,0xd2,0x68,0x1c,0x4d, + 0xbd,0x8e,0x2d,0xd1,0x51,0xbb,0x32,0x5d,0x1c,0x4d,0xdf,0x63,0x18,0x68,0x9e,0x3c, + 0x8e,0x45,0x8d,0x1b,0x34,0xcd,0xc5,0x40,0x98,0x67,0xe2,0x6e,0xc2,0x0e,0xc0,0x9e, + 0x15,0xa6,0x82,0xf5,0x77,0x90,0xd9,0xf4,0xb2,0x7c,0x83,0xef,0x19,0x7e,0x11,0xc0, + 0x6e,0x65,0xee,0xbc,0x03,0x48,0x9d,0xe6,0x20,0x61,0x42,0x63,0xa5,0x1e,0x64,0x2e, + 0xf0,0x76,0xf1,0x0d,0x01,0x7a,0x82,0xc4,0xdc,0x2c,0xe1,0x88,0x2f,0x93,0xc9,0xb6, + 0x35,0x0f,0xec,0xc5,0xda,0xeb,0x3a,0x7a,0x20,0x31,0x61,0x5a,0xc1,0xc2,0x90,0x65), + .s = chunk_from_chars( + 0x65,0xbd,0x57,0xd4,0xa3,0x74,0x95,0xd5,0x4e,0xec,0x7f,0x63,0x21,0xf7,0x10,0x1a, + 0x46,0x43,0xd9,0x43,0x2a,0x2a,0xfc,0x8e,0xaa,0x14,0x7f,0xb2,0x9e,0x7a,0xb1,0x10, + 0x6e,0xb3,0x1a,0x6e,0xa7,0xae,0x3b,0x48,0xe4,0x0d,0xe6,0x3c,0xc3,0x68,0xe7,0xa6, + 0xdf,0x4c,0x99,0x82,0x59,0xc5,0x9c,0xe4,0x0b,0x8a,0xc2,0xf8,0x76,0x3b,0xee,0x91, + 0x92,0x41,0x7d,0x20,0x20,0xcb,0xe1,0x79,0xbb,0xa8,0xae,0xe9,0xbe,0x89,0x71,0x46, + 0x6f,0x5e,0x53,0xb3,0xf8,0x20,0x04,0xab,0x6a,0xa5,0x29,0xd0,0x85,0x45,0xbd,0x89, + 0x44,0x35,0xd8,0xdc,0xee,0xb3,0xa8,0xe9,0x05,0x91,0x6b,0xbd,0xb0,0x15,0xbf,0xf6, + 0x5e,0x9e,0x79,0x2a,0x88,0xe1,0xc8,0x44,0x9f,0x41,0x1e,0xda,0xcb,0xa5,0x04,0xcd, + 0x07,0x30,0x60,0x5d,0xc8,0x3f,0xee,0x64,0xf8,0xdd,0x17,0xf5,0x77,0x07,0x56,0x94, + 0x40,0x2f,0x18,0x62,0x79,0x0d,0x96,0x29,0xf9,0xfa,0x8a,0xc3,0xab,0x4e,0xe3,0x41, + 0xdd,0x39,0x79,0xeb,0x17,0x15,0xc4,0xf7,0x42,0xfb,0xd8,0x9b,0xa3,0xb9,0x05,0x65, + 0xea,0x45,0x87,0x43,0x85,0x62,0x49,0x3f,0x61,0x1d,0x5a,0xc9,0x98,0x9f,0xd4,0x05, + 0xa0,0x1d,0x23,0xb1,0x34,0x69,0xa2,0xa7,0xa8,0x5b,0x00,0x47,0x48,0x3a,0x66,0x5c, + 0xe3,0x89,0x9a,0x41,0x21,0x07,0xca,0xcc,0x11,0x08,0x7c,0xb2,0x60,0x7b,0xa9,0xd0, + 0x40,0x91,0xc4,0x18,0x24,0x72,0x42,0xcd,0x8d,0x81,0x9a,0xe1,0x7e,0x49,0xa2,0x1b, + 0xc4,0xf9,0x66,0xac,0x3d,0x37,0xd2,0xa6,0x1a,0x8b,0xfe,0xed,0xe0,0xf2,0xef,0x2d, + 0xa3,0xaa,0x32,0xbc,0x38,0xab,0xb6,0xa1,0x6a,0x44,0x75,0xe9,0x67,0x2c,0x4a,0xaa, + 0x31,0xd2,0xe8,0x27,0x7f,0x3d,0xd9,0x66,0x3f,0x39,0x60,0xf1,0x6c,0x01,0x99,0x8d, + 0x50,0xa9,0x9b,0xcc,0x68,0x1e,0xa0,0x2b,0x13,0x75,0x55,0xaf,0x2c,0xdd,0x28,0xea, + 0x43,0x28,0x15,0x88,0x06,0x6b,0xc5,0x5c,0x8f,0x7a,0xab,0x45,0xde,0xdf,0xa2,0xf6, + 0xbe,0xfb,0x5b,0x13,0x91,0x1c,0xb9,0xce,0xc2,0xb3,0xfb,0x07,0xbc,0x00,0xb2,0xda, + 0xca,0xff,0x82,0x37,0x20,0x1d,0x3e,0xbe,0xac,0x57,0x50,0x83,0x01,0x16,0x24,0xb4, + 0xbe,0x01,0x83,0x79,0x51,0x4d,0xec,0x97,0x20,0x9f,0xaa,0x29,0xb1,0xf9,0x3f,0xda, + 0x75,0xf0,0x77,0x0f,0x3c,0x73,0xe7,0x00,0xa2,0xe4,0x84,0x53,0x06,0x7c,0x90,0x9e), + }, + { + .exp = TRUE, + .e = chunk_from_chars(0x08,0xa6,0x49), + .m = chunk_from_chars( + 0xcc,0x21,0x59,0x3a,0x6a,0x0f,0x73,0x7e,0x29,0x70,0xb7,0xc0,0x79,0x84,0xb0,0x70, + 0xd7,0x61,0x72,0x62,0x96,0xa0,0x7e,0x24,0xe0,0x56,0xe6,0x8f,0xf8,0x46,0xb2,0x9c, + 0xc1,0x54,0x81,0x79,0x84,0x3d,0x74,0xdc,0xee,0x86,0x47,0x98,0x58,0xb2,0xc1,0x6e, + 0x4c,0xb8,0x4f,0x25,0x44,0xb4,0xec,0xdc,0xb4,0xdd,0x43,0xa0,0x4b,0xb7,0x18,0x3a, + 0x76,0x8a,0xe4,0x4a,0x27,0x12,0xbf,0x9a,0xd4,0x78,0x83,0xac,0xc2,0x81,0x2f,0x95, + 0x83,0x06,0x89,0x0e,0xbe,0xa4,0x08,0xc9,0x2e,0xb4,0xf0,0x01,0xed,0x7d,0xbf,0x55, + 0xf3,0xa9,0xc8,0xd6,0xd9,0xf6,0x1e,0x5f,0xe3,0x2e,0xb3,0x25,0x3e,0x59,0xc1,0x8e, + 0x86,0x31,0x69,0x47,0x8c,0xd6,0x9b,0x91,0x55,0xc3,0x35,0xdb,0x66,0x01,0x6f,0x96), + .s = chunk_from_chars( + 0x0a,0xa5,0x72,0xa6,0x84,0x5b,0x87,0x0b,0x89,0x09,0xa6,0x83,0xbb,0x7e,0x6e,0x76, + 0x16,0xf7,0x7b,0xef,0xf2,0x87,0x46,0x11,0x6d,0x8b,0xc4,0xb7,0x33,0x55,0x46,0xb5, + 0x1e,0x80,0x06,0xed,0x0f,0xc9,0xa0,0xd6,0x6f,0x63,0xce,0x0b,0x9e,0xbf,0x79,0x2d, + 0x7e,0xfd,0x43,0x05,0xd7,0x62,0x4d,0x54,0x54,0x00,0xa5,0xfd,0x6a,0x06,0xb7,0x8f, + 0x17,0x4b,0x86,0x80,0x3f,0x7c,0xd1,0xcc,0x93,0xe3,0xa9,0x72,0x86,0xf0,0xea,0x59, + 0x0e,0x40,0xff,0x26,0x19,0x5a,0xa2,0x19,0xfe,0x15,0x10,0xa0,0x16,0x78,0x52,0x23, + 0x60,0x6d,0x93,0x11,0xa1,0x6c,0x59,0xa8,0xfe,0x4a,0x6d,0xa6,0xec,0xd0,0xc1,0xd7, + 0x77,0x50,0x39,0x29,0x0c,0x2a,0xaa,0x17,0xed,0x1e,0xb1,0xb5,0x43,0x74,0xf7,0xe5, + 0x72,0xdb,0x13,0xcc,0xa3,0xa6,0x38,0x57,0x5f,0x80,0x04,0xaa,0x54,0xa2,0xfa,0x98, + 0x42,0x2f,0xc0,0x7e,0x43,0xad,0x3a,0x20,0xdd,0x93,0x00,0x14,0x93,0x44,0x26,0x77, + 0xd8,0x83,0x91,0x4d,0xc7,0x4e,0xc1,0xcb,0xeb,0xbb,0xd3,0xd2,0xb6,0xba,0xd4,0x66, + 0x6d,0x91,0x45,0x7b,0x69,0xb4,0x6a,0x1a,0x61,0xf2,0x12,0x98,0xf1,0xa6,0x79,0x42, + 0xec,0x86,0xc8,0x76,0x32,0x2d,0xd3,0x66,0xed,0x16,0x78,0x14,0xe9,0xc8,0xfc,0x90, + 0x40,0xc5,0xb4,0xb7,0xa8,0x59,0xbb,0xd8,0x80,0xcb,0x6b,0xc2,0x41,0xb9,0xe3,0x27, + 0xce,0x77,0x9e,0x07,0x83,0xb1,0xcf,0x44,0x5e,0x0b,0x2f,0x57,0x71,0xb3,0xf5,0x82, + 0x2a,0x13,0x64,0x39,0x1c,0x15,0x4d,0xc5,0x06,0xff,0xf1,0xfb,0x9d,0x9a,0x35,0xf8, + 0x01,0x99,0xa6,0xb3,0x0b,0x4b,0x92,0xb9,0x26,0x19,0xa4,0x0e,0x21,0xae,0xa1,0x92, + 0x84,0x01,0x58,0x63,0xc4,0x48,0x66,0xc6,0x1e,0xd9,0x04,0xa7,0xad,0x19,0xee,0x04, + 0xd9,0x66,0xc0,0xaa,0xe3,0x90,0x63,0x62,0x43,0x56,0x55,0x81,0xff,0x20,0xbd,0x6e, + 0x3c,0xfb,0x6e,0x31,0xf5,0xaf,0xba,0x96,0x4b,0x31,0x1d,0xc2,0xd0,0x23,0xa2,0x19, + 0x98,0xc8,0xdd,0x50,0xca,0x45,0x36,0x99,0x19,0x0b,0xd4,0x67,0x42,0x9e,0x2f,0x88, + 0xac,0xe2,0x9c,0x4d,0x1d,0xa4,0xda,0x61,0xaa,0xc1,0xed,0xa2,0x38,0x02,0x30,0xaa, + 0x8d,0xbb,0x63,0xc7,0x5a,0x3c,0x1e,0xc0,0x4d,0xa3,0xa1,0xf8,0x80,0xc9,0xc7,0x47, + 0xac,0xdb,0x74,0xa8,0x39,0x5a,0xf5,0x8f,0x5f,0x04,0x40,0x15,0xcc,0xaf,0x6e,0x94), + }, + { /* Public Key e changed */ + .exp = FALSE, + .e = chunk_from_chars(0xa4,0x5b,0x6b), + .m = chunk_from_chars( + 0xa5,0x89,0xc8,0x78,0x8c,0x95,0x99,0x61,0xfe,0xf9,0x86,0x94,0xbb,0xfe,0xff,0xce, + 0x5d,0x69,0x07,0x18,0x99,0xad,0x96,0x9a,0xc2,0x5f,0x3c,0xb4,0x8e,0xea,0x08,0x4b, + 0x1d,0x84,0xa8,0x61,0x37,0x61,0xd1,0xe9,0xd6,0x26,0xe2,0xd9,0xe4,0xa0,0xc4,0x80, + 0x45,0xb6,0x14,0x1a,0x18,0x9c,0x84,0xa2,0x3a,0x4a,0x7e,0xe7,0x0c,0x2d,0x0b,0xe2, + 0x77,0x1c,0xf4,0x47,0x2d,0x8d,0x27,0x5a,0x31,0x09,0x5b,0x04,0x99,0xdd,0xf7,0x26, + 0x93,0x13,0x30,0x2d,0xa6,0xa0,0x72,0xe7,0x3a,0xdf,0x02,0x95,0x5b,0x3e,0xe1,0x41, + 0xba,0x38,0xf3,0x51,0xf4,0x83,0x60,0x5d,0x17,0x8a,0x3b,0x3e,0x63,0x1d,0x62,0x67, + 0x4d,0x67,0xa5,0x79,0xca,0x21,0x2a,0x11,0xc9,0x06,0x0f,0xe4,0x01,0x87,0x52,0x0f), + .s = chunk_from_chars( + 0x06,0x24,0x18,0x75,0x08,0x45,0xd3,0x29,0x1e,0x63,0x3e,0x47,0x40,0x64,0x80,0xe3, + 0x2f,0xa2,0x98,0x02,0x75,0xf2,0xe4,0xac,0x79,0xd2,0x84,0xad,0x83,0xed,0x11,0x19, + 0x0e,0x7b,0x85,0xbf,0xd6,0xed,0x9b,0xcf,0xf6,0x33,0x45,0x58,0x2f,0xcc,0xd8,0x8a, + 0x57,0x89,0x41,0xab,0xb9,0x87,0xd2,0xdc,0xb5,0x49,0xa0,0xac,0x2e,0xd5,0xfe,0x7c, + 0xe8,0x25,0x7b,0xb1,0xe6,0x28,0x81,0x55,0xff,0xf3,0xdc,0x9b,0xc1,0x14,0x0f,0x27, + 0x77,0xa8,0x45,0x75,0x98,0x63,0x60,0xd0,0x76,0x60,0x5e,0x65,0x5c,0x9d,0x73,0xf9, + 0xbf,0x01,0x0a,0x43,0x7e,0xb7,0xb2,0x80,0xd6,0x10,0x83,0x74,0xce,0x8d,0xa4,0xc7, + 0x02,0xf6,0x6a,0x9d,0x1d,0x01,0xb1,0x41,0xc6,0xa6,0x98,0x72,0x9d,0x0f,0xcd,0xb0, + 0x63,0x1b,0x21,0x57,0x8d,0xde,0xd7,0x21,0xef,0x5c,0x49,0x08,0x12,0x26,0x6c,0xf6, + 0xf0,0x12,0x70,0xa8,0xc6,0xc2,0xf0,0x84,0x66,0xc9,0xb3,0xc6,0x26,0xc0,0xf1,0xed, + 0xeb,0x5b,0x4f,0xb3,0x2e,0x95,0x8a,0x4a,0x38,0x8c,0x6c,0x6e,0x73,0xb5,0x3a,0x50, + 0x61,0x37,0x35,0x43,0x58,0xbd,0x00,0xbb,0xd2,0x05,0x8c,0x9c,0x12,0x79,0x04,0x10, + 0xa4,0x5f,0x43,0x48,0x75,0x48,0x44,0xb3,0x57,0xc4,0xe1,0x7f,0xb3,0x8c,0x8c,0xac, + 0x87,0xa6,0xbe,0x3c,0xd0,0x6a,0x08,0x94,0x3d,0xb0,0xe8,0xb8,0x67,0xd4,0x73,0xe7, + 0xd3,0x58,0x1e,0xd2,0xa3,0x2d,0x25,0xd7,0xb4,0x5e,0xec,0xf8,0xfe,0xa1,0x0d,0x0a, + 0xde,0x1c,0x88,0x85,0x91,0xc7,0x1f,0xc8,0x6a,0xbd,0x14,0x46,0xfa,0xdc,0xa2,0x88, + 0x1d,0xe8,0x7a,0x6d,0x05,0x56,0x6c,0x50,0x00,0xc1,0xe0,0x75,0xb0,0xc1,0xc5,0x48, + 0x1f,0xfb,0x6e,0x98,0x2a,0x3f,0x8f,0x44,0xfa,0x8a,0xd0,0xb6,0xa9,0x2f,0x1c,0xde, + 0xdd,0x9c,0x38,0xd3,0x26,0xa6,0xef,0xad,0x9d,0x03,0x59,0xa6,0x9a,0xf4,0x20,0x34, + 0xb7,0xa4,0xac,0x38,0x8f,0x9c,0x7d,0x35,0x6e,0xdf,0x4d,0x6e,0x45,0x50,0xad,0xde, + 0xcc,0x71,0x92,0x24,0x2b,0x3b,0x1f,0xc4,0x16,0x46,0x02,0x91,0x9d,0x34,0x11,0xed, + 0x43,0xe2,0xb3,0x94,0x86,0x7b,0xf8,0x40,0xea,0x61,0x75,0x0b,0xac,0x4f,0x1b,0x72, + 0xd2,0x8a,0xf3,0x5e,0xb0,0xb3,0xaa,0xf6,0xee,0xd6,0x54,0xd1,0xde,0x88,0x32,0x40, + 0xc0,0xe2,0x23,0x4e,0xa2,0xdd,0xf6,0xf8,0x93,0x4c,0xdc,0xac,0xea,0x80,0x2e,0x26), + }, + { /* Message changed */ + .exp = FALSE, + .e = chunk_from_chars(0x08,0xa6,0x49), + .m = chunk_from_chars( + 0x70,0xa4,0xa8,0x98,0x02,0x85,0x68,0x69,0x9c,0xcd,0x8a,0x53,0x28,0x8a,0x74,0x78, + 0x51,0x88,0x4d,0xb2,0x97,0x1a,0xb1,0x7a,0xa1,0x16,0xa9,0x09,0xd4,0x22,0xda,0xbc, + 0x24,0x2e,0xfc,0xbd,0x2a,0x42,0x8e,0xe0,0x77,0x7a,0xc8,0xcb,0x29,0x4f,0xd2,0x5a, + 0xbc,0x17,0x33,0x42,0x22,0xcf,0x8c,0xf4,0x15,0x19,0x86,0xc4,0xac,0x81,0x09,0x4a, + 0x2c,0x04,0xaf,0x08,0x21,0xd3,0x78,0x4e,0xae,0x54,0xbf,0x5b,0x22,0x6a,0x6c,0xc5, + 0xcb,0xf6,0x6c,0x1b,0x0f,0x9e,0x5e,0xc8,0xb8,0xcd,0x8f,0x3a,0x90,0xfa,0x29,0x44, + 0x2e,0x2e,0xa7,0xc1,0x0f,0xc0,0x8c,0x7b,0xe9,0x63,0x55,0x4b,0x3b,0x64,0xac,0x81, + 0x29,0x2c,0xde,0x85,0x87,0x0c,0x8f,0xbf,0x34,0x3a,0xad,0xb5,0xa9,0x16,0xa2,0x73), + .s = chunk_from_chars( + 0x07,0x88,0x43,0xb0,0x4c,0x98,0x55,0xe6,0x0b,0x09,0x65,0x97,0x0e,0x34,0x85,0xa8, + 0x51,0x70,0x33,0xef,0xb5,0x7b,0x77,0x31,0x50,0x48,0x3e,0x7d,0x79,0xa5,0x49,0xd2, + 0x17,0x15,0x9f,0xc1,0x94,0xc7,0x8d,0x1d,0x7e,0xb8,0x72,0xad,0xe2,0x31,0xd1,0xc9, + 0x5d,0xaf,0xcb,0x7d,0x52,0x92,0xd7,0xb1,0x13,0xa9,0x95,0x67,0xf4,0x92,0xcd,0x84, + 0x6f,0x88,0xcd,0xc1,0xd0,0x35,0xa0,0x4a,0xe6,0xa5,0xef,0x28,0xa8,0x67,0x33,0x87, + 0xa2,0x47,0x9c,0x3e,0x0c,0x5a,0x12,0x04,0xbf,0x13,0x60,0x2b,0x49,0x09,0x7f,0xd4, + 0xbe,0xc1,0x62,0x84,0x56,0x6c,0x36,0xe4,0x5e,0xa3,0x96,0x35,0x67,0xf3,0x6d,0xae, + 0xe1,0xee,0x86,0x69,0x71,0x37,0xcb,0x25,0x82,0x58,0xb5,0xc3,0x18,0x92,0x6f,0xed, + 0x50,0x5c,0xd6,0x78,0x4c,0xcc,0x95,0xde,0x4e,0xdc,0x20,0x34,0xe6,0x45,0x21,0x27, + 0x6f,0x90,0x55,0x82,0x44,0x79,0xb4,0xab,0xd5,0x1a,0x73,0x15,0xe8,0x1e,0x20,0x4d, + 0xc0,0x0f,0x4b,0x07,0x7f,0x26,0xea,0x0a,0x72,0x56,0xbc,0xfb,0x0e,0xdf,0x88,0x62, + 0x4c,0x4e,0x3a,0x05,0x99,0x14,0xb7,0x5d,0xdf,0xcf,0x94,0x5c,0x56,0x20,0xeb,0x6b, + 0x06,0xb3,0x01,0x1e,0x4b,0xab,0xc2,0x68,0x57,0xbd,0xd9,0xbb,0x06,0x5d,0xfd,0xe5, + 0x15,0xc3,0x7e,0xaa,0x6a,0xd8,0x35,0x90,0x53,0x75,0x66,0x68,0x0a,0xd1,0xd7,0x76, + 0x06,0x78,0x27,0x28,0x8c,0x80,0x49,0x7b,0x76,0xc4,0x89,0xcb,0x39,0x76,0x2d,0xc1, + 0x99,0x7f,0xaa,0x41,0x08,0x6b,0x1e,0x37,0x7d,0x3c,0x9c,0xb2,0x9e,0x45,0x99,0xde, + 0xa3,0xb1,0x23,0xd8,0x50,0x46,0x3e,0xd2,0x00,0x87,0xfa,0x74,0x4a,0x54,0x81,0xa4, + 0x53,0x7a,0x62,0x52,0xae,0xa0,0xbc,0x18,0xb2,0xbc,0x96,0x2d,0xeb,0x58,0x9a,0xe5, + 0x3a,0x88,0x23,0x9e,0xac,0x7e,0x79,0x06,0xf4,0xb1,0x6e,0x68,0xc0,0xe7,0xde,0x24, + 0x78,0xc4,0xe4,0xda,0x86,0x90,0x08,0xa6,0x54,0x55,0xc6,0x91,0x54,0x7b,0x16,0xa9, + 0xd9,0x64,0xfe,0x0f,0xaa,0xac,0x4a,0xbb,0x22,0x30,0x9e,0x07,0x53,0x40,0x8e,0x22, + 0xa8,0x66,0x8c,0x0e,0x96,0x68,0x1f,0x0f,0xed,0xf3,0xad,0xeb,0xd7,0xc3,0xc6,0xea, + 0x0b,0x45,0x2e,0x07,0xa6,0xd9,0x4d,0x94,0x37,0xe8,0xb0,0x3e,0x7b,0x26,0x20,0x3a, + 0xff,0x7c,0x17,0x06,0xb5,0x8a,0x20,0x56,0x86,0x42,0xa8,0x71,0x9b,0x98,0x38,0xf0), + }, + }, +}, +}; + +START_TEST(test_verify_pss) +{ + public_key_t *pubkey; + bool result; + int i; + + if (!lib->plugins->has_feature(lib->plugins, + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PSS))) + { + warn("%N not supported, skip test", signature_scheme_names, + SIGN_RSA_EMSA_PSS); + return; + } + for (i = 0; i < countof(pss_verify[_i].tests); i++) + { + pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, + BUILD_RSA_MODULUS, pss_verify[_i].n, + BUILD_RSA_PUB_EXP, pss_verify[_i].tests[i].e, + BUILD_END); + ck_assert(pubkey != NULL); + result = pubkey->verify(pubkey, SIGN_RSA_EMSA_PSS, + &pss_verify[_i].params, + pss_verify[_i].tests[i].m, + pss_verify[_i].tests[i].s); + fail_unless(result == pss_verify[_i].tests[i].exp, + "verify %N [%d]", signature_scheme_names, + SIGN_RSA_EMSA_PSS, i); + pubkey->destroy(pubkey); + } +} +END_TEST + Suite *rsa_suite_create() { Suite *s; @@ -395,5 +5188,23 @@ Suite *rsa_suite_create() tcase_add_loop_test(tc, test_load, 0, countof(keys)); suite_add_tcase(s, tc); + tc = tcase_create("sign"); + tcase_add_checked_fixture(tc, setup_keys, teardown_keys); + tcase_add_loop_test(tc, test_sign_pkcs15_2048, 0, countof(pkcs15_2048)); + tcase_add_loop_test(tc, test_sign_pkcs15_3072, 0, countof(pkcs15_3072)); + suite_add_tcase(s, tc); + + tc = tcase_create("sign pss"); + tcase_add_checked_fixture(tc, setup_keys_pss, teardown_keys_pss); + tcase_add_loop_test(tc, test_sign_pss_2048, 0, countof(pss_sign_2048)); + tcase_add_loop_test(tc, test_sign_pss_3072, 0, countof(pss_sign_3072)); + tcase_add_loop_test(tc, test_sign_pss_no_salt, 0, countof(pss_sign_ns)); + suite_add_tcase(s, tc); + + tc = tcase_create("verify"); + tcase_add_loop_test(tc, test_verify_pkcs15, 0, countof(pkcs15_verify)); + tcase_add_loop_test(tc, test_verify_pss, 0, countof(pss_verify)); + suite_add_tcase(s, tc); + return s; } diff --git a/src/libstrongswan/tests/suites/test_signature_params.c b/src/libstrongswan/tests/suites/test_signature_params.c new file mode 100644 index 000000000..38cb5803f --- /dev/null +++ b/src/libstrongswan/tests/suites/test_signature_params.c @@ -0,0 +1,461 @@ +/* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include <asn1/oid.h> +#include <asn1/asn1.h> +#include <credentials/keys/signature_params.h> + +static struct { + chunk_t aid; + rsa_pss_params_t params; +} rsa_pss_parse_tests[] = { + /* from RFC 7427, no parameters (empty sequence) */ + { chunk_from_chars(0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x00), + { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, }}, + /* from RFC 7427, default parameters (SHA-1), would actually not be sent + * like this, as corrected in errata */ + { chunk_from_chars(0x30,0x3e,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x31,0xa0, + 0x0b,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0xa1,0x18,0x30,0x16, + 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30,0x09,0x06,0x05,0x2b, + 0x0e,0x03,0x02,0x1a,0x05,0x00,0xa2,0x03,0x02,0x01,0x14,0xa3,0x03,0x02,0x01,0x01), + { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, }}, + /* from RFC 7427, SHA-256 */ + { chunk_from_chars(0x30,0x46,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x39,0xa0, + 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30, + 0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0xa2,0x03, + 0x02,0x01,0x20,0xa3,0x03,0x02,0x01,0x01), + { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}, + /* from RFC 7427, SHA-256 (errata, without trailer, with len corrections) */ + { chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0, + 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30, + 0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0xa2,0x03, + 0x02,0x01,0x20), + { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}, + /* SHA-512 */ + { chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0, + 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30, + 0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,0xa2,0x03, + 0x02,0x01,0x40), + { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, .salt_len = HASH_SIZE_SHA512, }}, + /* SHA-256, no salt */ + { chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0, + 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30, + 0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0xa2,0x03, + 0x02,0x01,0x00), + { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = 0, }}, + /* only hash specified */ + { chunk_from_chars(0x30,0x1e,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x11, + 0xa0,0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01, + 0x05,0x00), + { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, }}, + /* only mgf specified */ + { chunk_from_chars(0x30,0x2b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x1e, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08, + 0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00), + { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA1, }}, + /* only salt specified */ + { chunk_from_chars(0x30,0x12,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x05,0xa2, + 0x03,0x02,0x01,0x20), + { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA256, }}, +}; + +START_TEST(test_rsa_pss_params_parse) +{ + rsa_pss_params_t parsed; + chunk_t params; + int oid; + + oid = asn1_parse_algorithmIdentifier(rsa_pss_parse_tests[_i].aid, 0, ¶ms); + ck_assert_int_eq(OID_RSASSA_PSS, oid); + ck_assert(rsa_pss_params_parse(params, 1, &parsed)); + ck_assert_int_eq(rsa_pss_parse_tests[_i].params.hash, parsed.hash); + ck_assert_int_eq(rsa_pss_parse_tests[_i].params.mgf1_hash, parsed.mgf1_hash); + ck_assert_int_eq(rsa_pss_parse_tests[_i].params.salt_len, parsed.salt_len); +} +END_TEST + +chunk_t rsa_pss_parse_invalid_tests[] = { + /* unknown hash */ + chunk_from_chars(0x30,0x1e,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x11, + 0xa0,0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x00, + 0x05,0x00), + /* unknown mgf */ + chunk_from_chars(0x30,0x2b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x1e, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x00, + 0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00), + /* unknown mgf-1 hash */ + chunk_from_chars(0x30,0x2b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x1e, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08, + 0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x00,0x05,0x00), + /* incorrect trailer */ + chunk_from_chars(0x30,0x12,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x05, + 0xa3,0x03,0x02,0x01,0x02), + /* too long trailer */ + chunk_from_chars(0x30,0x13,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x06, + 0xa3,0x04,0x02,0x02,0x01,0x01), +}; + +START_TEST(test_rsa_pss_params_parse_invalid) +{ + rsa_pss_params_t parsed; + chunk_t params; + int oid; + + oid = asn1_parse_algorithmIdentifier(rsa_pss_parse_invalid_tests[_i], 0, ¶ms); + ck_assert_int_eq(OID_RSASSA_PSS, oid); + ck_assert(!rsa_pss_params_parse(params, 1, &parsed)); +} +END_TEST + +static struct { + chunk_t aid; + rsa_pss_params_t params; +} rsa_pss_build_tests[] = { + /* default parameters -> empty sequence */ + { chunk_from_chars(0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x00), + { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, }}, + /* SHA-256 */ + { chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0, + 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30, + 0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0xa2,0x03, + 0x02,0x01,0x20), + { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }}, + /* default salt length: SHA-1 */ + { chunk_from_chars(0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x00), + { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }}, + /* default salt length: SHA-224 */ + { chunk_from_chars(0x30,0x23,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x16,0xa0, + 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,0x05,0x00, + 0xa2,0x03,0x02,0x01,0x1c), + { .hash = HASH_SHA224, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }}, + /* default salt length: SHA-384 */ + { chunk_from_chars(0x30,0x23,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x16,0xa0, + 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,0x05,0x00, + 0xa2,0x03,0x02,0x01,0x30), + { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }}, + /* SHA-512 */ + { chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0, + 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30, + 0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,0xa2,0x03, + 0x02,0x01,0x40), + { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }}, + /* SHA-256, no salt */ + { chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0, + 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30, + 0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0xa2,0x03, + 0x02,0x01,0x00), + { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = 0, }}, + /* SHA-256, rest default */ + { chunk_from_chars(0x30,0x1e,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x11, + 0xa0,0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01, + 0x05,0x00), + { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, }}, + /* MGF1-SHA-256, rest default */ + { chunk_from_chars(0x30,0x2b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x1e, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08, + 0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00), + { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA1, }}, + /* only salt specified */ + { chunk_from_chars(0x30,0x12,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x05,0xa2, + 0x03,0x02,0x01,0x20), + { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA256, }}, +}; + +START_TEST(test_rsa_pss_params_build) +{ + chunk_t params, aid; + + ck_assert(rsa_pss_params_build(&rsa_pss_build_tests[_i].params, ¶ms)); + aid = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_RSASSA_PSS), + params); + ck_assert_chunk_eq(rsa_pss_build_tests[_i].aid, aid); + chunk_free(&aid); +} +END_TEST + +rsa_pss_params_t rsa_pss_build_invalid_tests[] = { + /* unknown hash */ + { .hash = HASH_UNKNOWN, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, }, + /* invalid mgf */ + { .hash = HASH_SHA256, .mgf1_hash = HASH_UNKNOWN, .salt_len = HASH_SIZE_SHA256, }, +}; + +START_TEST(test_rsa_pss_params_build_invalid) +{ + chunk_t params; + + ck_assert(!rsa_pss_params_build(&rsa_pss_build_invalid_tests[_i], ¶ms)); +} +END_TEST + +static rsa_pss_params_t rsa_pss_params_sha1 = { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, }; +static rsa_pss_params_t rsa_pss_params_sha256 = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }; +static rsa_pss_params_t rsa_pss_params_sha256_mgf1 = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA512, .salt_len = HASH_SIZE_SHA256, }; +static rsa_pss_params_t rsa_pss_params_sha256_salt = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = 10, }; + +static struct { + bool equal; + bool complies; + signature_params_t a; + signature_params_t b; +} params_compare_tests[] = { + { TRUE, TRUE, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, }, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, }, }, + { FALSE, FALSE, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA1, }, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, }, }, + { TRUE, TRUE, { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256 }, + { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256 }, }, + { FALSE, FALSE, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, .params = &rsa_pss_params_sha256 }, + { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, .params = &rsa_pss_params_sha256 }, }, + { FALSE, FALSE, { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256 }, + { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256_mgf1 }, }, + { FALSE, TRUE, { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256 }, + { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256_salt }, }, + { FALSE, FALSE, { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha1 }, + { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256 }, }, + { FALSE, FALSE, { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256 }, + { .scheme = SIGN_RSA_EMSA_PSS, }, }, +}; + +START_TEST(test_params_compare) +{ + bool res; + + res = signature_params_equal(¶ms_compare_tests[_i].a, + ¶ms_compare_tests[_i].b); + ck_assert(res == params_compare_tests[_i].equal); + res = signature_params_comply(¶ms_compare_tests[_i].a, + ¶ms_compare_tests[_i].b); + ck_assert(res == params_compare_tests[_i].complies); + res = signature_params_comply(¶ms_compare_tests[_i].b, + ¶ms_compare_tests[_i].a); + ck_assert(res == params_compare_tests[_i].complies); +} +END_TEST + +START_TEST(test_params_compare_null) +{ + ck_assert(signature_params_equal(NULL, NULL)); + ck_assert(!signature_params_equal(¶ms_compare_tests[0].a, NULL)); + ck_assert(!signature_params_equal(NULL, ¶ms_compare_tests[0].a)); +} +END_TEST + +static struct { + signature_params_t src; + signature_params_t res; +} params_clone_tests[] = { + { { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, }, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, }, }, + { { .scheme = SIGN_RSA_EMSA_PSS }, { .scheme = SIGN_RSA_EMSA_PSS }, }, + { { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256 }, + { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256 }, }, + { { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256_salt }, + { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256_salt }, }, + { { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, .params = &rsa_pss_params_sha256 }, + { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 }, }, +}; + +START_TEST(test_params_clone) +{ + signature_params_t *clone = NULL; + + clone = signature_params_clone(¶ms_clone_tests[_i].src); + ck_assert(signature_params_equal(clone, ¶ms_clone_tests[_i].res)); + signature_params_destroy(clone); +} +END_TEST + +START_TEST(test_params_clone_null) +{ + signature_params_t *clone = NULL; + + clone = signature_params_clone(clone); + ck_assert(!clone); + signature_params_destroy(clone); +} +END_TEST + +START_TEST(test_params_clear) +{ + signature_params_t *clone; + + clone = signature_params_clone(¶ms_clone_tests[_i].src); + signature_params_clear(clone); + ck_assert_int_eq(clone->scheme, SIGN_UNKNOWN); + ck_assert(!clone->params); + free(clone); +} +END_TEST + +START_TEST(test_params_clear_null) +{ + signature_params_t *clone = NULL; + + signature_params_clear(clone); +} +END_TEST + +START_TEST(test_params_parse_rsa_pss) +{ + signature_params_t parsed, res = { .scheme = SIGN_RSA_EMSA_PSS, }; + + ck_assert(signature_params_parse(rsa_pss_parse_tests[_i].aid, 0, &parsed)); + res.params = &rsa_pss_parse_tests[_i].params; + ck_assert(signature_params_equal(&parsed, &res)); + signature_params_clear(&parsed); +} +END_TEST + +START_TEST(test_params_parse_rsa_pss_invalid) +{ + signature_params_t parsed; + + ck_assert(!signature_params_parse(rsa_pss_parse_invalid_tests[_i], 0, &parsed)); +} +END_TEST + +static struct { + bool valid; + chunk_t aid; + signature_params_t params; +} params_parse_tests[] = { + { TRUE, chunk_from_chars(0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00), + { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, }}, + { TRUE, chunk_from_chars(0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x02), + { .scheme = SIGN_ECDSA_WITH_SHA256_DER, }}, + { FALSE, chunk_from_chars(0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0xff), }, +}; + +START_TEST(test_params_parse_other) +{ + signature_params_t parsed; + + if (params_parse_tests[_i].valid) + { + ck_assert(signature_params_parse(params_parse_tests[_i].aid, 0, &parsed)); + ck_assert(signature_params_equal(&parsed, ¶ms_parse_tests[_i].params)); + signature_params_clear(&parsed); + } + else + { + ck_assert(!signature_params_parse(params_parse_tests[_i].aid, 0, &parsed)); + } +} +END_TEST + +START_TEST(test_params_build_rsa_pss) +{ + signature_params_t scheme = { .scheme = SIGN_RSA_EMSA_PSS, }; + chunk_t aid; + + scheme.params = &rsa_pss_build_tests[_i].params; + ck_assert(signature_params_build(&scheme, &aid)); + ck_assert_chunk_eq(rsa_pss_build_tests[_i].aid, aid); + chunk_free(&aid); +} +END_TEST + +START_TEST(test_params_build_rsa_pss_invalid) +{ + signature_params_t scheme = { .scheme = SIGN_RSA_EMSA_PSS, }; + chunk_t aid; + + scheme.params = &rsa_pss_build_invalid_tests[_i]; + ck_assert(!signature_params_build(&scheme, &aid)); +} +END_TEST + +static struct { + bool valid; + signature_params_t params; + chunk_t aid; +} params_build_tests[] = { + { TRUE, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, }, + chunk_from_chars(0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00), }, + { TRUE, { .scheme = SIGN_ECDSA_WITH_SHA256_DER, }, + chunk_from_chars(0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x02), }, + { FALSE, { .scheme = SIGN_UNKNOWN, }, }, +}; + +START_TEST(test_params_build_other) +{ + chunk_t aid; + + if (params_build_tests[_i].valid) + { + ck_assert(signature_params_build(¶ms_build_tests[_i].params, &aid)); + ck_assert_chunk_eq(params_build_tests[_i].aid, aid); + chunk_free(&aid); + } + else + { + ck_assert(!signature_params_build(¶ms_build_tests[_i].params, &aid)); + } +} +END_TEST + +Suite *signature_params_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("signature params"); + + tc = tcase_create("rsa/pss parse"); + tcase_add_loop_test(tc, test_rsa_pss_params_parse, 0, countof(rsa_pss_parse_tests)); + tcase_add_loop_test(tc, test_rsa_pss_params_parse_invalid, 0, countof(rsa_pss_parse_invalid_tests)); + suite_add_tcase(s, tc); + + tc = tcase_create("rsa/pss build"); + tcase_add_loop_test(tc, test_rsa_pss_params_build, 0, countof(rsa_pss_build_tests)); + tcase_add_loop_test(tc, test_rsa_pss_params_build_invalid, 0, countof(rsa_pss_build_invalid_tests)); + suite_add_tcase(s, tc); + + tc = tcase_create("params compare"); + tcase_add_loop_test(tc, test_params_compare, 0, countof(params_compare_tests)); + tcase_add_test(tc, test_params_compare_null); + suite_add_tcase(s, tc); + + tc = tcase_create("params clone"); + tcase_add_loop_test(tc, test_params_clone, 0, countof(params_clone_tests)); + tcase_add_test(tc, test_params_clone_null); + suite_add_tcase(s, tc); + + tc = tcase_create("params clear"); + tcase_add_loop_test(tc, test_params_clear, 0, countof(params_clone_tests)); + tcase_add_test(tc, test_params_clear_null); + suite_add_tcase(s, tc); + + tc = tcase_create("parse"); + tcase_add_loop_test(tc, test_params_parse_rsa_pss, 0, countof(rsa_pss_parse_tests)); + tcase_add_loop_test(tc, test_params_parse_rsa_pss_invalid, 0, countof(rsa_pss_parse_invalid_tests)); + tcase_add_loop_test(tc, test_params_parse_other, 0, countof(params_parse_tests)); + suite_add_tcase(s, tc); + + tc = tcase_create("build"); + tcase_add_loop_test(tc, test_params_build_rsa_pss, 0, countof(rsa_pss_build_tests)); + tcase_add_loop_test(tc, test_params_build_rsa_pss_invalid, 0, countof(rsa_pss_build_invalid_tests)); + tcase_add_loop_test(tc, test_params_build_other, 0, countof(params_build_tests)); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libstrongswan/tests/suites/test_traffic_selector.c b/src/libstrongswan/tests/suites/test_traffic_selector.c index a5f30d251..93361f9bf 100644 --- a/src/libstrongswan/tests/suites/test_traffic_selector.c +++ b/src/libstrongswan/tests/suites/test_traffic_selector.c @@ -25,6 +25,11 @@ static void verify(const char *str, const char *alt, traffic_selector_t *ts) { char buf[512]; + if (!str) + { + ck_assert_msg(!ts, "traffic selector not null: %R", ts); + return; + } snprintf(buf, sizeof(buf), "%R", ts); DESTROY_IF(ts); if (!streq(buf, str) && (!alt || !streq(buf, alt))) @@ -48,12 +53,14 @@ START_TEST(test_create_from_string) verify("fec1::1..fec1::ffff:ffff:ffff:ffff", NULL, traffic_selector_create_from_string(0, TS_IPV6_ADDR_RANGE, "fec1::1", 0, "fec1::ffff:ffff:ffff:ffff", 65535)); - - ck_assert(!traffic_selector_create_from_string(IPPROTO_TCP, 0, + verify(NULL, NULL, + traffic_selector_create_from_string(IPPROTO_TCP, 0, "10.1.0.0", 80, "10.1.255.255", 80)); - ck_assert(!traffic_selector_create_from_string(IPPROTO_TCP, TS_IPV4_ADDR_RANGE, + verify(NULL, NULL, + traffic_selector_create_from_string(IPPROTO_TCP, TS_IPV4_ADDR_RANGE, "a.b.c.d", 80, "10.1.255.255", 80)); - ck_assert(!traffic_selector_create_from_string(IPPROTO_TCP, TS_IPV4_ADDR_RANGE, + verify(NULL, NULL, + traffic_selector_create_from_string(IPPROTO_TCP, TS_IPV4_ADDR_RANGE, "10.1.0.0", 80, "a.b.c.d", 80)); } END_TEST @@ -62,13 +69,17 @@ START_TEST(test_create_from_cidr) { verify("10.1.0.0/16", NULL, traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535)); + verify("10.1.0.1/32[udp]", "10.1.0.1/32[17]", + traffic_selector_create_from_cidr("10.1.0.1/32", IPPROTO_UDP, + 0, 65535)); verify("10.1.0.1/32[udp/1234-1235]", "10.1.0.1/32[17/1234-1235]", traffic_selector_create_from_cidr("10.1.0.1/32", IPPROTO_UDP, 1234, 1235)); verify("10.1.0.0/16[OPAQUE]", NULL, traffic_selector_create_from_cidr("10.1.0.0/16", 0, 65535, 0)); - ck_assert(!traffic_selector_create_from_cidr("a.b.c.d/16", 0, 0, 65535)); + verify(NULL, NULL, + traffic_selector_create_from_cidr("a.b.c.d/16", 0, 0, 65535)); } END_TEST @@ -78,14 +89,20 @@ START_TEST(test_create_from_bytes) traffic_selector_create_from_bytes(0, TS_IPV4_ADDR_RANGE, chunk_from_chars(0x0a,0x01,0x00,0x00), 0, chunk_from_chars(0x0a,0x01,0xff,0xff), 65535)); - - ck_assert(!traffic_selector_create_from_bytes(0, TS_IPV4_ADDR_RANGE, + verify(NULL, NULL, + traffic_selector_create_from_bytes(0, TS_IPV4_ADDR_RANGE, + chunk_from_chars(0x0a,0x01,0x00,0x00), 0, + chunk_from_chars(0x0a,0x01,0xff,0xff,0xff), 65535)); + verify(NULL, NULL, + traffic_selector_create_from_bytes(0, TS_IPV4_ADDR_RANGE, chunk_empty, 0, chunk_empty, 65535)); - ck_assert(!traffic_selector_create_from_bytes(0, TS_IPV6_ADDR_RANGE, + verify(NULL, NULL, + traffic_selector_create_from_bytes(0, TS_IPV6_ADDR_RANGE, chunk_from_chars(0x0a,0x01,0x00,0x00), 0, chunk_from_chars(0x0a,0x01,0xff,0xff), 65535)); - ck_assert(!traffic_selector_create_from_bytes(0, 0, + verify(NULL, NULL, + traffic_selector_create_from_bytes(0, 0, chunk_from_chars(0x0a,0x01,0x00,0x00), 0, chunk_from_chars(0x0a,0x01,0xff,0xff), 65535)); } @@ -117,6 +134,7 @@ struct { { "128.0.0.0/4", TS_IPV4_ADDR_RANGE, chunk_from_chars(0x04,0x80), }, { "172.16.0.0/12", TS_IPV4_ADDR_RANGE, chunk_from_chars(0x04,0xac,0x10), }, { "0.0.0.0/0", TS_IPV4_ADDR_RANGE, chunk_from_chars(0x00), }, + { NULL, 0, chunk_from_chars(0x00), }, /* FIXME: not a correct encoding, so we might want to fail here */ { "0.0.0.0/0", TS_IPV4_ADDR_RANGE, {NULL, 0}, }, { "2001:0:2::/48", TS_IPV6_ADDR_RANGE, chunk_from_chars(0x00,0x20,0x01,0x00,0x00,0x00,0x02),}, @@ -411,6 +429,7 @@ struct { { "0.0.0.0/0", "fec2::1", FALSE }, { "::/0", "1.2.3.4", FALSE }, { "10.0.0.0/16", "10.1.0.0", FALSE }, + { "10.1.0.0/16", "10.0.255.255", FALSE }, { "fec2::/64", "fec2:0:0:1::afaf", FALSE }, }; @@ -469,6 +488,7 @@ struct { } is_host_tests[] = { { "0.0.0.0/0", "192.168.1.2", FALSE, FALSE }, { "::/0", "fec2::1", FALSE, FALSE }, + { "192.168.1.0/24", "192.168.1.0", FALSE, FALSE }, { "192.168.1.2/32", "192.168.1.2", TRUE, TRUE }, { "192.168.1.2/32", "192.168.1.1", FALSE, TRUE }, { "192.168.1.2/32", "fec2::1", FALSE, TRUE }, diff --git a/src/libstrongswan/tests/suites/test_utils.c b/src/libstrongswan/tests/suites/test_utils.c index de7b470d2..353010aaf 100644 --- a/src/libstrongswan/tests/suites/test_utils.c +++ b/src/libstrongswan/tests/suites/test_utils.c @@ -115,6 +115,54 @@ START_TEST(test_timeval_add_ms) END_TEST /******************************************************************************* + * timespan_from_string + */ + +static struct { + char *s; + char *u; + bool v; + time_t t; +} ts_data[] = { + {NULL, NULL, FALSE, 0}, + {"", NULL, FALSE, 0}, + {"a", NULL, FALSE, 0}, + {"0", NULL, TRUE, 0}, + {"5", NULL, TRUE, 5}, + {"5s", NULL, TRUE, 5}, + {"5m", NULL, TRUE, 300}, + {"5ms", NULL, TRUE, 300}, + {"5h", NULL, TRUE, 18000}, + {"5d", NULL, TRUE, 432000}, + {"5x", NULL, FALSE, 0}, + {"5", "", TRUE, 5}, + {"5", "m", TRUE, 300}, + {"5", "ms", TRUE, 300}, + {"5", "x", FALSE, 0}, + {"5x", "m", FALSE, 0}, + {"18446744073709551616", NULL, FALSE, 0}, +}; + +START_TEST(test_timespan_from_string) +{ + time_t val = 42; + + ck_assert(timespan_from_string(ts_data[_i].s, ts_data[_i].u, + NULL) == ts_data[_i].v); + ck_assert(timespan_from_string(ts_data[_i].s, ts_data[_i].u, + &val) == ts_data[_i].v); + if (ts_data[_i].v) + { + ck_assert_int_eq(val, ts_data[_i].t); + } + else + { + ck_assert_int_eq(val, 42); + } +} +END_TEST + +/******************************************************************************* * htoun/untoh */ @@ -856,15 +904,20 @@ END_TEST static struct { key_type_t type; int size; - signature_scheme_t expected[4]; + signature_scheme_t expected[7]; } scheme_data[] = { - {KEY_RSA, 1024, { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PKCS1_SHA2_384, - SIGN_RSA_EMSA_PKCS1_SHA2_512, SIGN_UNKNOWN }}, - {KEY_RSA, 2048, { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PKCS1_SHA2_384, - SIGN_RSA_EMSA_PKCS1_SHA2_512, SIGN_UNKNOWN }}, - {KEY_RSA, 4096, { SIGN_RSA_EMSA_PKCS1_SHA2_384, SIGN_RSA_EMSA_PKCS1_SHA2_512, + {KEY_RSA, 1024, { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PSS, + SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, + SIGN_RSA_EMSA_PKCS1_SHA2_384, SIGN_RSA_EMSA_PKCS1_SHA2_512, + SIGN_UNKNOWN }}, + {KEY_RSA, 2048, { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PSS, + SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, + SIGN_RSA_EMSA_PKCS1_SHA2_384, SIGN_RSA_EMSA_PKCS1_SHA2_512, + SIGN_UNKNOWN }}, + {KEY_RSA, 4096, { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PSS, + SIGN_RSA_EMSA_PKCS1_SHA2_384, SIGN_RSA_EMSA_PKCS1_SHA2_512, SIGN_UNKNOWN }}, - {KEY_RSA, 8192, { SIGN_RSA_EMSA_PKCS1_SHA2_512, SIGN_UNKNOWN }}, + {KEY_RSA, 8192, { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_512, SIGN_UNKNOWN }}, {KEY_ECDSA, 256, { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }}, {KEY_ECDSA, 384, { SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, @@ -880,16 +933,16 @@ static struct { START_TEST(test_signature_schemes_for_key) { enumerator_t *enumerator; - signature_scheme_t scheme; + signature_params_t *params; int i; enumerator = signature_schemes_for_key(scheme_data[_i].type, scheme_data[_i].size); for (i = 0; scheme_data[_i].expected[i] != SIGN_UNKNOWN; i++) { - ck_assert(enumerator->enumerate(enumerator, &scheme)); - ck_assert_int_eq(scheme_data[_i].expected[i], scheme); + ck_assert(enumerator->enumerate(enumerator, ¶ms)); + ck_assert_int_eq(scheme_data[_i].expected[i], params->scheme); } - ck_assert(!enumerator->enumerate(enumerator, &scheme)); + ck_assert(!enumerator->enumerate(enumerator, ¶ms)); enumerator->destroy(enumerator); } END_TEST @@ -921,6 +974,10 @@ Suite *utils_suite_create() tcase_add_test(tc, test_timeval_add_ms); suite_add_tcase(s, tc); + tc = tcase_create("timespan_from_string"); + tcase_add_loop_test(tc, test_timespan_from_string, 0, countof(ts_data)); + suite_add_tcase(s, tc); + tc = tcase_create("htoun,untoh"); tcase_add_test(tc, test_htoun); tcase_add_test(tc, test_untoh); diff --git a/src/libstrongswan/tests/test_runner.c b/src/libstrongswan/tests/test_runner.c index ed77b3c86..b9a0fe6d6 100644 --- a/src/libstrongswan/tests/test_runner.c +++ b/src/libstrongswan/tests/test_runner.c @@ -386,9 +386,28 @@ static void collect_failure_info(array_t *failures, char *name, int i) } /** + * Collect warning information, add failure_t to array + */ +static bool collect_warning_info(array_t *warnings, char *name, int i) +{ + failure_t warning = { + .name = name, + .i = i, + }; + + warning.line = test_warning_get(warning.msg, sizeof(warning.msg), + &warning.file); + if (warning.line) + { + array_insert(warnings, -1, &warning); + } + return warning.line; +} + +/** * Print array of collected failure_t to stderr */ -static void print_failures(array_t *failures) +static void print_failures(array_t *failures, bool warnings) { failure_t failure; @@ -397,8 +416,16 @@ static void print_failures(array_t *failures) while (array_remove(failures, 0, &failure)) { - fprintf(stderr, " %sFailure in '%s': %s (", - TTY(RED), failure.name, failure.msg); + if (warnings) + { + fprintf(stderr, " %sWarning in '%s': %s (", + TTY(YELLOW), failure.name, failure.msg); + } + else + { + fprintf(stderr, " %sFailure in '%s': %s (", + TTY(RED), failure.name, failure.msg); + } if (failure.line) { fprintf(stderr, "%s:%d, ", failure.file, failure.line); @@ -423,9 +450,10 @@ static bool run_case(test_case_t *tcase, test_runner_init_t init, char *cfg) enumerator_t *enumerator; test_function_t *tfun; int passed = 0; - array_t *failures; + array_t *failures, *warnings; failures = array_create(sizeof(failure_t), 0); + warnings = array_create(sizeof(failure_t), 0); fprintf(stderr, " Running case '%s': ", tcase->name); fflush(stderr); @@ -470,7 +498,14 @@ static bool run_case(test_case_t *tcase, test_runner_init_t init, char *cfg) if (!leaks) { rounds++; - fprintf(stderr, "%s+%s", TTY(GREEN), TTY(DEF)); + if (!collect_warning_info(warnings, tfun->name, i)) + { + fprintf(stderr, "%s+%s", TTY(GREEN), TTY(DEF)); + } + else + { + fprintf(stderr, "%s~%s", TTY(YELLOW), TTY(DEF)); + } } } else @@ -497,8 +532,10 @@ static bool run_case(test_case_t *tcase, test_runner_init_t init, char *cfg) fprintf(stderr, "\n"); - print_failures(failures); + print_failures(warnings, TRUE); + print_failures(failures, FALSE); array_destroy(failures); + array_destroy(warnings); return passed == array_count(tcase->functions); } diff --git a/src/libstrongswan/tests/test_suite.c b/src/libstrongswan/tests/test_suite.c index 8541cdaef..412d9fbf6 100644 --- a/src/libstrongswan/tests/test_suite.c +++ b/src/libstrongswan/tests/test_suite.c @@ -50,6 +50,21 @@ static backtrace_t *failure_backtrace; static bool worker_failed; /** + * Warning message buf + */ +static char warning_buf[4096]; + +/** + * Source file warning was issued + */ +static const char *warning_file; + +/** + * Line of source file warning was issued + */ +static int warning_line; + +/** * See header. */ test_suite_t* test_suite_create(const char *name) @@ -419,6 +434,21 @@ void test_fail_vmsg(const char *file, int line, char *fmt, va_list args) test_failure(); } + +/** + * See header. + */ +void test_warn_msg(const char *file, int line, char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + vsnprintf(warning_buf, sizeof(warning_buf), fmt, args); + warning_line = line; + warning_file = file; + va_end(args); +} + /** * See header. */ @@ -449,6 +479,25 @@ int test_failure_get(char *msg, int len, const char **file) /** * See header. */ +int test_warning_get(char *msg, int len, const char **file) +{ + int line = warning_line; + + if (!line) + { + return 0; + } + strncpy(msg, warning_buf, len - 1); + msg[len - 1] = 0; + *file = warning_file; + /* reset state */ + warning_line = 0; + return line; +} + +/** + * See header. + */ backtrace_t *test_failure_backtrace() { backtrace_t *bt; diff --git a/src/libstrongswan/tests/test_suite.h b/src/libstrongswan/tests/test_suite.h index 97c1b42c1..9b9fcad85 100644 --- a/src/libstrongswan/tests/test_suite.h +++ b/src/libstrongswan/tests/test_suite.h @@ -220,6 +220,17 @@ void test_setup_timeout(int s); int test_failure_get(char *msg, int len, const char **file); /** + * Get info about a warning if one was issued during the test. Resets the + * warning state. + * + * @param msg buffer receiving warning + * @param len size of msg buffer + * @param file pointer receiving source code file + * @return source code line number, 0 if no warning issued + */ +int test_warning_get(char *msg, int len, const char **file); + +/** * Get a backtrace for a failure. * * @return allocated backtrace of test failure, if any @@ -247,6 +258,18 @@ void test_fail_vmsg(const char *file, int line, char *fmt, va_list args); void test_fail_msg(const char *file, int line, char *fmt, ...); /** + * Issue a warning for a particular test with a message using printf style + * arguments. This does not fail the test, and only the last warning for each + * test is kept. + * + * @param file source code file name + * @param line source code line number + * @param fmt printf format string + * @param ... arguments for fmt + */ +void test_warn_msg(const char *file, int line, char *fmt, ...); + +/** * Let a test fail if one of the worker threads has failed (only if called from * the main thread). */ @@ -345,6 +368,7 @@ void test_fail_if_worker_failed(); #define ck_assert_msg test_assert_msg #define ck_assert_str_eq test_str_eq #define ck_assert_chunk_eq test_chunk_eq +#define warn(fmt, ...) test_warn_msg(__FILE__, __LINE__, fmt, ##__VA_ARGS__) #define fail(fmt, ...) test_fail_msg(__FILE__, __LINE__, fmt, ##__VA_ARGS__) #define fail_if(x, fmt, ...) \ ({ \ diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h index c19cac25a..525bdeb94 100644 --- a/src/libstrongswan/tests/tests.h +++ b/src/libstrongswan/tests/tests.h @@ -51,4 +51,5 @@ TEST_SUITE_DEPEND(mgf1_sha256_suite_create, XOF, XOF_MGF1_SHA256) TEST_SUITE_DEPEND(ntru_suite_create, DH, NTRU_112_BIT) TEST_SUITE_DEPEND(fetch_http_suite_create, FETCHER, "http://") TEST_SUITE_DEPEND(ed25519_suite_create, PRIVKEY_GEN, KEY_ED25519) +TEST_SUITE(signature_params_suite_create) diff --git a/src/libstrongswan/utils/debug.h b/src/libstrongswan/utils/debug.h index f1c8c70ab..3b554487c 100644 --- a/src/libstrongswan/utils/debug.h +++ b/src/libstrongswan/utils/debug.h @@ -24,9 +24,9 @@ typedef enum debug_t debug_t; typedef enum level_t level_t; -#include <stdio.h> - +#include <utils/printf_hook/printf_hook.h> #include <utils/utils.h> +#include <stdio.h> /** * Debug message group. diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 1a4769063..56298a60f 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -72,10 +72,13 @@ static const x501rdn_t x501rdns[] = { {"C", OID_COUNTRY, ASN1_PRINTABLESTRING}, {"L", OID_LOCALITY, ASN1_PRINTABLESTRING}, {"ST", OID_STATE_OR_PROVINCE, ASN1_PRINTABLESTRING}, + {"STREET", OID_STREET_ADDRESS, ASN1_PRINTABLESTRING}, {"O", OID_ORGANIZATION, ASN1_PRINTABLESTRING}, {"OU", OID_ORGANIZATION_UNIT, ASN1_PRINTABLESTRING}, {"T", OID_TITLE, ASN1_PRINTABLESTRING}, {"D", OID_DESCRIPTION, ASN1_PRINTABLESTRING}, + {"postalAddress", OID_POSTAL_ADDRESS, ASN1_PRINTABLESTRING}, + {"postalCode", OID_POSTAL_CODE, ASN1_PRINTABLESTRING}, {"N", OID_NAME, ASN1_PRINTABLESTRING}, {"G", OID_GIVEN_NAME, ASN1_PRINTABLESTRING}, {"I", OID_INITIALS, ASN1_PRINTABLESTRING}, diff --git a/src/libstrongswan/utils/utils.h b/src/libstrongswan/utils/utils.h index 33b8d1956..ec994bfc5 100644 --- a/src/libstrongswan/utils/utils.h +++ b/src/libstrongswan/utils/utils.h @@ -25,6 +25,7 @@ #define _GNU_SOURCE #include <sys/types.h> #include <stdlib.h> +#include <stdint.h> #include <stddef.h> #include <sys/time.h> #include <string.h> diff --git a/src/libstrongswan/utils/utils/time.c b/src/libstrongswan/utils/utils/time.c index 48e5151c0..d96c918da 100644 --- a/src/libstrongswan/utils/utils/time.c +++ b/src/libstrongswan/utils/utils/time.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -23,7 +23,9 @@ #include <utils/utils.h> #include <inttypes.h> +#include <ctype.h> #include <time.h> +#include <errno.h> /** * Return monotonic time @@ -77,8 +79,62 @@ time_t time_monotonic(timeval_t *tv) #endif /* !WIN32 */ } -/** - * Described in header. +/* + * Described in header + */ +bool timespan_from_string(char *str, char *defunit, time_t *val) +{ + char *endptr, unit; + time_t timeval; + + if (str) + { + errno = 0; + timeval = strtoull(str, &endptr, 10); + if (endptr == str) + { + return FALSE; + } + if (errno == 0) + { + while (isspace(*endptr)) + { + endptr++; + } + unit = *endptr; + if (!unit && defunit) + { + unit = *defunit; + } + switch (unit) + { + case 'd': /* time in days */ + timeval *= 24 * 3600; + break; + case 'h': /* time in hours */ + timeval *= 3600; + break; + case 'm': /* time in minutes */ + timeval *= 60; + break; + case 's': /* time in seconds */ + case '\0': + break; + default: + return FALSE; + } + if (val) + { + *val = timeval; + } + return TRUE; + } + } + return FALSE; +} + +/* + * Described in header */ int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, const void *const *args) @@ -112,8 +168,8 @@ int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, t.tm_sec, utc ? " UTC " : " ", t.tm_year + 1900); } -/** - * Described in header. +/* + * Described in header */ int time_delta_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, const void *const *args) diff --git a/src/libstrongswan/utils/utils/time.h b/src/libstrongswan/utils/utils/time.h index 2626d9a33..2e210fbef 100644 --- a/src/libstrongswan/utils/utils/time.h +++ b/src/libstrongswan/utils/utils/time.h @@ -1,7 +1,7 @@ /* - * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -71,6 +71,18 @@ static inline void timeval_add_ms(timeval_t *tv, u_int ms) } /** + * Parse the given string as time span and return the number of seconds, + * optionally with a default unit ('s' for seconds, 'm' for minutes, 'h' for + * hours, 'd' for days - default is 's'). + * + * @param str value to parse + * @param defunit optional default unit + * @param[out] val parsed value + * @return TRUE if a value was parsed + */ +bool timespan_from_string(char *str, char *defunit, time_t *val); + +/** * printf hook for time_t. * * Arguments are: diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in index 292d10f0b..3412ab1cb 100644 --- a/src/libtls/Makefile.in +++ b/src/libtls/Makefile.in @@ -297,9 +297,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtls/tests/Makefile.in b/src/libtls/tests/Makefile.in index 2e2c3debf..c46ca18bd 100644 --- a/src/libtls/tests/Makefile.in +++ b/src/libtls/tests/Makefile.in @@ -241,9 +241,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c index 05ae62b49..7f7742e88 100644 --- a/src/libtls/tls_crypto.c +++ b/src/libtls/tls_crypto.c @@ -1428,7 +1428,7 @@ METHOD(tls_crypto_t, sign, bool, { scheme = hashsig_to_scheme(key->get_type(key), hash, alg); if (scheme != SIGN_UNKNOWN && - key->sign(key, scheme, data, &sig)) + key->sign(key, scheme, NULL, data, &sig)) { done = TRUE; break; @@ -1460,7 +1460,8 @@ METHOD(tls_crypto_t, sign, bool, { return FALSE; } - done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig); + done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash, + &sig); free(hash.ptr); if (!done) { @@ -1469,7 +1470,7 @@ METHOD(tls_crypto_t, sign, bool, DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA"); break; case KEY_ECDSA: - if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig)) + if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, &sig)) { return FALSE; } @@ -1509,7 +1510,7 @@ METHOD(tls_crypto_t, verify, bool, tls_signature_algorithm_names, alg); return FALSE; } - if (!key->verify(key, scheme, data, sig)) + if (!key->verify(key, scheme, NULL, data, sig)) { return FALSE; } @@ -1533,7 +1534,8 @@ METHOD(tls_crypto_t, verify, bool, { return FALSE; } - done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig); + done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash, + sig); free(hash.ptr); if (!done) { @@ -1542,7 +1544,8 @@ METHOD(tls_crypto_t, verify, bool, DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA"); break; case KEY_ECDSA: - if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig)) + if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, + sig)) { return FALSE; } diff --git a/src/libtls/tls_prf.c b/src/libtls/tls_prf.c index 918de1e50..f88dbc2b7 100644 --- a/src/libtls/tls_prf.c +++ b/src/libtls/tls_prf.c @@ -17,6 +17,8 @@ typedef struct private_tls_prf12_t private_tls_prf12_t; +#include <library.h> + /** * Private data of an tls_prf_t object. */ diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in index 9a7639e06..97995800b 100644 --- a/src/libtnccs/Makefile.in +++ b/src/libtnccs/Makefile.in @@ -301,9 +301,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtnccs/plugins/tnc_imc/Makefile.in b/src/libtnccs/plugins/tnc_imc/Makefile.in index 5824c4597..7143a1ce2 100644 --- a/src/libtnccs/plugins/tnc_imc/Makefile.in +++ b/src/libtnccs/plugins/tnc_imc/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc.c b/src/libtnccs/plugins/tnc_imc/tnc_imc.c index 822df3f27..e88ac42b6 100644 --- a/src/libtnccs/plugins/tnc_imc/tnc_imc.c +++ b/src/libtnccs/plugins/tnc_imc/tnc_imc.c @@ -354,7 +354,7 @@ imc_t* tnc_imc_create(char *name, char *path) this = tnc_imc_create_empty(name); if (lib->settings->get_bool(lib->settings, "%s.dlopen_use_rtld_now", - lib->ns, FALSE)) + FALSE, lib->ns)) { flag = RTLD_NOW; } diff --git a/src/libtnccs/plugins/tnc_imv/Makefile.in b/src/libtnccs/plugins/tnc_imv/Makefile.in index 4de4bccb3..a142a7eff 100644 --- a/src/libtnccs/plugins/tnc_imv/Makefile.in +++ b/src/libtnccs/plugins/tnc_imv/Makefile.in @@ -250,9 +250,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtnccs/plugins/tnc_imv/tnc_imv.c b/src/libtnccs/plugins/tnc_imv/tnc_imv.c index 9a0304172..e6c53b74f 100644 --- a/src/libtnccs/plugins/tnc_imv/tnc_imv.c +++ b/src/libtnccs/plugins/tnc_imv/tnc_imv.c @@ -350,7 +350,7 @@ imv_t* tnc_imv_create(char *name, char *path) this = tnc_imv_create_empty(name); if (lib->settings->get_bool(lib->settings, "%s.dlopen_use_rtld_now", - lib->ns, FALSE)) + FALSE, lib->ns)) { flag = RTLD_NOW; } diff --git a/src/libtnccs/plugins/tnc_tnccs/Makefile.in b/src/libtnccs/plugins/tnc_tnccs/Makefile.in index a8607d3b4..72a195eca 100644 --- a/src/libtnccs/plugins/tnc_tnccs/Makefile.in +++ b/src/libtnccs/plugins/tnc_tnccs/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtnccs/plugins/tnccs_11/Makefile.in b/src/libtnccs/plugins/tnccs_11/Makefile.in index eac0e1f63..7e15cb2ff 100644 --- a/src/libtnccs/plugins/tnccs_11/Makefile.in +++ b/src/libtnccs/plugins/tnccs_11/Makefile.in @@ -259,9 +259,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.in b/src/libtnccs/plugins/tnccs_20/Makefile.in index 0d1e73aa4..d7d445fd1 100644 --- a/src/libtnccs/plugins/tnccs_20/Makefile.in +++ b/src/libtnccs/plugins/tnccs_20/Makefile.in @@ -262,9 +262,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in index ebe42fe5d..79db1e9b4 100644 --- a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in +++ b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in index 1fc797c7f..bd1da8e18 100644 --- a/src/libtncif/Makefile.in +++ b/src/libtncif/Makefile.in @@ -211,9 +211,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtncif/tncif_pa_subtypes.c b/src/libtncif/tncif_pa_subtypes.c index 2789e7d3e..9c58944bb 100644 --- a/src/libtncif/tncif_pa_subtypes.c +++ b/src/libtncif/tncif_pa_subtypes.c @@ -16,7 +16,7 @@ #include "tncif_pa_subtypes.h" /* IETF PA Subtype names */ -ENUM_BEGIN(pa_subtype_ietf_names, PA_SUBTYPE_IETF_TESTING, PA_SUBTYPE_IETF_SW, +ENUM_BEGIN(pa_subtype_ietf_names, PA_SUBTYPE_IETF_TESTING, PA_SUBTYPE_IETF_SWIMA, "Testing", "Operating System", "Anti-Virus", @@ -26,10 +26,10 @@ ENUM_BEGIN(pa_subtype_ietf_names, PA_SUBTYPE_IETF_TESTING, PA_SUBTYPE_IETF_SW, "IDPS", "VPN", "NEA Client", - "Software" + "SWIMA" ); ENUM_NEXT(pa_subtype_ietf_names, PA_SUBTYPE_IETF_ANY, PA_SUBTYPE_IETF_ANY, - PA_SUBTYPE_IETF_SW, + PA_SUBTYPE_IETF_SWIMA, "ANY" ); ENUM_END(pa_subtype_ietf_names, PA_SUBTYPE_IETF_ANY); diff --git a/src/libtncif/tncif_pa_subtypes.h b/src/libtncif/tncif_pa_subtypes.h index 696441029..0eef4ad17 100644 --- a/src/libtncif/tncif_pa_subtypes.h +++ b/src/libtncif/tncif_pa_subtypes.h @@ -43,7 +43,7 @@ typedef enum pa_subtype_ita_t pa_subtype_ita_t; PA_SUBTYPE_IETF_IDPS = 0x06, PA_SUBTYPE_IETF_VPN = 0x07, PA_SUBTYPE_IETF_NEA_CLIENT = 0x08, - PA_SUBTYPE_IETF_SW = 0x09, + PA_SUBTYPE_IETF_SWIMA = 0x09, PA_SUBTYPE_IETF_ANY = 0xff }; diff --git a/src/libtpmtss/Makefile.in b/src/libtpmtss/Makefile.in index 90d5e54f5..50861bcdd 100644 --- a/src/libtpmtss/Makefile.in +++ b/src/libtpmtss/Makefile.in @@ -289,9 +289,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtpmtss/plugins/tpm/Makefile.in b/src/libtpmtss/plugins/tpm/Makefile.in index f80c0f736..a12c18a35 100644 --- a/src/libtpmtss/plugins/tpm/Makefile.in +++ b/src/libtpmtss/plugins/tpm/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtpmtss/plugins/tpm/tpm_private_key.c b/src/libtpmtss/plugins/tpm/tpm_private_key.c index bd5a8baeb..0df5ee94c 100644 --- a/src/libtpmtss/plugins/tpm/tpm_private_key.c +++ b/src/libtpmtss/plugins/tpm/tpm_private_key.c @@ -76,7 +76,7 @@ METHOD(private_key_t, get_keysize, int, } METHOD(private_key_t, sign, bool, - private_tpm_private_key_t *this, signature_scheme_t scheme, + private_tpm_private_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t *signature) { chunk_t pin = chunk_empty; @@ -191,7 +191,7 @@ tpm_private_key_t *tpm_private_key_connect(key_type_t type, va_list args) if (!tpm) { DBG1(DBG_LIB, "no TPM 2.0 found"); - return NULL; + return NULL; } INIT(this, diff --git a/src/libtpmtss/tpm_tss_tss2.c b/src/libtpmtss/tpm_tss_tss2.c index dcba05c43..4c0d95fe5 100644 --- a/src/libtpmtss/tpm_tss_tss2.c +++ b/src/libtpmtss/tpm_tss_tss2.c @@ -742,7 +742,7 @@ METHOD(tpm_tss_t, sign, bool, *( (uint8_t *)((void *)&session_data_cmd.sessionAttributes ) ) = 0; key_type = key_type_from_signature_scheme(scheme); - hash_alg = hasher_from_signature_scheme(scheme); + hash_alg = hasher_from_signature_scheme(scheme, NULL); /* Check if hash algorithm is supported by TPM */ alg_id = hash_alg_to_tpm_alg_id(hash_alg); diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in index 0c128c1a8..c8450d27f 100644 --- a/src/manager/Makefile.in +++ b/src/manager/Makefile.in @@ -263,9 +263,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/manager/templates/static/jquery.js b/src/manager/templates/static/jquery.js index 7cb68d02f..f0e43fa93 100644 --- a/src/manager/templates/static/jquery.js +++ b/src/manager/templates/static/jquery.js @@ -311,7 +311,7 @@ jQuery.fn = jQuery.prototype = { for ( var i = one ? index : 0, max = one ? index + 1 : options.length; i < max; i++ ) { var option = options[i]; if ( option.selected ) { - // Get the specifc value for the option + // Get the specific value for the option var val = jQuery.browser.msie && !option.attributes["value"].specified ? option.text : option.value; // We don't need an array for one selects diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in index 6ebe48691..02b5607b1 100644 --- a/src/medsrv/Makefile.in +++ b/src/medsrv/Makefile.in @@ -252,9 +252,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in index 58de24aca..8b369b38d 100644 --- a/src/pki/Makefile.in +++ b/src/pki/Makefile.in @@ -265,9 +265,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/pki/command.c b/src/pki/command.c index ce704dbb8..f425af7e8 100644 --- a/src/pki/command.c +++ b/src/pki/command.c @@ -191,7 +191,7 @@ void command_register(command_t command) int command_usage(char *error) { FILE *out = stdout; - int i; + int i, indent = 0; if (error) { @@ -221,12 +221,12 @@ int command_usage(char *error) { if (i == 0) { - fprintf(out, " pki --%s %s\n", - cmds[active].cmd, cmds[active].line[i]); + indent = fprintf(out, " pki --%s ", cmds[active].cmd); + fprintf(out, "%s\n", cmds[active].line[i]); } else { - fprintf(out, " %s\n", cmds[active].line[i]); + fprintf(out, "%*s%s\n", indent, "", cmds[active].line[i]); } } for (i = 0; cmds[active].options[i].name; i++) diff --git a/src/pki/command.h b/src/pki/command.h index 449252eb8..a7dade758 100644 --- a/src/pki/command.h +++ b/src/pki/command.h @@ -34,7 +34,7 @@ /** * Maximum number of usage summary lines (+1) */ -#define MAX_LINES 11 +#define MAX_LINES 12 typedef struct command_t command_t; typedef struct command_option_t command_option_t; diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c index 9e6e80938..d1ea5c65e 100644 --- a/src/pki/commands/acert.c +++ b/src/pki/commands/acert.c @@ -33,6 +33,7 @@ static int acert() { cred_encoding_type_t form = CERT_ASN1_DER; hash_algorithm_t digest = HASH_UNKNOWN; + signature_params_t *scheme = NULL; certificate_t *ac = NULL, *cert = NULL, *issuer =NULL; private_key_t *private = NULL; public_key_t *public = NULL; @@ -44,6 +45,8 @@ static int acert() char *datenb = NULL, *datena = NULL, *dateform = NULL; rng_t *rng; char *arg; + bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + lib->ns); groups = linked_list_create(); @@ -60,6 +63,17 @@ static int acert() goto usage; } continue; + case 'R': + if (streq(arg, "pss")) + { + pss = TRUE; + } + else if (!streq(arg, "pkcs1")) + { + error = "invalid RSA padding"; + goto usage; + } + continue; case 'i': file = arg; continue; @@ -162,10 +176,6 @@ static int acert() error = "loading issuer private key failed"; goto end; } - if (digest == HASH_UNKNOWN) - { - digest = get_default_digest(private); - } if (!private->belongs_to(private, public)) { error = "issuer private key does not match issuer certificate"; @@ -217,6 +227,7 @@ static int acert() error = "parsing user certificate failed"; goto end; } + scheme = get_signature_scheme(private, digest, pss); ac = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, @@ -227,6 +238,7 @@ static int acert() BUILD_AC_GROUP_STRINGS, groups, BUILD_SIGNING_CERT, issuer, BUILD_SIGNING_KEY, private, + BUILD_SIGNATURE_SCHEME, scheme, BUILD_END); if (!ac) { @@ -252,6 +264,7 @@ end: DESTROY_IF(public); DESTROY_IF(private); groups->destroy(groups); + signature_params_destroy(scheme); free(encoding.ptr); free(serial.ptr); @@ -279,6 +292,7 @@ static void __attribute__ ((constructor))reg() " --issuercert file [--serial hex] [--lifetime hours]", " [--not-before datetime] [--not-after datetime] [--dateform form]", "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", + "[--rsa-padding pkcs1|pss]", "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, @@ -293,6 +307,7 @@ static void __attribute__ ((constructor))reg() {"not-after", 'T', 1, "date/time the validity of the AC ends"}, {"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"}, {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, + {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"}, {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c index 6f14b5276..203c76542 100644 --- a/src/pki/commands/gen.c +++ b/src/pki/commands/gen.c @@ -166,7 +166,7 @@ static void __attribute__ ((constructor))reg() { command_register((command_t) { gen, 'g', "gen", "generate a new private key", - {" [--type rsa|ecdsa|ed25519|bliss] [--size bits] [--safe-primes]", + {"[--type rsa|ecdsa|ed25519|bliss] [--size bits] [--safe-primes]", "[--shares n] [--threshold l] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index e41c56d08..1ccbca89f 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -61,6 +61,7 @@ static int issue() { cred_encoding_type_t form = CERT_ASN1_DER; hash_algorithm_t digest = HASH_UNKNOWN; + signature_params_t *scheme = NULL; certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL; private_key_t *private = NULL; public_key_t *public = NULL; @@ -84,6 +85,8 @@ static int issue() x509_cert_policy_t *policy = NULL; traffic_selector_t *ts; char *arg; + bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + lib->ns); san = linked_list_create(); cdps = linked_list_create(); @@ -143,6 +146,17 @@ static int issue() goto usage; } continue; + case 'R': + if (streq(arg, "pss")) + { + pss = TRUE; + } + else if (!streq(arg, "pkcs1")) + { + error = "invalid RSA padding"; + goto usage; + } + continue; case 'i': file = arg; continue; @@ -396,10 +410,6 @@ static int issue() error = "loading CA private key failed"; goto end; } - if (digest == HASH_UNKNOWN) - { - digest = get_default_digest(private); - } if (!private->belongs_to(private, public)) { error = "CA private key does not match CA certificate"; @@ -525,11 +535,12 @@ static int issue() id = identification_create_from_encoding(ID_DER_ASN1_DN, chunk_from_chars(ASN1_SEQUENCE, 0)); } + scheme = get_signature_scheme(private, digest, pss); cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca, BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id, - BUILD_NOT_BEFORE_TIME, not_before, BUILD_DIGEST_ALG, digest, + BUILD_NOT_BEFORE_TIME, not_before, BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial, BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags, BUILD_PATHLEN, pathlen, BUILD_ADDRBLOCKS, addrblocks, @@ -542,6 +553,7 @@ static int issue() BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit, BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping, BUILD_POLICY_INHIBIT_ANY, inhibit_any, + BUILD_SIGNATURE_SCHEME, scheme, BUILD_END); if (!cert) { @@ -575,6 +587,7 @@ end: mappings->destroy_function(mappings, (void*)destroy_policy_mapping); cdps->destroy_function(cdps, (void*)destroy_cdp); ocsp->destroy(ocsp); + signature_params_destroy(scheme); free(encoding.ptr); free(serial.ptr); @@ -614,6 +627,7 @@ static void __attribute__ ((constructor))reg() "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+", "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", + "[--rsa-padding pkcs1|pss]", "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, @@ -646,6 +660,7 @@ static void __attribute__ ((constructor))reg() {"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"}, {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, + {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"}, {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c index 7b87e6ca6..cfddbc455 100644 --- a/src/pki/commands/req.c +++ b/src/pki/commands/req.c @@ -30,6 +30,7 @@ static int req() cred_encoding_type_t form = CERT_ASN1_DER; key_type_t type = KEY_ANY; hash_algorithm_t digest = HASH_UNKNOWN; + signature_params_t *scheme = NULL; certificate_t *cert = NULL; private_key_t *private = NULL; char *file = NULL, *keyid = NULL, *dn = NULL, *error = NULL; @@ -38,6 +39,8 @@ static int req() chunk_t encoding = chunk_empty; chunk_t challenge_password = chunk_empty; char *arg; + bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + lib->ns); san = linked_list_create(); @@ -77,6 +80,17 @@ static int req() goto usage; } continue; + case 'R': + if (streq(arg, "pss")) + { + pss = TRUE; + } + else if (!streq(arg, "pkcs1")) + { + error = "invalid RSA padding"; + goto usage; + } + continue; case 'i': file = arg; continue; @@ -153,16 +167,14 @@ static int req() error = "parsing private key failed"; goto end; } - if (digest == HASH_UNKNOWN) - { - digest = get_default_digest(private); - } + scheme = get_signature_scheme(private, digest, pss); + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, BUILD_SIGNING_KEY, private, BUILD_SUBJECT, id, BUILD_SUBJECT_ALTNAMES, san, BUILD_CHALLENGE_PWD, challenge_password, - BUILD_DIGEST_ALG, digest, + BUILD_SIGNATURE_SCHEME, scheme, BUILD_END); if (!cert) { @@ -186,6 +198,7 @@ end: DESTROY_IF(cert); DESTROY_IF(private); san->destroy_offset(san, offsetof(identification_t, destroy)); + signature_params_destroy(scheme); free(encoding.ptr); if (error) @@ -208,20 +221,22 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { req, 'r', "req", "create a PKCS#10 certificate request", - {" [--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name", + {"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name", "[--san subjectAltName]+ [--password challengePassword]", "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", + "[--rsa-padding pkcs1|pss]", "[--outform der|pem]"}, { - {"help", 'h', 0, "show usage information"}, - {"in", 'i', 1, "private key input file, default: stdin"}, - {"keyid", 'x', 1, "smartcard or TPM private key object handle"}, - {"type", 't', 1, "type of input key, default: priv"}, - {"dn", 'd', 1, "subject distinguished name"}, - {"san", 'a', 1, "subjectAltName to include in cert request"}, - {"password",'p', 1, "challengePassword to include in cert request"}, - {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, - {"outform", 'f', 1, "encoding of generated request, default: der"}, + {"help", 'h', 0, "show usage information"}, + {"in", 'i', 1, "private key input file, default: stdin"}, + {"keyid", 'x', 1, "smartcard or TPM private key object handle"}, + {"type", 't', 1, "type of input key, default: priv"}, + {"dn", 'd', 1, "subject distinguished name"}, + {"san", 'a', 1, "subjectAltName to include in cert request"}, + {"password", 'p', 1, "challengePassword to include in cert request"}, + {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, + {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"}, + {"outform", 'f', 1, "encoding of generated request, default: der"}, } }); } diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index bdb22463e..6f7adef0f 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -52,6 +52,7 @@ static int self() cred_encoding_type_t form = CERT_ASN1_DER; key_type_t type = KEY_ANY; hash_algorithm_t digest = HASH_UNKNOWN; + signature_params_t *scheme = NULL; certificate_t *cert = NULL; private_key_t *private = NULL; public_key_t *public = NULL; @@ -70,6 +71,8 @@ static int self() x509_cert_policy_t *policy = NULL; traffic_selector_t *ts; char *arg; + bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + lib->ns); san = linked_list_create(); ocsp = linked_list_create(); @@ -119,6 +122,17 @@ static int self() goto usage; } continue; + case 'R': + if (streq(arg, "pss")) + { + pss = TRUE; + } + else if (!streq(arg, "pkcs1")) + { + error = "invalid RSA padding"; + goto usage; + } + continue; case 'i': file = arg; continue; @@ -335,10 +349,6 @@ static int self() error = "loading private key failed"; goto end; } - if (digest == HASH_UNKNOWN) - { - digest = get_default_digest(private); - } public = private->get_public_key(private); if (!public) { @@ -367,11 +377,13 @@ static int self() serial.ptr[0] &= 0x7F; rng->destroy(rng); } + scheme = get_signature_scheme(private, digest, pss); + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id, BUILD_NOT_BEFORE_TIME, not_before, BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial, - BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags, + BUILD_SIGNATURE_SCHEME, scheme, BUILD_X509_FLAG, flags, BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san, BUILD_ADDRBLOCKS, addrblocks, BUILD_OCSP_ACCESS_LOCATIONS, ocsp, @@ -412,6 +424,7 @@ end: policies->destroy_function(policies, (void*)destroy_cert_policy); mappings->destroy_function(mappings, (void*)destroy_policy_mapping); ocsp->destroy(ocsp); + signature_params_destroy(scheme); free(encoding.ptr); free(serial.ptr); @@ -441,7 +454,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { self, 's', "self", "create a self signed certificate", - {" [--in file|--keyid hex] [--type rsa|ecdsa|ed25519|bliss|priv]", + {"[--in file|--keyid hex] [--type rsa|ecdsa|ed25519|bliss|priv]", " --dn distinguished-name [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+", "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+", @@ -450,6 +463,7 @@ static void __attribute__ ((constructor))reg() "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+", "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", + "[--rsa-padding pkcs1|pss]", "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, @@ -478,6 +492,7 @@ static void __attribute__ ((constructor))reg() {"flag", 'e', 1, "include extendedKeyUsage flag"}, {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, + {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"}, {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index 25a3aac52..50f939687 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c @@ -109,15 +109,6 @@ static int read_serial(char *file, char *buf, int buflen) } /** - * Destroy a CDP - */ -static void cdp_destroy(x509_cdp_t *this) -{ - free(this->uri); - free(this); -} - -/** * Sign a CRL */ static int sign_crl() @@ -129,6 +120,7 @@ static int sign_crl() crl_t *lastcrl = NULL; x509_t *x509; hash_algorithm_t digest = HASH_UNKNOWN; + signature_params_t *scheme = NULL; char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL; char *basecrl = NULL; char serial[512], *keyid = NULL; @@ -142,6 +134,8 @@ static int sign_crl() x509_cdp_t *cdp; chunk_t crl_serial = chunk_empty, baseCrlNumber = chunk_empty; chunk_t encoding = chunk_empty; + bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + lib->ns); list = linked_list_create(); cdps = linked_list_create(); @@ -159,6 +153,17 @@ static int sign_crl() goto usage; } continue; + case 'R': + if (streq(arg, "pss")) + { + pss = TRUE; + } + else if (!streq(arg, "pkcs1")) + { + error = "invalid RSA padding"; + goto usage; + } + continue; case 'c': cacert = arg; continue; @@ -341,10 +346,6 @@ static int sign_crl() error = "loading CA private key failed"; goto error; } - if (digest == HASH_UNKNOWN) - { - digest = get_default_digest(private); - } if (!private->belongs_to(private, public)) { error = "CA private key does not match CA certificate"; @@ -399,6 +400,7 @@ static int sign_crl() /* increment the serial number by one */ chunk_increment(crl_serial); + scheme = get_signature_scheme(private, digest, pss); enumerator = enumerator_create_filter(list->create_enumerator(list), filter, NULL, NULL); crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, @@ -406,7 +408,7 @@ static int sign_crl() BUILD_SERIAL, crl_serial, BUILD_NOT_BEFORE_TIME, thisUpdate, BUILD_NOT_AFTER_TIME, nextUpdate, BUILD_REVOKED_ENUMERATOR, enumerator, - BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_DIGEST_ALG, digest, + BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_SIGNATURE_SCHEME, scheme, BUILD_CRL_DISTRIBUTION_POINTS, cdps, BUILD_BASE_CRL, baseCrlNumber, BUILD_END); enumerator->destroy(enumerator); @@ -436,10 +438,11 @@ error: DESTROY_IF(private); DESTROY_IF(ca); DESTROY_IF(crl); + signature_params_destroy(scheme); free(encoding.ptr); free(baseCrlNumber.ptr); list->destroy_function(list, (void*)revoked_destroy); - cdps->destroy_function(cdps, (void*)cdp_destroy); + cdps->destroy_function(cdps, (void*)x509_cdp_destroy); if (error) { fprintf(stderr, "%s\n", error); @@ -449,7 +452,7 @@ error: usage: list->destroy_function(list, (void*)revoked_destroy); - cdps->destroy_function(cdps, (void*)cdp_destroy); + cdps->destroy_function(cdps, (void*)x509_cdp_destroy); return command_usage(error); } @@ -462,12 +465,13 @@ static void __attribute__ ((constructor))reg() sign_crl, 'c', "signcrl", "issue a CRL using a CA certificate and key", {"--cacert file --cakey file|--cakeyid hex [--lifetime days]", - " [--lastcrl crl] [--basecrl crl] [--crluri uri]+", - " [[--reason key-compromise|ca-compromise|affiliation-changed|", - " superseded|cessation-of-operation|certificate-hold]", - " [--date timestamp] --cert file|--serial hex]*", - " [--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", - " [--outform der|pem]"}, + "[--lastcrl crl] [--basecrl crl] [--crluri uri]+", + "[[--reason key-compromise|ca-compromise|affiliation-changed|", + " superseded|cessation-of-operation|certificate-hold]", + " [--date timestamp] --cert file|--serial hex]*", + "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", + "[--rsa-padding pkcs1|pss]", + "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"cacert", 'c', 1, "CA certificate file"}, @@ -485,6 +489,7 @@ static void __attribute__ ((constructor))reg() {"reason", 'r', 1, "reason for certificate revocation"}, {"date", 'd', 1, "revocation date as unix timestamp, default: now"}, {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, + {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"}, {"outform", 'f', 1, "encoding of generated crl, default: der"}, } }); diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in index bf8092bd4..533dfcab1 100644 --- a/src/pki/man/Makefile.in +++ b/src/pki/man/Makefile.in @@ -202,9 +202,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/pki/man/pki---acert.1.in b/src/pki/man/pki---acert.1.in index c6ecbb989..6c574f273 100644 --- a/src/pki/man/pki---acert.1.in +++ b/src/pki/man/pki---acert.1.in @@ -16,6 +16,7 @@ pki \-\-acert \- Issue an attribute certificate .OP \-\-not-after datetime .OP \-\-serial hex .OP \-\-digest digest +.OP \-\-rsa\-padding padding .OP \-\-outform encoding .OP \-\-debug level .YS @@ -103,6 +104,10 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, \fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is determined based on the type and size of the signature key. .TP +.BI "\-R, \-\-rsa\-padding " padding +Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults +to \fIpkcs1\fR. +.TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or \fIpem\fR (Base64 PEM), defaults to \fIder\fR. diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in index 99cc64fa5..8aec65306 100644 --- a/src/pki/man/pki---issue.1.in +++ b/src/pki/man/pki---issue.1.in @@ -19,6 +19,7 @@ pki \-\-issue \- Issue a certificate using a CA certificate and key .OP \-\-serial hex .OP \-\-flag flag .OP \-\-digest digest +.OP \-\-rsa\-padding padding .OP \-\-ca .OP \-\-crl uri\ \fR[\fB\-\-crlissuer\ \fIissuer\fR] .OP \-\-ocsp uri @@ -129,6 +130,10 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, \fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is determined based on the type and size of the signature key. .TP +.BI "\-R, \-\-rsa\-padding " padding +Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults +to \fIpkcs1\fR. +.TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or \fIpem\fR (Base64 PEM), defaults to \fIder\fR. diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in index 09ef0862a..8f7de248c 100644 --- a/src/pki/man/pki---req.1.in +++ b/src/pki/man/pki---req.1.in @@ -15,6 +15,7 @@ pki \-\-req \- Create a PKCS#10 certificate request .OP \-\-san subjectAltName .OP \-\-password password .OP \-\-digest digest +.OP \-\-rsa\-padding padding .OP \-\-outform encoding .OP \-\-debug level .YS @@ -72,6 +73,10 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, \fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is determined based on the type and size of the signature key. .TP +.BI "\-R, \-\-rsa\-padding " padding +Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults +to \fIpkcs1\fR. +.TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or \fIpem\fR (Base64 PEM), defaults to \fIder\fR. diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in index aa7e6fabe..5f7e42108 100644 --- a/src/pki/man/pki---self.1.in +++ b/src/pki/man/pki---self.1.in @@ -19,6 +19,7 @@ pki \-\-self \- Create a self-signed certificate .OP \-\-serial hex .OP \-\-flag flag .OP \-\-digest digest +.OP \-\-rsa\-padding padding .OP \-\-ca .OP \-\-ocsp uri .OP \-\-pathlen len @@ -115,6 +116,10 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, \fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is determined based on the type and size of the signature key. .TP +.BI "\-R, \-\-rsa\-padding " padding +Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults +to \fIpkcs1\fR. +.TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or \fIpem\fR (Base64 PEM), defaults to \fIder\fR. diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in index b901ad084..0abd166a9 100644 --- a/src/pki/man/pki---signcrl.1.in +++ b/src/pki/man/pki---signcrl.1.in @@ -16,6 +16,7 @@ pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certific .OP \-\-basecrl crl .OP \-\-crluri uri .OP \-\-digest digest +.OP \-\-rsa\-padding padding .OP \fR[\fB\-\-reason\ \fIreason\fR]\ \fR[\fB\-\-date\ \fIts\fR]\ \fB\-\-cert\ \fIfile\fB|\-\-serial\ \fIhex\fR .OP \-\-outform encoding .OP \-\-debug level @@ -102,6 +103,10 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, \fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is determined based on the type and size of the signature key. .TP +.BI "\-R, \-\-rsa\-padding " padding +Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults +to \fIpkcs1\fR. +.TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or \fIpem\fR (Base64 PEM), defaults to \fIder\fR. diff --git a/src/pki/pki.c b/src/pki/pki.c index 0fdab2aab..ec60f7d42 100644 --- a/src/pki/pki.c +++ b/src/pki/pki.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2012-2014 Tobias Brunner + * Copyright (C) 2012-2017 Tobias Brunner * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -237,20 +237,20 @@ void set_file_mode(FILE *stream, cred_encoding_type_t enc) #endif } -/* - * Described in header +/** + * Determine a default hash algorithm for the given key */ -hash_algorithm_t get_default_digest(private_key_t *private) +static hash_algorithm_t get_default_digest(private_key_t *private) { enumerator_t *enumerator; - signature_scheme_t scheme; + signature_params_t *params; hash_algorithm_t alg = HASH_UNKNOWN; enumerator = signature_schemes_for_key(private->get_type(private), private->get_keysize(private)); - if (enumerator->enumerate(enumerator, &scheme)) + if (enumerator->enumerate(enumerator, ¶ms)) { - alg = hasher_from_signature_scheme(scheme); + alg = hasher_from_signature_scheme(params->scheme, params->params); } enumerator->destroy(enumerator); @@ -261,6 +261,42 @@ hash_algorithm_t get_default_digest(private_key_t *private) /* * Described in header */ +signature_params_t *get_signature_scheme(private_key_t *private, + hash_algorithm_t digest, bool pss) +{ + signature_params_t *scheme; + + if (digest == HASH_UNKNOWN) + { + digest = get_default_digest(private); + } + if (private->get_type(private) == KEY_RSA && pss) + { + rsa_pss_params_t pss_params = { + .hash = digest, + .mgf1_hash = digest, + .salt_len = RSA_PSS_SALT_LEN_DEFAULT, + }; + signature_params_t pss_scheme = { + .scheme = SIGN_RSA_EMSA_PSS, + .params = &pss_params, + }; + scheme = signature_params_clone(&pss_scheme); + } + else + { + INIT(scheme, + .scheme = signature_scheme_from_oid( + hasher_signature_algorithm_to_oid(digest, + private->get_type(private))), + ); + } + return scheme; +} + +/* + * Described in header + */ traffic_selector_t* parse_ts(char *str) { ts_type_t type = TS_IPV4_ADDR_RANGE; diff --git a/src/pki/pki.h b/src/pki/pki.h index 54be59f8f..3f0793cfd 100644 --- a/src/pki/pki.h +++ b/src/pki/pki.h @@ -1,6 +1,7 @@ /* + * Copyright (C) 2015-2017 Tobias Brunner * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -57,12 +58,17 @@ bool calculate_lifetime(char *format, char *nbstr, char *nastr, time_t span, void set_file_mode(FILE *stream, cred_encoding_type_t enc); /** - * Select default digest for signatures with the given key + * Determine the signature scheme and parameters for the given private key and + * hash algorithm and whether to use PSS padding for RSA. * * @param private private key - * @return hash algorithm + * @param digest hash algorithm (if HASH_UNKNOWN a default is determined + * based on the key) + * @param pss use PSS padding for RSA keys + * @return allocated signature scheme and parameters */ -hash_algorithm_t get_default_digest(private_key_t *private); +signature_params_t *get_signature_scheme(private_key_t *private, + hash_algorithm_t digest, bool pss); /** * Create a traffic selector from a CIDR or range string. diff --git a/src/pool/Makefile.in b/src/pool/Makefile.in index 1da001d09..e6815434f 100644 --- a/src/pool/Makefile.in +++ b/src/pool/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/pool/pool.c b/src/pool/pool.c index cd9fb6293..b755365ec 100644 --- a/src/pool/pool.c +++ b/src/pool/pool.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2016 Tobias Brunner + * Copyright (C) 2011-2017 Tobias Brunner * Copyright (C) 2008 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -56,28 +56,30 @@ static void do_args(int argc, char *argv[]); /** * Create or replace a pool by name */ -static u_int create_pool(char *name, chunk_t start, chunk_t end, int timeout) +static u_int create_pool(char *name, chunk_t start, chunk_t end, u_int timeout) { enumerator_t *e; int pool; + bool exists; e = db->query(db, "SELECT id FROM pools WHERE name = ?", DB_TEXT, name, DB_UINT); - if (e && e->enumerate(e, &pool)) + exists = e && e->enumerate(e, &pool); + DESTROY_IF(e); + + if (exists) { - if (replace_pool == FALSE) + if (!replace_pool) { fprintf(stderr, "pool '%s' exists.\n", name); - e->destroy(e); exit(EXIT_FAILURE); } del(name); } - DESTROY_IF(e); if (db->execute(db, &pool, "INSERT INTO pools (name, start, end, timeout) VALUES (?, ?, ?, ?)", DB_TEXT, name, DB_BLOB, start, DB_BLOB, end, - DB_INT, timeout*3600) != 1) + DB_UINT, timeout) != 1) { fprintf(stderr, "creating pool failed.\n"); exit(EXIT_FAILURE); @@ -258,7 +260,18 @@ static void status(void) } if (timeout) { - printf("%7dh ", timeout/3600); + if (timeout >= 60 * 300) + { + printf("%7dh ", timeout/3600); + } + else if (timeout >= 300) + { + printf("%7dm ", timeout/60); + } + else + { + printf("%7ds ", timeout); + } } else { @@ -318,7 +331,7 @@ next_pool: /** * ipsec pool --add - add a new pool */ -static void add(char *name, host_t *start, host_t *end, int timeout) +static void add(char *name, host_t *start, host_t *end, u_int timeout) { chunk_t start_addr, end_addr, cur_addr; u_int id, count; @@ -407,7 +420,7 @@ static bool add_address(u_int pool_id, char *address_str, int *family) return TRUE; } -static void add_addresses(char *pool, char *path, int timeout) +static void add_addresses(char *pool, char *path, u_int timeout) { u_int pool_id, count = 0; int family = AF_UNSPEC; @@ -941,7 +954,7 @@ static void do_args(int argc, char *argv[]) char *name = "", *value = "", *filter = ""; char *pool = NULL, *identity = NULL, *addresses = NULL; value_type_t value_type = VALUE_NONE; - int timeout = 0; + time_t timeout = 0; bool utc = FALSE, hexout = FALSE; enum { @@ -1088,8 +1101,7 @@ static void do_args(int argc, char *argv[]) } continue; case 't': - timeout = atoi(optarg); - if (timeout == 0 && strcmp(optarg, "0") != 0) + if (!timespan_from_string(optarg, "h", &timeout)) { fprintf(stderr, "invalid timeout '%s'.\n", optarg); usage(); diff --git a/src/pool/pool_usage.c b/src/pool/pool_usage.c index 7622cfa86..94cc041b5 100644 --- a/src/pool/pool_usage.c +++ b/src/pool/pool_usage.c @@ -44,7 +44,9 @@ Usage:\n\ name: Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\ start: Start address of the pool\n\ end: End address of the pool\n\ - timeout: Lease time in hours, 0 for static leases\n\ + timeout: Lease time in hours (use 'd', 'm', or 's' to alternatively\n\ + configure the time in days, minutes or seconds, respectively),\n\ + 0 for static leases\n\ \n\ ipsec pool --add <name> --addresses <file> [--timeout <timeout>]\n\ ipsec pool --replace <name> --addresses <file> [--timeout <timeout>]\n\ @@ -57,7 +59,9 @@ Usage:\n\ are read from STDIN. Reading addresses stops at the end of file\n\ or an empty line. Pools created with this command can not be\n\ resized.\n\ - timeout: Lease time in hours, 0 for static leases\n\ + timeout: Lease time in hours (use 'd', 'm', or 's' to alternatively\n\ + configure the time in days, minutes or seconds, respectively),\n\ + 0 for static leases\n\ \n\ ipsec pool --addattr <type> [--pool <name> [--identity <id>]]\n\ --addr|--mask|--server|--subnet|--string|--hex <value>\n\ diff --git a/src/pt-tls-client/Makefile.in b/src/pt-tls-client/Makefile.in index 820bec9f3..1bab5804f 100644 --- a/src/pt-tls-client/Makefile.in +++ b/src/pt-tls-client/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/pt-tls-client/pt-tls-client.1.in b/src/pt-tls-client/pt-tls-client.1.in index d7c9dffe5..795054c80 100644 --- a/src/pt-tls-client/pt-tls-client.1.in +++ b/src/pt-tls-client/pt-tls-client.1.in @@ -20,7 +20,7 @@ pt-tls-client \- Simple client using PT-TLS to collect integrity information .OP \-\-client client-id .OP \-\-secret password .OP \-\-mutual -.OP \-\-optionsfrom filename +.OP \-\-options filename .OP \-\-quiet .OP \-\-debug level .YS @@ -92,7 +92,7 @@ Set debug level, default: 1. .B "\-q, \-\-quiet Disable debug output to stderr. .TP -.BI "\-+, \-\-optionsfrom " file +.BI "\-+, \-\-options " file Read command line options from \fIfile\fR. . .SH "EXAMPLES" diff --git a/src/pt-tls-client/pt-tls-client.c b/src/pt-tls-client/pt-tls-client.c index d7e78c497..841724eb3 100644 --- a/src/pt-tls-client/pt-tls-client.c +++ b/src/pt-tls-client/pt-tls-client.c @@ -45,7 +45,7 @@ static void usage(FILE *out) " [--cert <file>]+ [--keyid <hex>|--key <file>]\n" " [--key-type rsa|ecdsa] [--client <client-id>]\n" " [--secret <password>] [--mutual] [--quiet]\n" - " [--debug <level>] [--optionsfrom <filename>]\n"); + " [--debug <level>] [--options <filename>]\n"); } /** @@ -289,6 +289,7 @@ int main(int argc, char *argv[]) {"mutual", no_argument, NULL, 'm' }, {"quiet", no_argument, NULL, 'q' }, {"debug", required_argument, NULL, 'd' }, + {"options", required_argument, NULL, '+' }, {"optionsfrom", required_argument, NULL, '+' }, {0,0,0,0 } }; diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in index 85522ad7b..1d5e53241 100644 --- a/src/scepclient/Makefile.in +++ b/src/scepclient/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/sec-updater/Makefile.am b/src/sec-updater/Makefile.am new file mode 100644 index 000000000..5546cb8f8 --- /dev/null +++ b/src/sec-updater/Makefile.am @@ -0,0 +1,18 @@ +if !USE_WINDOWS + +sbin_PROGRAMS = sec-updater + +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -DPLUGINS=\""sqlite"\" + +sec_updater_SOURCES = sec-updater.c +sec_updater_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +sec-updater.o : $(top_builddir)/config.status + +EXTRA_DIST = sec-updater.sh + +man8_MANS = sec-updater.8 +CLEANFILES = $(man8_MANS) + +endif diff --git a/src/sec-updater/Makefile.in b/src/sec-updater/Makefile.in new file mode 100644 index 000000000..a434b9d34 --- /dev/null +++ b/src/sec-updater/Makefile.in @@ -0,0 +1,845 @@ +# Makefile.in generated by automake 1.15 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2014 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@USE_WINDOWS_FALSE@sbin_PROGRAMS = sec-updater$(EXEEXT) +subdir = src/sec-updater +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = sec-updater.8 +CONFIG_CLEAN_VPATH_FILES = +am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)" +PROGRAMS = $(sbin_PROGRAMS) +am__sec_updater_SOURCES_DIST = sec-updater.c +@USE_WINDOWS_FALSE@am_sec_updater_OBJECTS = sec-updater.$(OBJEXT) +sec_updater_OBJECTS = $(am_sec_updater_OBJECTS) +@USE_WINDOWS_FALSE@sec_updater_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(sec_updater_SOURCES) +DIST_SOURCES = $(am__sec_updater_SOURCES_DIST) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man8_MANS) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/sec-updater.8.in \ + $(top_srcdir)/depcomp +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +ATOMICLIB = @ATOMICLIB@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +fuzz_plugins = @fuzz_plugins@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libfuzzer = @libfuzzer@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +p_plugins = @p_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +ruby_CFLAGS = @ruby_CFLAGS@ +ruby_LIBS = @ruby_LIBS@ +runstatedir = @runstatedir@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +tss2_CFLAGS = @tss2_CFLAGS@ +tss2_LIBS = @tss2_LIBS@ +tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ +tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ +tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +@USE_WINDOWS_FALSE@AM_CPPFLAGS = \ +@USE_WINDOWS_FALSE@ -I$(top_srcdir)/src/libstrongswan \ +@USE_WINDOWS_FALSE@ -DPLUGINS=\""sqlite"\" + +@USE_WINDOWS_FALSE@sec_updater_SOURCES = sec-updater.c +@USE_WINDOWS_FALSE@sec_updater_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +@USE_WINDOWS_FALSE@EXTRA_DIST = sec-updater.sh +@USE_WINDOWS_FALSE@man8_MANS = sec-updater.8 +@USE_WINDOWS_FALSE@CLEANFILES = $(man8_MANS) +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/sec-updater/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/sec-updater/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +sec-updater.8: $(top_builddir)/config.status $(srcdir)/sec-updater.8.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ +install-sbinPROGRAMS: $(sbin_PROGRAMS) + @$(NORMAL_INSTALL) + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ + fi; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p \ + || test -f $$p1 \ + ; then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' \ + -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-sbinPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' \ + `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(sbindir)" && rm -f $$files + +clean-sbinPROGRAMS: + @list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + +sec-updater$(EXEEXT): $(sec_updater_OBJECTS) $(sec_updater_DEPENDENCIES) $(EXTRA_sec_updater_DEPENDENCIES) + @rm -f sec-updater$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(sec_updater_OBJECTS) $(sec_updater_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sec-updater.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) + @$(NORMAL_INSTALL) + @list1='$(man8_MANS)'; \ + list2=''; \ + test -n "$(man8dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.8[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS)'; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(PROGRAMS) $(MANS) +installdirs: + for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-man + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-sbinPROGRAMS + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-sbinPROGRAMS + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-sbinPROGRAMS cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am install-sbinPROGRAMS \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ + uninstall-man uninstall-man8 uninstall-sbinPROGRAMS + +.PRECIOUS: Makefile + +@USE_WINDOWS_FALSE@sec-updater.o : $(top_builddir)/config.status + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/sec-updater/sec-updater.8.in b/src/sec-updater/sec-updater.8.in new file mode 100644 index 000000000..f17198f56 --- /dev/null +++ b/src/sec-updater/sec-updater.8.in @@ -0,0 +1,84 @@ +.TH SEC-UPDATER 8 "2017-08-25" "@PACKAGE_VERSION@" "strongSwan" +. +.SH "NAME" +. +sec-updater \- Extracts security update information of Linux distributions +. +.SH "SYNOPSIS" +. +.SY "sec-updater" +.OP \-\-debug level +.OP \-\-quiet +.OP \-\-security +.BI \-\-os " string" +.BI \-\-arch " string" +.BI \-\-uri " uri" +.BI \-\-file " filename" +.YS +. +.SY "sec-updater" +.B \-h +| +.B \-\-help +.YS +. +.SH "DESCRIPTION" +. +.B sec-updater +extracts information about security updates and backports of Linux repositories +(e.g. Debian or Ubuntu). This information is used to update the package version +information stored in the strongTNC SQLite database. The "dbkg --compare-versions" +command is used to determine which package versions are affected by a given +security update. +. +.SH "OPTIONS" +. +.TP +.B "\-h, \-\-help" +Prints usage information and a short summary of the available commands. +.TP +.BI "\-v, \-\-debug " level +Set debug level, default: 1. +.TP +.B "\-q, \-\-quiet" +Disable debug output to stderr. +.TP +.B "\-s, \-\-security" +Set when parsing a distributions file with security updates. +.TP +.BI "\-o, \-\-os " string +Name of operating system (OS). eg. "Ubuntu 16.04". +.TP +.BI "\-o, \-\-arch " string +Name of HW architecture. eg. "x86_64". +.TP +.BI "\-o, \-\-uri " uri +URI where to download deb package from. +.TP +.BI "\-f, \-\-file " filename +Linux package information file to parse. +. +.SH "CONFIGURATION" +. +The following parameters can be configured in strongswan.conf: +.P + sec-updater { + database = sqlite:///etc/pts/config.db + swid_gen { + command = /usr/local/bin/swid_generator + tag_creator { + name = strongSwan Project + regid = strongswan.org + } + } + tnc_manage_command = /var/www/tnc/manage.py + tmp { + deb_file = /tmp/sec-updater.deb + tag_file = /tmp/sec-updater.tag + } + } +. +.SH "SEE ALSO" +. +.BR strongswan.conf (5) + diff --git a/src/sec-updater/sec-updater.c b/src/sec-updater/sec-updater.c new file mode 100644 index 000000000..e1d2baea2 --- /dev/null +++ b/src/sec-updater/sec-updater.c @@ -0,0 +1,565 @@ +/* + * Copyright (C) 2012-2017 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE +#include <getopt.h> +#include <unistd.h> +#include <stdio.h> +#include <string.h> +#include <errno.h> +#include <syslog.h> +#include <time.h> +#include <sys/stat.h> +#include <stdlib.h> + +#include <library.h> +#include <utils/debug.h> + +#define EXIT_NO_UPDATES 80 +#define TMP_DEB_FILE "/tmp/sec-updater.deb" +#define TMP_TAG_FILE "/tmp/sec-updater.tag" +#define SWID_GEN_CMD "/usr/local/bin/swid_generator" +#define TNC_MANAGE_CMD "/var/www/tnc/manage.py" + +typedef enum sec_update_state_t sec_update_state_t; + +enum sec_update_state_t { + SEC_UPDATE_STATE_BEGIN_PACKAGE, + SEC_UPDATE_STATE_VERSION, + SEC_UPDATE_STATE_FILENAME, + SEC_UPDATE_STATE_END_PACKAGE +}; + +typedef struct stats_t stats_t; + +struct stats_t { + time_t release; + int product; + int packages; + int new_versions; + int updated_versions; +}; + +/** + * global debug output variables + */ +static int debug_level = 1; +static bool stderr_quiet = FALSE; + +/** + * sec_updater dbg function + */ +static void sec_updater_dbg(debug_t group, level_t level, char *fmt, ...) +{ + int priority = LOG_INFO; + char buffer[8192]; + char *current = buffer, *next; + va_list args; + + if (level <= debug_level) + { + if (!stderr_quiet) + { + va_start(args, fmt); + vfprintf(stderr, fmt, args); + fprintf(stderr, "\n"); + va_end(args); + } + + /* write in memory buffer first */ + va_start(args, fmt); + vsnprintf(buffer, sizeof(buffer), fmt, args); + va_end(args); + + /* do a syslog with every line */ + while (current) + { + next = strchr(current, '\n'); + if (next) + { + *(next++) = '\0'; + } + syslog(priority, "%s\n", current); + current = next; + } + } +} + +/** + * atexit handler to close everything on shutdown + */ +static void cleanup(void) +{ + closelog(); + library_deinit(); +} + +static void usage(void) +{ + printf("\ +Usage:\n\ + sec-updater --help\n\ + sec-updater [--debug <level>] [--quiet] [--security] --os <string>\n\ + --arch <string> --uri <uri> --file <filename>\n\n\ + Options:\n\ + --help print usage information\n\ + --debug <level> set debug level\n\ + --quiet suppress debug output to stderr\n\ + --os <string> operating system\n\ + --arch <string> hw architecture\n\ + --security set when parsing a file with security updates\n\ + --file <filename> package information file to parse\n\ + --uri <uri> uri where to download deb package from\n"); + } + +/** + * Update the package database + */ +static bool update_database(database_t *db, char *package, char *version, + bool security, stats_t *stats, bool *new) +{ + int pid = 0, vid = 0, sec_flag; + bool first = TRUE, found = FALSE; + char *release; + enumerator_t *e; + + /* increment package count */ + stats->packages++; + + /* set new output variable */ + *new = FALSE; + + /* check if package is already in database */ + e = db->query(db, "SELECT id FROM packages WHERE name = ?", + DB_TEXT, package, DB_INT); + if (!e) + { + return FALSE; + } + if (!e->enumerate(e, &pid)) + { + pid = 0; + } + e->destroy(e); + + if (!pid) + { + return TRUE; + } + + /* retrieve all package versions stored in database */ + e = db->query(db, + "SELECT id, release, security FROM versions " + "WHERE product = ? AND package = ?", + DB_INT, stats->product, DB_INT, pid, DB_INT, DB_TEXT, DB_INT); + if (!e) + { + return FALSE; + } + + while (e->enumerate(e, &vid, &release, &sec_flag)) + { + char command[BUF_LEN]; + char found_char = ' '; + bool update_version = FALSE; + + if (streq(version, release)) + { + found = TRUE; + found_char = '*'; + } + else if (security) + { + snprintf(command, BUF_LEN, "dpkg --compare-versions %s lt %s", + release, version); + if (system(command) == 0) + { + found_char = '!'; + if (!sec_flag) + { + if (db->execute(db, NULL, "UPDATE versions " + "SET security = 1 WHERE id = ?", DB_INT, vid) != 1) + { + DBG1(DBG_IMV, " could not update version"); + e->destroy(e); + return FALSE; + } + update_version = TRUE; + stats->updated_versions++; + } + } + } + if (debug_level < 2 && !update_version) + { + continue; + } + if (first) + { + DBG1(DBG_IMV, "%s", package); + first = FALSE; + } + DBG1(DBG_IMV, " %c%s %s", found_char , sec_flag ? "s" : " ", release); + } + e->destroy(e); + + if (!found) + { + if (first) + { + DBG1(DBG_IMV, "%s", package); + } + DBG1(DBG_IMV, " + %s", version); + + if (db->execute(db, &vid, + "INSERT INTO versions " + "(package, product, release, security, time) " + "VALUES (?, ?, ?, 0, ?)", DB_INT, pid, DB_INT, stats->product, + DB_TEXT, version, DB_INT, stats->release) != 1) + { + DBG1(DBG_IMV, " could not store version to database"); + return FALSE; + } + stats->new_versions++; + *new = TRUE; + } + + return TRUE; +} + +/** + * Process a package file and store updates in the database + */ +static int process_packages(char *path, char *os, char *arch, char *uri, + bool security) +{ + char line[BUF_LEN], product[BUF_LEN], command[BUF_LEN]; + char *db_uri, *download_uri = NULL, *swid_regid, *swid_entity; + char *pos, *package = NULL, *version = NULL, *filename = NULL; + char *swid_gen_cmd, *tnc_manage_cmd, *tmp_deb_file, *tmp_tag_file; + sec_update_state_t state; + enumerator_t *e; + database_t *db; + int len, pid; + chunk_t deb = chunk_empty; + FILE *file; + stats_t stats; + bool success = TRUE, new; + + /* initialize statistics */ + memset(&stats, 0x00, sizeof(stats_t)); + + /* Set release date to current time */ + stats.release = time(NULL); + + /* opening package file */ + file = fopen(path, "r"); + if (!file) + { + DBG1(DBG_IMV, " could not open \"%s\"", path); + exit(EXIT_FAILURE); + } + + /* connect package database */ + db_uri = lib->settings->get_str(lib->settings, "sec-updater.database", NULL); + if (!db_uri) + { + DBG1(DBG_IMV, "database URI sec-updater.database not set"); + fclose(file); + exit(EXIT_FAILURE); + } + db = lib->db->create(lib->db, db_uri); + if (!db) + { + DBG1(DBG_IMV, "could not connect to database '%s'", db_uri); + fclose(file); + exit(EXIT_FAILURE); + } + + /* form product name by concatenating os and arch strings */ + snprintf(product, BUF_LEN, "%s %s", os, arch); + + /* check if product is already in database */ + e = db->query(db, "SELECT id FROM products WHERE name = ?", + DB_TEXT, product, DB_INT); + if (e) + { + if (e->enumerate(e, &pid)) + { + stats.product = pid; + } + e->destroy(e); + } + if (!stats.product) + { + if (db->execute(db, &pid, "INSERT INTO products (name) VALUES (?)", + DB_TEXT, product) != 1) + { + DBG1(DBG_IMV, "could not store product '%s' to database", + product); + fclose(file); + db->destroy(db); + exit(EXIT_FAILURE); + } + stats.product = pid; + } + + /* get settings for the loop */ + swid_regid = lib->settings->get_str(lib->settings, + "sec-updater.swid_gen.tag_creator.regid", + "strongswan.org"); + swid_entity = lib->settings->get_str(lib->settings, + "sec-updater.swid_gen.tag_creator.name", + "strongSwan Project"); + swid_gen_cmd = lib->settings->get_str(lib->settings, + "sec-updater.swid_gen.command", SWID_GEN_CMD); + tnc_manage_cmd = lib->settings->get_str(lib->settings, + "sec-updater.tnc_manage_command", TNC_MANAGE_CMD); + tmp_deb_file = lib->settings->get_str(lib->settings, + "sec-updater.tmp.deb_file", TMP_DEB_FILE); + tmp_tag_file = lib->settings->get_str(lib->settings, + "sec-updater.tmp.tag_file", TMP_TAG_FILE); + + state = SEC_UPDATE_STATE_BEGIN_PACKAGE; + + while (fgets(line, sizeof(line), file)) + { + /* set read pointer to beginning of line */ + pos = line; + + switch (state) + { + case SEC_UPDATE_STATE_BEGIN_PACKAGE: + pos = strstr(pos, "Package: "); + if (!pos) + { + continue; + } + pos += 9; + package = pos; + pos = strchr(pos, '\n'); + if (pos) + { + package = strndup(package, pos - package); + state = SEC_UPDATE_STATE_VERSION; + } + break; + case SEC_UPDATE_STATE_VERSION: + pos = strstr(pos, "Version: "); + if (!pos) + { + continue; + } + pos += 9; + version = pos; + pos = strchr(pos, '\n'); + if (pos) + { + version = strndup(version, pos - version); + success = update_database(db, package, version, security, + &stats, &new); + state = (success && new) ? SEC_UPDATE_STATE_FILENAME : + SEC_UPDATE_STATE_END_PACKAGE; + } + break; + case SEC_UPDATE_STATE_FILENAME: + pos = strstr(pos, "Filename: "); + if (!pos) + { + continue; + } + state = SEC_UPDATE_STATE_END_PACKAGE; + + pos += 10; + filename = pos; + pos = strchr(pos, '\n'); + if (!pos) + { + break; + } + len = pos - filename; + if (asprintf(&download_uri, "%s/%.*s", uri, len, filename) == -1) + { + break; + } + + /* retrieve deb package file from linux repository */ + if (lib->fetcher->fetch(lib->fetcher, download_uri, + &deb, FETCH_END) != SUCCESS) + { + DBG1(DBG_IMV, " %s failed", download_uri); + break; + } + DBG1(DBG_IMV, " %s (%u bytes)", download_uri, deb.len); + + /* store deb package file to temporary location */ + if (!chunk_write(deb, tmp_deb_file, 0022, TRUE)) + { + DBG1(DBG_IMV, " save to '%s' failed", tmp_deb_file); + break; + } + + /* generate SWID tag for downloaded deb package */ + snprintf(command, BUF_LEN, "%s swid --full --package-file %s " + "--regid %s --entity-name '%s' --os '%s' --arch '%s' " + ">> %s", swid_gen_cmd, tmp_deb_file, swid_regid, + swid_entity, os, arch, tmp_tag_file); + if (system(command) != 0) + { + DBG1(DBG_IMV, " tag generation failed"); + break; + } + break; + case SEC_UPDATE_STATE_END_PACKAGE: + if (*pos != '\n') + { + continue; + } + free(package); + free(version); + free(download_uri); + chunk_free(&deb); + package = version = download_uri = NULL; + + if (!success) + { + fclose(file); + db->destroy(db); + exit(EXIT_FAILURE); + } + state = SEC_UPDATE_STATE_BEGIN_PACKAGE; + } + } + + free(package); + free(version); + free(download_uri); + fclose(file); + db->destroy(db); + + /* import swid tags into strongTNC */ + if (stats.new_versions > 0) + { + snprintf(command, BUF_LEN, "%s importswid %s", + tnc_manage_cmd, tmp_tag_file); + if (system(command) != 0) + { + DBG1(DBG_IMV, "tag import failed"); + } + snprintf(command, BUF_LEN, "rm %s %s", + tmp_deb_file, tmp_tag_file); + if (system(command) != 0) + { + DBG1(DBG_IMV, "removing temporary files failed"); + } + } + + DBG1(DBG_IMV, "processed \"%s\": %d packages, %d new versions, " + "%d updated versions", path, stats.packages, + stats.new_versions, stats.updated_versions); + + return (stats.new_versions + stats.updated_versions) ? + EXIT_SUCCESS : EXIT_NO_UPDATES; +} + +static int do_args(int argc, char *argv[]) +{ + char *filename = NULL, *arch = NULL, *os = NULL, *uri = NULL; + bool security = FALSE; + + /* reinit getopt state */ + optind = 0; + + while (TRUE) + { + int c; + + struct option long_opts[] = { + { "help", no_argument, NULL, 'h' }, + { "arch", required_argument, NULL, 'a' }, + { "debug", required_argument, NULL, 'd' }, + { "file", required_argument, NULL, 'f' }, + { "os", required_argument, NULL, 'o' }, + { "quiet", no_argument, NULL, 'q' }, + { "security", no_argument, NULL, 's' }, + { "uri", required_argument, NULL, 'u' }, + { 0,0,0,0 } + }; + + c = getopt_long(argc, argv, "ha:d:f:o:qsu:", long_opts, NULL); + switch (c) + { + case EOF: + break; + case 'h': + usage(); + exit(EXIT_SUCCESS); + case 'a': + arch = optarg; + continue; + case 'd': + debug_level = atoi(optarg); + continue; + case 'f': + filename = optarg; + continue; + case 'o': + os = optarg; + continue; + case 'q': + stderr_quiet = TRUE; + continue; + case 's': + security = TRUE; + continue; + case 'u': + uri = optarg; + continue; + } + break; + } + + if (filename && os && arch && uri) + { + return process_packages(filename, os, arch, uri, security); + } + else + { + usage(); + exit(EXIT_FAILURE); + } +} + +int main(int argc, char *argv[]) +{ + /* enable attest debugging hook */ + dbg = sec_updater_dbg; + openlog("sec-updater", 0, LOG_DEBUG); + + atexit(cleanup); + + /* initialize library */ + if (!library_init(NULL, "sec-updater")) + { + exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); + } + if (!lib->plugins->load(lib->plugins, + lib->settings->get_str(lib->settings, "sec-updater.load", + "sqlite curl"))) + { + exit(SS_RC_INITIALIZATION_FAILED); + } + exit(do_args(argc, argv)); +} + diff --git a/src/sec-updater/sec-updater.sh b/src/sec-updater/sec-updater.sh new file mode 100755 index 000000000..ca7b89841 --- /dev/null +++ b/src/sec-updater/sec-updater.sh @@ -0,0 +1,168 @@ +#!/bin/sh + +DIR="/etc/pts" +DISTS_DIR="$DIR/dists" +DATE=`date +%Y%m%d-%H%M` +UBUNTU="http://security.ubuntu.com/ubuntu" +UBUNTU_VERSIONS="xenial" +UBUNTU_DIRS="main multiverse restricted universe" +UBUNTU_ARCH="binary-amd64" +DEBIAN="http://security.debian.org" +DEBIAN_VERSIONS="jessie wheezy" +DEBIAN_DIRS="main contrib non-free" +DEBIAN_ARCH="binary-amd64 binary-armhf" +RASPIAN="http://archive.raspberrypi.org/debian" +RASPIAN_VERSIONS="jessie wheezy" +RASPIAN_DIRS="main" +RASPIAN_ARCH="binary-armhf" +CMD=/usr/sbin/sec-updater +CMD_LOG="$DIR/logs/$DATE-sec-update.log" +DEL_LOG=1 + +mkdir -p $DIR/dists +cd $DIR/dists + +# Download Ubuntu distribution information + +for v in $UBUNTU_VERSIONS +do + for a in $UBUNTU_ARCH + do + mkdir -p $v-security/$a $v-updates/$a + for d in $UBUNTU_DIRS + do + wget -nv $UBUNTU/dists/$v-security/$d/$a/Packages.xz -O $v-security/$a/Packages-$d.xz + unxz -f $v-security/$a/Packages-$d.xz + wget -nv $UBUNTU/dists/$v-updates/$d/$a/Packages.xz -O $v-updates/$a/Packages-$d.xz + unxz -f $v-updates/$a/Packages-$d.xz + done + done +done + +# Download Debian distribution information + +for v in $DEBIAN_VERSIONS +do + for a in $DEBIAN_ARCH + do + mkdir -p $v-updates/$a + for d in $DEBIAN_DIRS + do + wget -nv $DEBIAN/dists/$v/updates/$d/$a/Packages.bz2 -O $v-updates/$a/Packages-$d.bz2 + bunzip2 -f $v-updates/$a/Packages-$d.bz2 + done + done +done + +# Download Raspian distribution information + +for v in $RASPIAN_VERSIONS +do + for a in $RASPIAN_ARCH + do + mkdir -p $v-raspian/$a + for d in $RASPIAN_DIRS + do + wget -nv $RASPIAN/dists/$v/$d/$a/Packages.gz -O $v-raspian/$a/Packages-$d.gz + gunzip -f $v-raspian/$a/Packages-$d.gz + done + done +done + +# Run sec-updater in distribution information + +for f in xenial-security/binary-amd64/* +do + echo "security: $f" + $CMD --os "Ubuntu 16.04" --arch "x86_64" --file $f --security \ + --uri $UBUNTU >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + +for f in xenial-updates/binary-amd64/* +do + echo "updates: $f" + $CMD --os "Ubuntu 16.04" --arch "x86_64" --file $f \ + --uri $UBUNTU >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + +for f in jessie-updates/binary-amd64/* +do + echo "security: $f" + $CMD --os "Debian 8.0" --arch "x86_64" --file $f --security \ + --uri $DEBIAN >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + +for f in wheezy-updates/binary-amd64/* +do + echo "security: $f" + $CMD --os "Debian 7.0" --arch "x86_64" --file $f --security \ + --uri $DEBIAN >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + +for f in jessie-updates/binary-armhf/* +do + echo "security: $f" + $CMD --os "Debian 8.0" --arch "armhf" --file $f --security \ + --uri $DEBIAN >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + +for f in wheezy-updates/binary-armhf/* +do + echo "security: $f" + $CMD --os "Debian 7.0" --arch "armhf" --file $f --security \ + --uri $DEBIAN >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + +for f in jessie-raspian/binary-armhf/* +do + echo "security: $f" + $CMD --os "Debian 8.0" --arch "armv7l" --file $f --security \ + --uri $RASPIAN >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + +for f in wheezy-raspian/binary-armhf/* +do + echo "security: $f" + $CMD --os "Debian 7.11" --arch "armv7l" --file $f --security \ + --uri $RASPIAN >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + +# Delete log file if no security updates were found + +if [ $DEL_LOG -eq 1 ] +then + rm $CMD_LOG + echo "no security updates found" +fi diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index a3c58126e..457c0650e 100644 --- a/src/starter/Makefile.am +++ b/src/starter/Makefile.am @@ -39,15 +39,21 @@ starter_LDADD = \ libstarter.la \ $(SOCKLIB) $(PTHREADLIB) $(ATOMICLIB) -EXTRA_DIST = keywords.txt ipsec.conf ipsec.secrets Android.mk -MAINTAINERCLEANFILES = keywords.c -BUILT_SOURCES = keywords.c parser/parser.h +EXTRA_DIST = keywords.h.in keywords.txt ipsec.conf ipsec.secrets Android.mk +MAINTAINERCLEANFILES = keywords.h keywords.c +BUILT_SOURCES = keywords.h keywords.c parser/parser.h if USE_LOAD_WARNING AM_CPPFLAGS += -DLOAD_WARNING endif -keywords.c: $(srcdir)/keywords.txt $(srcdir)/keywords.h +keywords.h: $(srcdir)/keywords.h.in + $(AM_V_GEN) \ + sed \ + -e "s:\@GPERF_LEN_TYPE\@:$(GPERF_LEN_TYPE):" \ + $< > $@ + +keywords.c: $(srcdir)/keywords.txt keywords.h $(AM_V_GEN) \ $(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@ diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index 2fa22ae97..80fd2c68d 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -289,9 +289,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -524,9 +526,9 @@ starter_LDADD = \ libstarter.la \ $(SOCKLIB) $(PTHREADLIB) $(ATOMICLIB) -EXTRA_DIST = keywords.txt ipsec.conf ipsec.secrets Android.mk -MAINTAINERCLEANFILES = keywords.c -BUILT_SOURCES = keywords.c parser/parser.h +EXTRA_DIST = keywords.h.in keywords.txt ipsec.conf ipsec.secrets Android.mk +MAINTAINERCLEANFILES = keywords.h keywords.c +BUILT_SOURCES = keywords.h keywords.c parser/parser.h all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -995,7 +997,13 @@ uninstall-am: uninstall-ipsecPROGRAMS .PRECIOUS: Makefile -keywords.c: $(srcdir)/keywords.txt $(srcdir)/keywords.h +keywords.h: $(srcdir)/keywords.h.in + $(AM_V_GEN) \ + sed \ + -e "s:\@GPERF_LEN_TYPE\@:$(GPERF_LEN_TYPE):" \ + $< > $@ + +keywords.c: $(srcdir)/keywords.txt keywords.h $(AM_V_GEN) \ $(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@ diff --git a/src/starter/confread.c b/src/starter/confread.c index f98fc8936..f154f8951 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -40,17 +40,9 @@ #define SA_REPLACEMENT_RETRIES_DEFAULT 3 #define SA_REPLAY_WINDOW_DEFAULT -1 /* use charon.replay_window */ -static const char ike_defaults[] = "aes128-sha256-curve25519"; -static const char esp_defaults[] = "aes128-sha256"; - static const char firewall_defaults[] = IPSEC_SCRIPT " _updown iptables"; /** - * Provided by GPERF - */ -extern kw_entry_t *in_word_set (char *str, unsigned int len); - -/** * Process deprecated keywords */ static bool is_deprecated(kw_token_t token, char *name, char *conn) @@ -95,7 +87,7 @@ static void load_setup(starter_config_t *cfg, conf_parser_t *parser) { enumerator_t *enumerator; dictionary_t *dict; - kw_entry_t *entry; + const kw_entry_t *entry; char *key, *value; DBG2(DBG_APP, "Loading config setup"); @@ -146,7 +138,7 @@ static void load_ca(starter_ca_t *ca, starter_config_t *cfg, { enumerator_t *enumerator; dictionary_t *dict; - kw_entry_t *entry; + const kw_entry_t *entry; kw_token_t token; char *key, *value; @@ -211,7 +203,6 @@ static void conn_defaults(starter_conn_t *conn) conn->mode = MODE_TUNNEL; conn->options = SA_OPTION_MOBIKE; - conn->ike = strdupnull(ike_defaults); /* esp defaults are set after parsing the conn section */ conn->sa_ike_life_seconds = IKE_LIFETIME_DEFAULT; conn->sa_ipsec_life_seconds = IPSEC_LIFETIME_DEFAULT; @@ -559,7 +550,7 @@ static void load_conn(starter_conn_t *conn, starter_config_t *cfg, { enumerator_t *enumerator; dictionary_t *dict; - kw_entry_t *entry; + const kw_entry_t *entry; kw_token_t token; char *key, *value; @@ -627,11 +618,6 @@ static void load_conn(starter_conn_t *conn, starter_config_t *cfg, handle_firewall("left", &conn->left, cfg); handle_firewall("right", &conn->right, cfg); - - if (!conn->esp && !conn->ah) - { - conn->esp = strdupnull(esp_defaults); - } } /* diff --git a/src/starter/keywords.c b/src/starter/keywords.c index 505b66010..0e2d0fb4b 100644 --- a/src/starter/keywords.c +++ b/src/starter/keywords.c @@ -47,6 +47,7 @@ error "gperf generated tables don't work with this execution character set. Plea #include <string.h> +#define IN_GPERF_GENERATED_FILE #include "keywords.h" struct kw_entry { diff --git a/src/starter/keywords.h b/src/starter/keywords.h index 0cb46a740..27d16b0b8 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h @@ -196,4 +196,8 @@ struct kw_entry_t { kw_token_t token; }; +#ifndef IN_GPERF_GENERATED_FILE +const kw_entry_t *in_word_set(register const char*, register unsigned); +#endif + #endif /* _KEYWORDS_H_ */ diff --git a/src/starter/keywords.h.in b/src/starter/keywords.h.in new file mode 100644 index 000000000..d2b08f2cf --- /dev/null +++ b/src/starter/keywords.h.in @@ -0,0 +1,203 @@ +/* + * Copyright (C) 2005 Andreas Steffen + * Hochschule fuer Technik Rapperswil, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef _KEYWORDS_H_ +#define _KEYWORDS_H_ + +typedef enum kw_token_t kw_token_t; +typedef struct kw_entry_t kw_entry_t; + +enum kw_token_t { + /* config setup keywords */ + KW_CHARONDEBUG, + KW_UNIQUEIDS, + KW_CACHECRLS, + KW_STRICTCRLPOLICY, + KW_PKCS11_DEPRECATED, + KW_SETUP_DEPRECATED, + +#define KW_SETUP_FIRST KW_CHARONDEBUG +#define KW_SETUP_LAST KW_SETUP_DEPRECATED + + /* conn section keywords */ + KW_CONN_NAME, + KW_CONN_SETUP, + KW_KEYEXCHANGE, + KW_TYPE, + KW_COMPRESS, + KW_INSTALLPOLICY, + KW_AGGRESSIVE, + KW_AUTHBY, + KW_EAP_IDENTITY, + KW_AAA_IDENTITY, + KW_MOBIKE, + KW_FORCEENCAPS, + KW_FRAGMENTATION, + KW_IKEDSCP, + KW_IKELIFETIME, + KW_KEYLIFE, + KW_REKEYMARGIN, + KW_LIFEBYTES, + KW_MARGINBYTES, + KW_LIFEPACKETS, + KW_MARGINPACKETS, + KW_KEYINGTRIES, + KW_REKEYFUZZ, + KW_REKEY, + KW_REAUTH, + KW_IKE, + KW_ESP, + KW_AH, + KW_DPDDELAY, + KW_DPDTIMEOUT, + KW_DPDACTION, + KW_CLOSEACTION, + KW_SHA256_96, + KW_INACTIVITY, + KW_MODECONFIG, + KW_XAUTH, + KW_XAUTH_IDENTITY, + KW_MEDIATION, + KW_MEDIATED_BY, + KW_ME_PEERID, + KW_REQID, + KW_REPLAY_WINDOW, + KW_MARK, + KW_MARK_IN, + KW_MARK_OUT, + KW_TFC, + KW_PFS_DEPRECATED, + KW_CONN_DEPRECATED, + +#define KW_CONN_FIRST KW_CONN_SETUP +#define KW_CONN_LAST KW_CONN_DEPRECATED + + /* ca section keywords */ + KW_CA_NAME, + KW_CA_SETUP, + KW_CACERT, + KW_CRLURI, + KW_CRLURI2, + KW_OCSPURI, + KW_OCSPURI2, + KW_CERTURIBASE, + KW_CA_DEPRECATED, + +#define KW_CA_FIRST KW_CA_SETUP +#define KW_CA_LAST KW_CA_DEPRECATED + + /* end keywords */ + KW_HOST, + KW_IKEPORT, + KW_SUBNET, + KW_PROTOPORT, + KW_SOURCEIP, + KW_DNS, + KW_FIREWALL, + KW_HOSTACCESS, + KW_ALLOWANY, + KW_UPDOWN, + KW_AUTH1, + KW_AUTH2, + KW_ID, + KW_ID2, + KW_SIGKEY, + KW_CERT, + KW_CERT2, + KW_CERTPOLICY, + KW_SENDCERT, + KW_CA, + KW_CA2, + KW_GROUPS, + KW_GROUPS2, + KW_END_DEPRECATED, + +#define KW_END_FIRST KW_HOST +#define KW_END_LAST KW_END_DEPRECATED + + /* left end keywords */ + KW_LEFT, + KW_LEFTIKEPORT, + KW_LEFTSUBNET, + KW_LEFTPROTOPORT, + KW_LEFTSOURCEIP, + KW_LEFTDNS, + KW_LEFTFIREWALL, + KW_LEFTHOSTACCESS, + KW_LEFTALLOWANY, + KW_LEFTUPDOWN, + KW_LEFTAUTH, + KW_LEFTAUTH2, + KW_LEFTID, + KW_LEFTID2, + KW_LEFTSIGKEY, + KW_LEFTCERT, + KW_LEFTCERT2, + KW_LEFTCERTPOLICY, + KW_LEFTSENDCERT, + KW_LEFTCA, + KW_LEFTCA2, + KW_LEFTGROUPS, + KW_LEFTGROUPS2, + KW_LEFT_DEPRECATED, + +#define KW_LEFT_FIRST KW_LEFT +#define KW_LEFT_LAST KW_LEFT_DEPRECATED + + /* right end keywords */ + KW_RIGHT, + KW_RIGHTIKEPORT, + KW_RIGHTSUBNET, + KW_RIGHTPROTOPORT, + KW_RIGHTSOURCEIP, + KW_RIGHTDNS, + KW_RIGHTFIREWALL, + KW_RIGHTHOSTACCESS, + KW_RIGHTALLOWANY, + KW_RIGHTUPDOWN, + KW_RIGHTAUTH, + KW_RIGHTAUTH2, + KW_RIGHTID, + KW_RIGHTID2, + KW_RIGHTSIGKEY, + KW_RIGHTCERT, + KW_RIGHTCERT2, + KW_RIGHTCERTPOLICY, + KW_RIGHTSENDCERT, + KW_RIGHTCA, + KW_RIGHTCA2, + KW_RIGHTGROUPS, + KW_RIGHTGROUPS2, + KW_RIGHT_DEPRECATED, + +#define KW_RIGHT_FIRST KW_RIGHT +#define KW_RIGHT_LAST KW_RIGHT_DEPRECATED + + /* general section keywords */ + KW_ALSO, + KW_AUTO, + +}; + +struct kw_entry_t { + char *name; + kw_token_t token; +}; + +#ifndef IN_GPERF_GENERATED_FILE +const kw_entry_t *in_word_set(register const char*, register @GPERF_LEN_TYPE@); +#endif + +#endif /* _KEYWORDS_H_ */ diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt index 3f92dc83f..dd673bc7a 100644 --- a/src/starter/keywords.txt +++ b/src/starter/keywords.txt @@ -16,6 +16,7 @@ #include <string.h> +#define IN_GPERF_GENERATED_FILE #include "keywords.h" %} diff --git a/src/starter/tests/Makefile.in b/src/starter/tests/Makefile.in index fc5b86397..ce0c7b43c 100644 --- a/src/starter/tests/Makefile.in +++ b/src/starter/tests/Makefile.in @@ -241,9 +241,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/stroke/Makefile.am b/src/stroke/Makefile.am index ed170bd08..5c04b5ae7 100644 --- a/src/stroke/Makefile.am +++ b/src/stroke/Makefile.am @@ -4,13 +4,19 @@ stroke_SOURCES = \ stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h stroke_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) -EXTRA_DIST = stroke_keywords.txt Android.mk -BUILT_SOURCES = stroke_keywords.c -MAINTAINERCLEANFILES = stroke_keywords.c +EXTRA_DIST = stroke_keywords.h.in stroke_keywords.txt Android.mk +BUILT_SOURCES = stroke_keywords.h stroke_keywords.c +MAINTAINERCLEANFILES = stroke_keywords.h stroke_keywords.c AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -DIPSEC_PIDDIR=\"${piddir}\" -stroke_keywords.c: $(srcdir)/stroke_keywords.txt $(srcdir)/stroke_keywords.h +stroke_keywords.h: $(srcdir)/stroke_keywords.h.in + $(AM_V_GEN) \ + sed \ + -e "s:\@GPERF_LEN_TYPE\@:$(GPERF_LEN_TYPE):" \ + $< > $@ + +stroke_keywords.c: $(srcdir)/stroke_keywords.txt stroke_keywords.h $(AM_V_GEN) \ $(GPERF) -m 10 -D -C -G -t < $(srcdir)/stroke_keywords.txt > $@ diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in index 9d17733ba..be31bc581 100644 --- a/src/stroke/Makefile.in +++ b/src/stroke/Makefile.in @@ -215,9 +215,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -422,9 +424,9 @@ stroke_SOURCES = \ stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h stroke_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) -EXTRA_DIST = stroke_keywords.txt Android.mk -BUILT_SOURCES = stroke_keywords.c -MAINTAINERCLEANFILES = stroke_keywords.c +EXTRA_DIST = stroke_keywords.h.in stroke_keywords.txt Android.mk +BUILT_SOURCES = stroke_keywords.h stroke_keywords.c +MAINTAINERCLEANFILES = stroke_keywords.h stroke_keywords.c AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -DIPSEC_PIDDIR=\"${piddir}\" @@ -769,7 +771,13 @@ uninstall-am: uninstall-ipsecPROGRAMS .PRECIOUS: Makefile -stroke_keywords.c: $(srcdir)/stroke_keywords.txt $(srcdir)/stroke_keywords.h +stroke_keywords.h: $(srcdir)/stroke_keywords.h.in + $(AM_V_GEN) \ + sed \ + -e "s:\@GPERF_LEN_TYPE\@:$(GPERF_LEN_TYPE):" \ + $< > $@ + +stroke_keywords.c: $(srcdir)/stroke_keywords.txt stroke_keywords.h $(AM_V_GEN) \ $(GPERF) -m 10 -D -C -G -t < $(srcdir)/stroke_keywords.txt > $@ diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h index 4a1016277..00b992769 100644 --- a/src/stroke/stroke_keywords.h +++ b/src/stroke/stroke_keywords.h @@ -73,6 +73,7 @@ typedef enum { typedef struct stroke_token stroke_token_t; -extern const stroke_token_t* in_word_set(register const char *str, register unsigned int len); +extern const stroke_token_t* in_word_set(register const char *str, + register unsigned len); #endif /* _STROKE_KEYWORDS_H_ */ diff --git a/src/stroke/stroke_keywords.h.in b/src/stroke/stroke_keywords.h.in new file mode 100644 index 000000000..2b5780adc --- /dev/null +++ b/src/stroke/stroke_keywords.h.in @@ -0,0 +1,79 @@ +/* stroke keywords + * Copyright (C) 2006 Andreas Steffen + * Hochschule fuer Technik Rapperswil, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef _STROKE_KEYWORDS_H_ +#define _STROKE_KEYWORDS_H_ + +typedef enum { + STROKE_ADD, + STROKE_DEL, + STROKE_DELETE, + STROKE_ROUTE, + STROKE_UNROUTE, + STROKE_UP, + STROKE_UP_NOBLK, + STROKE_DOWN, + STROKE_DOWN_NOBLK, + STROKE_DOWN_SRCIP, + STROKE_REKEY, + STROKE_LOGLEVEL, + STROKE_STATUS, + STROKE_STATUSALL, + STROKE_STATUSALL_NOBLK, + STROKE_LIST_PUBKEYS, + STROKE_LIST_CERTS, + STROKE_LIST_CACERTS, + STROKE_LIST_OCSPCERTS, + STROKE_LIST_AACERTS, + STROKE_LIST_ACERTS, + STROKE_LIST_GROUPS, + STROKE_LIST_CAINFOS, + STROKE_LIST_CRLS, + STROKE_LIST_OCSP, + STROKE_LIST_ALGS, + STROKE_LIST_PLUGINS, + STROKE_LIST_ALL, + STROKE_REREAD_SECRETS, + STROKE_REREAD_CACERTS, + STROKE_REREAD_OCSPCERTS, + STROKE_REREAD_AACERTS, + STROKE_REREAD_ACERTS, + STROKE_REREAD_CRLS, + STROKE_REREAD_ALL, + STROKE_PURGE_OCSP, + STROKE_PURGE_CRLS, + STROKE_PURGE_CERTS, + STROKE_PURGE_IKE, + STROKE_EXPORT_X509, + STROKE_EXPORT_CONN_CERT, + STROKE_EXPORT_CONN_CHAIN, + STROKE_LEASES, + STROKE_MEMUSAGE, + STROKE_USER_CREDS, + STROKE_COUNTERS, + STROKE_COUNTERS_RESET, +} stroke_keyword_t; + +#define STROKE_LIST_FIRST STROKE_LIST_PUBKEYS +#define STROKE_REREAD_FIRST STROKE_REREAD_SECRETS +#define STROKE_PURGE_FIRST STROKE_PURGE_OCSP +#define STROKE_EXPORT_FIRST STROKE_EXPORT_X509 + +typedef struct stroke_token stroke_token_t; + +extern const stroke_token_t* in_word_set(register const char *str, + register @GPERF_LEN_TYPE@ len); + +#endif /* _STROKE_KEYWORDS_H_ */ diff --git a/src/sw-collector/Makefile.in b/src/sw-collector/Makefile.in index 73016ad72..28169508a 100644 --- a/src/sw-collector/Makefile.in +++ b/src/sw-collector/Makefile.in @@ -252,9 +252,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/sw-collector/sw-collector.8.in b/src/sw-collector/sw-collector.8.in index 8560ba095..b9041c77b 100644 --- a/src/sw-collector/sw-collector.8.in +++ b/src/sw-collector/sw-collector.8.in @@ -1,4 +1,4 @@ -.TH SW-COLLECTOR 1 "2017-07-15" "@PACKAGE_VERSION@" "strongSwan" +.TH SW-COLLECTOR 8 "2017-08-25" "@PACKAGE_VERSION@" "strongSwan" . .SH "NAME" . @@ -56,34 +56,34 @@ Prints usage information and a short summary of the available commands. .BI "\-v, \-\-debug " level Set debug level, default: 2. .TP -.B "\-q, \-\-quiet +.B "\-q, \-\-quiet" Disable debug output to stderr. .TP -.B "\-i, \-\-installed +.B "\-i, \-\-installed" Apply command to installed software packages, only. .TP -.B "\-r, \-\-removed +.B "\-r, \-\-removed" Apply command to removed software packages, only. .TP -.B "\-f, \-\-full +.B "\-f, \-\-full" Generate ISO 19770-2:2015 SWID tags with full file information (possible for installed software packages, only). .TP -.B "\-l, \-\-list +.B "\-l, \-\-list" Lists all software packages stored in the collector database showing their installation status. .TP -.B "\-u, \-\-unregistered +.B "\-u, \-\-unregistered" Lists all software packages residing in the local collector database but for which no SWID tags exist yet in a central collector database reachable via a REST interface. .TP -.B "\-g, \-\-generate +.B "\-g, \-\-generate" Generates ISO 19770-2:2015 SWID tags for all software packages residing in the local collector database but for which no SWID tags exist in a central collector database reachable via a REST interface. .TP -.B "\-m, \-\-migrate +.B "\-m, \-\-migrate" Can be used to migrate collector database versions. Currently all architecture suffixes are removed from dpkg package names. . diff --git a/src/sw-collector/sw-collector.c b/src/sw-collector/sw-collector.c index e673dd657..a42f1068a 100644 --- a/src/sw-collector/sw-collector.c +++ b/src/sw-collector/sw-collector.c @@ -249,6 +249,7 @@ static int extract_history(sw_collector_db_t *db) history = sw_collector_history_create(db, 1); if (!history) { + chunk_unmap(h); return EXIT_FAILURE; } diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am index 19815c51a..3a432c454 100644 --- a/src/swanctl/Makefile.am +++ b/src/swanctl/Makefile.am @@ -2,6 +2,7 @@ sbin_PROGRAMS = swanctl swanctl_SOURCES = \ command.c command.h \ + commands/counters.c \ commands/initiate.c \ commands/terminate.c \ commands/rekey.c \ diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in index 6da739b88..ea7130bbb 100644 --- a/src/swanctl/Makefile.in +++ b/src/swanctl/Makefile.in @@ -112,10 +112,11 @@ am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man5dir)" \ "$(DESTDIR)$(man8dir)" PROGRAMS = $(sbin_PROGRAMS) am__dirstamp = $(am__leading_dot)dirstamp -am_swanctl_OBJECTS = command.$(OBJEXT) commands/initiate.$(OBJEXT) \ - commands/terminate.$(OBJEXT) commands/rekey.$(OBJEXT) \ - commands/redirect.$(OBJEXT) commands/install.$(OBJEXT) \ - commands/list_sas.$(OBJEXT) commands/list_pols.$(OBJEXT) \ +am_swanctl_OBJECTS = command.$(OBJEXT) commands/counters.$(OBJEXT) \ + commands/initiate.$(OBJEXT) commands/terminate.$(OBJEXT) \ + commands/rekey.$(OBJEXT) commands/redirect.$(OBJEXT) \ + commands/install.$(OBJEXT) commands/list_sas.$(OBJEXT) \ + commands/list_pols.$(OBJEXT) \ commands/list_authorities.$(OBJEXT) \ commands/list_conns.$(OBJEXT) commands/list_certs.$(OBJEXT) \ commands/list_pools.$(OBJEXT) commands/list_algs.$(OBJEXT) \ @@ -264,9 +265,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -469,6 +472,7 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ swanctl_SOURCES = \ command.c command.h \ + commands/counters.c \ commands/initiate.c \ commands/terminate.c \ commands/rekey.c \ @@ -606,6 +610,8 @@ commands/$(am__dirstamp): commands/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) commands/$(DEPDIR) @: > commands/$(DEPDIR)/$(am__dirstamp) +commands/counters.$(OBJEXT): commands/$(am__dirstamp) \ + commands/$(DEPDIR)/$(am__dirstamp) commands/initiate.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/terminate.$(OBJEXT): commands/$(am__dirstamp) \ @@ -664,6 +670,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/command.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/swanctl.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/counters.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/flush_certs.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/initiate.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/install.Po@am__quote@ diff --git a/src/swanctl/command.c b/src/swanctl/command.c index 7f65d2b0e..225dff617 100644 --- a/src/swanctl/command.c +++ b/src/swanctl/command.c @@ -147,6 +147,15 @@ void command_register(command_t command) "MAX_COMMANDS\n"); return; } + for (i = 0; i < MAX_COMMANDS && cmds[i].cmd; i++) + { + if (cmds[i].op == command.op) + { + fprintf(stderr, "unable to register command --%s, short option " + "conflicts with --%s\n", command.cmd, cmds[i].cmd); + return; + } + } cmds[registered] = command; /* append default options, but not to --help */ diff --git a/src/swanctl/command.h b/src/swanctl/command.h index c17811498..0d93ae45c 100644 --- a/src/swanctl/command.h +++ b/src/swanctl/command.h @@ -27,7 +27,7 @@ /** * Maximum number of commands (+1). */ -#define MAX_COMMANDS 25 +#define MAX_COMMANDS 26 /** * Maximum number of options in a command (+3) diff --git a/src/swanctl/commands/counters.c b/src/swanctl/commands/counters.c new file mode 100644 index 000000000..ab386b5d8 --- /dev/null +++ b/src/swanctl/commands/counters.c @@ -0,0 +1,154 @@ +/* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE +#include <stdio.h> +#include <errno.h> + +#include "command.h" + +CALLBACK(counters_kv, int, + void *null, vici_res_t *res, char *name, void *value, int len) +{ + if (chunk_printable(chunk_create(value, len), NULL, ' ')) + { + printf(" %-22s: %.*s\n", name, len, value); + } + return 0; +} + +CALLBACK(conns_sn, int, + void *null, vici_res_t *res, char *name) +{ + printf("%s:\n", strlen(name) ? name : "global"); + return vici_parse_cb(res, NULL, counters_kv, NULL, NULL); +} + +CALLBACK(counters_sn, int, + void *null, vici_res_t *res, char *name) +{ + return vici_parse_cb(res, conns_sn, NULL, NULL, NULL); +} + +static int counters(vici_conn_t *conn) +{ + vici_req_t *req; + vici_res_t *res; + command_format_options_t format = COMMAND_FORMAT_NONE; + char *arg, *name = NULL; + int ret; + bool all = FALSE, reset = FALSE; + + while (TRUE) + { + switch (command_getopt(&arg)) + { + case 'h': + return command_usage(NULL); + case 'P': + format |= COMMAND_FORMAT_PRETTY; + /* fall through to raw */ + case 'r': + format |= COMMAND_FORMAT_RAW; + continue; + case 'n': + name = arg; + continue; + case 'a': + all = TRUE; + continue; + case 'R': + reset = TRUE; + continue; + case EOF: + break; + default: + return command_usage("invalid --counters option"); + } + break; + } + if (reset) + { + req = vici_begin("reset-counters"); + } + else + { + req = vici_begin("get-counters"); + } + if (all) + { + vici_add_key_valuef(req, "all", "yes"); + } + else if (name) + { + vici_add_key_valuef(req, "name", "%s", name); + } + + res = vici_submit(req, conn); + if (!res) + { + ret = errno; + fprintf(stderr, "%s-counters request failed: %s\n", + reset ? "reset" : "get", strerror(errno)); + return ret; + } + if (format & COMMAND_FORMAT_RAW) + { + vici_dump(res, "counters reply", format & COMMAND_FORMAT_PRETTY, + stdout); + } + else + { + if (streq(vici_find_str(res, "no", "success"), "yes")) + { + if (reset) + { + printf("reset-counters completed successfully\n"); + } + else if (vici_parse_cb(res, counters_sn, NULL, NULL, NULL) != 0) + { + fprintf(stderr, "parsing get-counters reply failed: %s\n", + strerror(errno)); + } + } + else + { + fprintf(stderr, "%s-counters failed: %s\n", reset ? "reset" : "get", + vici_find_str(res, "", "errmsg")); + ret = 1; + } + } + vici_free_res(res); + return 0; +} + +/** + * Register the command. + */ +static void __attribute__ ((constructor))reg() +{ + command_register((command_t) { + counters, 'C', "counters", "list or reset IKE event counters", + {"[--name <name>|--all] [--reset] [--raw|--pretty]"}, + { + {"help", 'h', 0, "show usage information"}, + {"name", 'n', 1, "connection name, omit for global counters"}, + {"all", 'a', 0, "get/reset counters for all tracked connections"}, + {"reset", 'R', 0, "reset the counters"}, + {"raw", 'r', 0, "dump raw response message"}, + {"pretty", 'P', 0, "dump raw response message in pretty print"}, + } + }); +} diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf index 1ff5ee8fb..9b87a963a 100644 --- a/src/swanctl/swanctl.conf +++ b/src/swanctl/swanctl.conf @@ -305,6 +305,9 @@ # Netfilter mark and mask for input traffic. # mark_in = 0/0x00000000 + # Whether to set *mark_in* on the inbound SA. + # mark_in_sa = no + # Netfilter mark and mask for output traffic. # mark_out = 0/0x00000000 diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main index d1aced493..6c73d4775 100644 --- a/src/swanctl/swanctl.conf.5.main +++ b/src/swanctl/swanctl.conf.5.main @@ -252,11 +252,9 @@ to enforce the uniqueness policy instead. On initiators this setting specifies whether an INITIAL_CONTACT notify is sent during IKE_AUTH if no existing connection is found with the remote peer -(determined by the identities of the first authentication round). Only if set to -.RI "" "keep" "" -or -.RI "" "replace" "" -will the client send a notify. +(determined by the identities of the first authentication round). Unless set to +.RI "" "never" "" +the client will send a notify. .TP .BR connections.<conn>.reauth_time " [0s]" @@ -485,6 +483,20 @@ configured any signature scheme constraint (without prefix) will also apply to IKEv2 authentication, unless this is disabled in .RB "" "strongswan.conf" "(5)." +To use RSASSA\-PSS signatures use +.RI "" "rsa/pss" "" +instead of +.RI "" "pubkey" "" +or +.RI "" "rsa" "" +as in e.g. +.RI "" "ike:rsa/pss\-sha256" "." +If +.RI "" "pubkey" "" +or +.RI "" "rsa" "" +constraints are configured RSASSA\-PSS signatures will only be used if enabled in +.RB "" "strongswan.conf" "(5)." .TP @@ -726,7 +738,24 @@ section's .RB "" "auth" "" keyword for details), such key types and hash algorithms are also applied as constraints -against IKEv2 signature authentication schemes used by the remote side. +against IKEv2 signature authentication schemes used by the remote side. To +require RSASSA\-PSS signatures use +.RI "" "rsa/pss" "" +instead of +.RI "" "pubkey" "" +or +.RI "" "rsa" "" +as in +e.g. +.RI "" "rsa/pss\-sha256" "." +If +.RI "" "pubkey" "" +or +.RI "" "rsa" "" +constraints are configured +RSASSA\-PSS signatures will only be accepted if enabled in +.RB "" "strongswan.conf" "(5)." + To specify trust chain constraints for EAP\-(T)TLS, append a colon to the EAP method, followed by the key type/size and hash algorithm as discussed above @@ -1053,9 +1082,11 @@ Optional interface name to restrict IPsec policies. .TP .BR connections.<conn>.children.<child>.mark_in " [0/0x00000000]" -Netfilter mark and mask for input traffic. On Linux Netfilter may require marks -on each packet to match an SA having that option set. This allows Netfilter -rules to select specific tunnels for incoming traffic. The special value +Netfilter mark and mask for input traffic. On Linux, Netfilter may require marks +on each packet to match an SA/policy having that option set. This allows +installing duplicate policies and enables Netfilter rules to select specific +SAs/policies for incoming traffic. Note that inbound marks are only set on +policies, by default, unless *mark_in_sa* is enabled. The special value .RI "" "%unique" "" sets a unique mark on each CHILD_SA instance, beyond that the value .RI "" "%unique\-dir" "" @@ -1068,15 +1099,26 @@ The default mask if omitted is 0xffffffff. .TP +.BR connections.<conn>.children.<child>.mark_in_sa " [no]" +Whether to set *mark_in* on the inbound SA. By default, the inbound mark is only +set on the inbound policy. The tuple destination address, protocol and SPI is +unique and the mark is not required to find the correct SA, allowing to mark +traffic after decryption instead (where more specific selectors may be used) to +match different policies. Marking packets before decryption is still possible, +even if no mark is set on the SA. + +.TP .BR connections.<conn>.children.<child>.mark_out " [0/0x00000000]" -Netfilter mark and mask for output traffic. On Linux Netfilter may require marks -on each packet to match a policy having that option set. This allows Netfilter -rules to select specific tunnels for outgoing traffic. The special value +Netfilter mark and mask for output traffic. On Linux, Netfilter may require +marks on each packet to match a policy/SA having that option set. This allows +installing duplicate policies and enables Netfilter rules to select specific +policies/SAs for outgoing traffic. The special value .RI "" "%unique" "" -sets a unique mark on each CHILD_SA instance, beyond that the value +sets a unique +mark on each CHILD_SA instance, beyond that the value .RI "" "%unique\-dir" "" -assigns a different unique mark for each CHILD_SA direction -(in/out). +assigns a +different unique mark for each CHILD_SA direction (in/out). An additional mask may be appended to the mark, separated by .RI "" "/" "." diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index d0a0d21dd..2dd9ea374 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -216,7 +216,7 @@ connections.<conn>.unique = no On initiators this setting specifies whether an INITIAL_CONTACT notify is sent during IKE_AUTH if no existing connection is found with the remote peer (determined by the identities of the first authentication round). - Only if set to _keep_ or _replace_ will the client send a notify. + Unless set to _never_ the client will send a notify. connections.<conn>.reauth_time = 0s Time to schedule IKE reauthentication. @@ -395,7 +395,11 @@ connections.<conn>.local<suffix>.auth = pubkey algorithm that matches or exceeds the strength of the signature key. If no constraints with _ike:_ prefix are configured any signature scheme constraint (without _ike:_ prefix) will also apply to IKEv2 authentication, - unless this is disabled in **strongswan.conf**(5). + unless this is disabled in **strongswan.conf**(5). To use RSASSA-PSS + signatures use _rsa/pss_ instead of _pubkey_ or _rsa_ as in e.g. + _ike:rsa/pss-sha256_. If _pubkey_ or _rsa_ constraints are configured + RSASSA-PSS signatures will only be used if enabled in + **strongswan.conf**(5). connections.<conn>.local<suffix>.id = IKE identity to use for authentication round. @@ -589,7 +593,10 @@ connections.<conn>.remote<suffix>.auth = pubkey constraints are configured (refer to the description of the **local** section's **auth** keyword for details), such key types and hash algorithms are also applied as constraints against IKEv2 signature authentication - schemes used by the remote side. + schemes used by the remote side. To require RSASSA-PSS signatures use + _rsa/pss_ instead of _pubkey_ or _rsa_ as in e.g. _rsa/pss-sha256_. If + _pubkey_ or _rsa_ constraints are configured RSASSA-PSS signatures will only + be accepted if enabled in **strongswan.conf**(5). To specify trust chain constraints for EAP-(T)TLS, append a colon to the EAP method, followed by the key type/size and hash algorithm as discussed @@ -867,25 +874,37 @@ connections.<conn>.children.<child>.interface = connections.<conn>.children.<child>.mark_in = 0/0x00000000 Netfilter mark and mask for input traffic. - Netfilter mark and mask for input traffic. On Linux Netfilter may require - marks on each packet to match an SA having that option set. This allows - Netfilter rules to select specific tunnels for incoming traffic. The - special value _%unique_ sets a unique mark on each CHILD_SA instance, - beyond that the value _%unique-dir_ assigns a different unique mark for each + Netfilter mark and mask for input traffic. On Linux, Netfilter may require + marks on each packet to match an SA/policy having that option set. This + allows installing duplicate policies and enables Netfilter rules to select + specific SAs/policies for incoming traffic. Note that inbound marks are + only set on policies, by default, unless *mark_in_sa* is enabled. The + special value _%unique_ sets a unique mark on each CHILD_SA instance, beyond + that the value _%unique-dir_ assigns a different unique mark for each CHILD_SA direction (in/out). An additional mask may be appended to the mark, separated by _/_. The default mask if omitted is 0xffffffff. +connections.<conn>.children.<child>.mark_in_sa = no + Whether to set *mark_in* on the inbound SA. + + Whether to set *mark_in* on the inbound SA. By default, the inbound mark is + only set on the inbound policy. The tuple destination address, protocol and + SPI is unique and the mark is not required to find the correct SA, allowing + to mark traffic after decryption instead (where more specific selectors may + be used) to match different policies. Marking packets before decryption is + still possible, even if no mark is set on the SA. + connections.<conn>.children.<child>.mark_out = 0/0x00000000 Netfilter mark and mask for output traffic. - Netfilter mark and mask for output traffic. On Linux Netfilter may require - marks on each packet to match a policy having that option set. This allows - Netfilter rules to select specific tunnels for outgoing traffic. The - special value _%unique_ sets a unique mark on each CHILD_SA instance, - beyond that the value _%unique-dir_ assigns a different unique mark for each - CHILD_SA direction (in/out). + Netfilter mark and mask for output traffic. On Linux, Netfilter may require + marks on each packet to match a policy/SA having that option set. This + allows installing duplicate policies and enables Netfilter rules to select + specific policies/SAs for outgoing traffic. The special value _%unique_ sets + a unique mark on each CHILD_SA instance, beyond that the value _%unique-dir_ + assigns a different unique mark for each CHILD_SA direction (in/out). An additional mask may be appended to the mark, separated by _/_. The default mask if omitted is 0xffffffff. diff --git a/testing/Makefile.in b/testing/Makefile.in index 3f6f1e4dd..1c244c66e 100644 --- a/testing/Makefile.in +++ b/testing/Makefile.in @@ -161,9 +161,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/testing/config/kernel/config-4.13 b/testing/config/kernel/config-4.13 new file mode 100644 index 000000000..dcdceccd8 --- /dev/null +++ b/testing/config/kernel/config-4.13 @@ -0,0 +1,2613 @@ +# +# Automatically generated file; DO NOT EDIT. +# Linux/x86 4.13.12 Kernel Configuration +# +CONFIG_64BIT=y +CONFIG_X86_64=y +CONFIG_X86=y +CONFIG_INSTRUCTION_DECODER=y +CONFIG_OUTPUT_FORMAT="elf64-x86-64" +CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig" +CONFIG_LOCKDEP_SUPPORT=y +CONFIG_STACKTRACE_SUPPORT=y +CONFIG_MMU=y +CONFIG_ARCH_MMAP_RND_BITS_MIN=28 +CONFIG_ARCH_MMAP_RND_BITS_MAX=32 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 +CONFIG_NEED_DMA_MAP_STATE=y +CONFIG_NEED_SG_DMA_LENGTH=y +CONFIG_GENERIC_ISA_DMA=y +CONFIG_GENERIC_BUG=y +CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y +CONFIG_GENERIC_HWEIGHT=y +CONFIG_ARCH_MAY_HAVE_PC_FDC=y +CONFIG_RWSEM_XCHGADD_ALGORITHM=y +CONFIG_GENERIC_CALIBRATE_DELAY=y +CONFIG_ARCH_HAS_CPU_RELAX=y +CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y +CONFIG_HAVE_SETUP_PER_CPU_AREA=y +CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y +CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y +CONFIG_ARCH_HIBERNATION_POSSIBLE=y +CONFIG_ARCH_SUSPEND_POSSIBLE=y +CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y +CONFIG_ARCH_WANT_GENERAL_HUGETLB=y +CONFIG_ZONE_DMA32=y +CONFIG_AUDIT_ARCH=y +CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y +CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y +CONFIG_ARCH_SUPPORTS_UPROBES=y +CONFIG_FIX_EARLYCON_MEM=y +CONFIG_PGTABLE_LEVELS=4 +CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config" +CONFIG_IRQ_WORK=y +CONFIG_BUILDTIME_EXTABLE_SORT=y +CONFIG_THREAD_INFO_IN_TASK=y + +# +# General setup +# +CONFIG_BROKEN_ON_SMP=y +CONFIG_INIT_ENV_ARG_LIMIT=32 +CONFIG_CROSS_COMPILE="" +# CONFIG_COMPILE_TEST is not set +CONFIG_LOCALVERSION="" +CONFIG_LOCALVERSION_AUTO=y +CONFIG_HAVE_KERNEL_GZIP=y +CONFIG_HAVE_KERNEL_BZIP2=y +CONFIG_HAVE_KERNEL_LZMA=y +CONFIG_HAVE_KERNEL_XZ=y +CONFIG_HAVE_KERNEL_LZO=y +CONFIG_HAVE_KERNEL_LZ4=y +CONFIG_KERNEL_GZIP=y +# CONFIG_KERNEL_BZIP2 is not set +# CONFIG_KERNEL_LZMA is not set +# CONFIG_KERNEL_XZ is not set +# CONFIG_KERNEL_LZO is not set +# CONFIG_KERNEL_LZ4 is not set +CONFIG_DEFAULT_HOSTNAME="(none)" +CONFIG_SWAP=y +CONFIG_SYSVIPC=y +CONFIG_SYSVIPC_SYSCTL=y +CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_MQUEUE_SYSCTL=y +CONFIG_CROSS_MEMORY_ATTACH=y +CONFIG_FHANDLE=y +CONFIG_USELIB=y +# CONFIG_AUDIT is not set +CONFIG_HAVE_ARCH_AUDITSYSCALL=y + +# +# IRQ subsystem +# +CONFIG_GENERIC_IRQ_PROBE=y +CONFIG_GENERIC_IRQ_SHOW=y +CONFIG_IRQ_DOMAIN=y +CONFIG_IRQ_DOMAIN_HIERARCHY=y +CONFIG_GENERIC_MSI_IRQ=y +CONFIG_GENERIC_MSI_IRQ_DOMAIN=y +CONFIG_IRQ_FORCED_THREADING=y +CONFIG_SPARSE_IRQ=y +CONFIG_CLOCKSOURCE_WATCHDOG=y +CONFIG_ARCH_CLOCKSOURCE_DATA=y +CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y +CONFIG_GENERIC_TIME_VSYSCALL=y +CONFIG_GENERIC_CLOCKEVENTS=y +CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y +CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y +CONFIG_GENERIC_CMOS_UPDATE=y + +# +# Timers subsystem +# +CONFIG_TICK_ONESHOT=y +CONFIG_NO_HZ_COMMON=y +# CONFIG_HZ_PERIODIC is not set +CONFIG_NO_HZ_IDLE=y +CONFIG_NO_HZ=y +CONFIG_HIGH_RES_TIMERS=y + +# +# CPU/Task time and stats accounting +# +CONFIG_TICK_CPU_ACCOUNTING=y +# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set +# CONFIG_IRQ_TIME_ACCOUNTING is not set +CONFIG_BSD_PROCESS_ACCT=y +# CONFIG_BSD_PROCESS_ACCT_V3 is not set +# CONFIG_TASKSTATS is not set + +# +# RCU Subsystem +# +CONFIG_TINY_RCU=y +# CONFIG_RCU_EXPERT is not set +CONFIG_SRCU=y +CONFIG_TINY_SRCU=y +# CONFIG_TASKS_RCU is not set +# CONFIG_RCU_STALL_COMMON is not set +# CONFIG_RCU_NEED_SEGCBLIST is not set +CONFIG_BUILD_BIN2C=y +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +CONFIG_LOG_BUF_SHIFT=14 +CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13 +CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y +CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y +CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y +CONFIG_ARCH_SUPPORTS_INT128=y +CONFIG_CGROUPS=y +CONFIG_PAGE_COUNTER=y +CONFIG_MEMCG=y +CONFIG_MEMCG_SWAP=y +CONFIG_MEMCG_SWAP_ENABLED=y +CONFIG_BLK_CGROUP=y +# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_CGROUP_WRITEBACK=y +CONFIG_CGROUP_SCHED=y +CONFIG_FAIR_GROUP_SCHED=y +CONFIG_CFS_BANDWIDTH=y +# CONFIG_RT_GROUP_SCHED is not set +CONFIG_CGROUP_PIDS=y +# CONFIG_CGROUP_RDMA is not set +CONFIG_CGROUP_FREEZER=y +CONFIG_CGROUP_DEVICE=y +CONFIG_CGROUP_CPUACCT=y +CONFIG_CGROUP_PERF=y +# CONFIG_CGROUP_DEBUG is not set +CONFIG_SOCK_CGROUP_DATA=y +# CONFIG_CHECKPOINT_RESTORE is not set +CONFIG_NAMESPACES=y +# CONFIG_UTS_NS is not set +# CONFIG_IPC_NS is not set +# CONFIG_USER_NS is not set +# CONFIG_PID_NS is not set +# CONFIG_NET_NS is not set +# CONFIG_SCHED_AUTOGROUP is not set +# CONFIG_SYSFS_DEPRECATED is not set +# CONFIG_RELAY is not set +# CONFIG_BLK_DEV_INITRD is not set +# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set +CONFIG_CC_OPTIMIZE_FOR_SIZE=y +CONFIG_SYSCTL=y +CONFIG_ANON_INODES=y +CONFIG_SYSCTL_EXCEPTION_TRACE=y +CONFIG_HAVE_PCSPKR_PLATFORM=y +CONFIG_BPF=y +# CONFIG_EXPERT is not set +CONFIG_MULTIUSER=y +CONFIG_SGETMASK_SYSCALL=y +CONFIG_SYSFS_SYSCALL=y +# CONFIG_SYSCTL_SYSCALL is not set +CONFIG_POSIX_TIMERS=y +CONFIG_KALLSYMS=y +# CONFIG_KALLSYMS_ALL is not set +# CONFIG_KALLSYMS_ABSOLUTE_PERCPU is not set +CONFIG_KALLSYMS_BASE_RELATIVE=y +CONFIG_PRINTK=y +CONFIG_PRINTK_NMI=y +CONFIG_BUG=y +CONFIG_ELF_CORE=y +CONFIG_PCSPKR_PLATFORM=y +CONFIG_BASE_FULL=y +CONFIG_FUTEX=y +CONFIG_EPOLL=y +CONFIG_SIGNALFD=y +CONFIG_TIMERFD=y +CONFIG_EVENTFD=y +# CONFIG_BPF_SYSCALL is not set +CONFIG_SHMEM=y +CONFIG_AIO=y +CONFIG_ADVISE_SYSCALLS=y +# CONFIG_USERFAULTFD is not set +CONFIG_PCI_QUIRKS=y +CONFIG_MEMBARRIER=y +# CONFIG_EMBEDDED is not set +CONFIG_HAVE_PERF_EVENTS=y +# CONFIG_PC104 is not set + +# +# Kernel Performance Events And Counters +# +CONFIG_PERF_EVENTS=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_VM_EVENT_COUNTERS=y +CONFIG_COMPAT_BRK=y +CONFIG_SLAB=y +# CONFIG_SLUB is not set +CONFIG_SLAB_MERGE_DEFAULT=y +# CONFIG_SLAB_FREELIST_RANDOM is not set +# CONFIG_SYSTEM_DATA_VERIFICATION is not set +# CONFIG_PROFILING is not set +CONFIG_HAVE_OPROFILE=y +CONFIG_OPROFILE_NMI_TIMER=y +# CONFIG_JUMP_LABEL is not set +# CONFIG_UPROBES is not set +# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set +CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y +CONFIG_ARCH_USE_BUILTIN_BSWAP=y +CONFIG_HAVE_IOREMAP_PROT=y +CONFIG_HAVE_KPROBES=y +CONFIG_HAVE_KRETPROBES=y +CONFIG_HAVE_OPTPROBES=y +CONFIG_HAVE_KPROBES_ON_FTRACE=y +CONFIG_HAVE_NMI=y +CONFIG_HAVE_ARCH_TRACEHOOK=y +CONFIG_HAVE_DMA_CONTIGUOUS=y +CONFIG_GENERIC_SMP_IDLE_THREAD=y +CONFIG_ARCH_HAS_FORTIFY_SOURCE=y +CONFIG_ARCH_HAS_SET_MEMORY=y +CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y +CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y +CONFIG_HAVE_CLK=y +CONFIG_HAVE_DMA_API_DEBUG=y +CONFIG_HAVE_HW_BREAKPOINT=y +CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y +CONFIG_HAVE_USER_RETURN_NOTIFIER=y +CONFIG_HAVE_PERF_EVENTS_NMI=y +CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y +CONFIG_HAVE_PERF_REGS=y +CONFIG_HAVE_PERF_USER_STACK_DUMP=y +CONFIG_HAVE_ARCH_JUMP_LABEL=y +CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y +CONFIG_HAVE_CMPXCHG_LOCAL=y +CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_HAVE_ARCH_SECCOMP_FILTER=y +CONFIG_SECCOMP_FILTER=y +CONFIG_HAVE_GCC_PLUGINS=y +# CONFIG_GCC_PLUGINS is not set +CONFIG_HAVE_CC_STACKPROTECTOR=y +CONFIG_CC_STACKPROTECTOR=y +# CONFIG_CC_STACKPROTECTOR_NONE is not set +CONFIG_CC_STACKPROTECTOR_REGULAR=y +# CONFIG_CC_STACKPROTECTOR_STRONG is not set +CONFIG_THIN_ARCHIVES=y +CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y +CONFIG_HAVE_CONTEXT_TRACKING=y +CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y +CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD=y +CONFIG_HAVE_ARCH_HUGE_VMAP=y +CONFIG_HAVE_ARCH_SOFT_DIRTY=y +CONFIG_MODULES_USE_ELF_RELA=y +CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y +CONFIG_ARCH_HAS_ELF_RANDOMIZE=y +CONFIG_HAVE_ARCH_MMAP_RND_BITS=y +CONFIG_HAVE_EXIT_THREAD=y +CONFIG_ARCH_MMAP_RND_BITS=28 +CONFIG_HAVE_COPY_THREAD_TLS=y +CONFIG_HAVE_STACK_VALIDATION=y +# CONFIG_HAVE_ARCH_HASH is not set +# CONFIG_ISA_BUS_API is not set +# CONFIG_CPU_NO_EFFICIENT_FFS is not set +CONFIG_HAVE_ARCH_VMAP_STACK=y +CONFIG_VMAP_STACK=y +# CONFIG_ARCH_OPTIONAL_KERNEL_RWX is not set +# CONFIG_ARCH_OPTIONAL_KERNEL_RWX_DEFAULT is not set +CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y +CONFIG_STRICT_KERNEL_RWX=y +CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y +# CONFIG_REFCOUNT_FULL is not set + +# +# GCOV-based kernel profiling +# +CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y +# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set +CONFIG_SLABINFO=y +CONFIG_RT_MUTEXES=y +CONFIG_BASE_SMALL=0 +# CONFIG_MODULES is not set +CONFIG_MODULES_TREE_LOOKUP=y +CONFIG_BLOCK=y +# CONFIG_BLK_DEV_BSG is not set +# CONFIG_BLK_DEV_BSGLIB is not set +# CONFIG_BLK_DEV_INTEGRITY is not set +# CONFIG_BLK_DEV_ZONED is not set +# CONFIG_BLK_DEV_THROTTLING is not set +# CONFIG_BLK_CMDLINE_PARSER is not set +# CONFIG_BLK_WBT is not set +# CONFIG_BLK_SED_OPAL is not set + +# +# Partition Types +# +# CONFIG_PARTITION_ADVANCED is not set +CONFIG_MSDOS_PARTITION=y +CONFIG_EFI_PARTITION=y +CONFIG_BLK_MQ_PCI=y +CONFIG_BLK_MQ_VIRTIO=y + +# +# IO Schedulers +# +CONFIG_IOSCHED_NOOP=y +CONFIG_IOSCHED_DEADLINE=y +CONFIG_IOSCHED_CFQ=y +# CONFIG_CFQ_GROUP_IOSCHED is not set +# CONFIG_DEFAULT_DEADLINE is not set +CONFIG_DEFAULT_CFQ=y +# CONFIG_DEFAULT_NOOP is not set +CONFIG_DEFAULT_IOSCHED="cfq" +CONFIG_MQ_IOSCHED_DEADLINE=y +CONFIG_MQ_IOSCHED_KYBER=y +# CONFIG_IOSCHED_BFQ is not set +CONFIG_INLINE_SPIN_UNLOCK_IRQ=y +CONFIG_INLINE_READ_UNLOCK=y +CONFIG_INLINE_READ_UNLOCK_IRQ=y +CONFIG_INLINE_WRITE_UNLOCK=y +CONFIG_INLINE_WRITE_UNLOCK_IRQ=y +CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y +CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y +CONFIG_ARCH_USE_QUEUED_RWLOCKS=y +CONFIG_FREEZER=y + +# +# Processor type and features +# +CONFIG_ZONE_DMA=y +# CONFIG_SMP is not set +CONFIG_X86_FEATURE_NAMES=y +CONFIG_X86_FAST_FEATURE_TESTS=y +CONFIG_X86_MPPARSE=y +# CONFIG_GOLDFISH is not set +# CONFIG_INTEL_RDT_A is not set +CONFIG_X86_EXTENDED_PLATFORM=y +# CONFIG_X86_GOLDFISH is not set +# CONFIG_X86_INTEL_MID is not set +# CONFIG_X86_INTEL_LPSS is not set +# CONFIG_X86_AMD_PLATFORM_DEVICE is not set +CONFIG_IOSF_MBI=y +CONFIG_SCHED_OMIT_FRAME_POINTER=y +# CONFIG_HYPERVISOR_GUEST is not set +CONFIG_NO_BOOTMEM=y +# CONFIG_MK8 is not set +# CONFIG_MPSC is not set +CONFIG_MCORE2=y +# CONFIG_MATOM is not set +# CONFIG_GENERIC_CPU is not set +CONFIG_X86_INTERNODE_CACHE_SHIFT=6 +CONFIG_X86_L1_CACHE_SHIFT=6 +CONFIG_X86_INTEL_USERCOPY=y +CONFIG_X86_USE_PPRO_CHECKSUM=y +CONFIG_X86_P6_NOP=y +CONFIG_X86_TSC=y +CONFIG_X86_CMPXCHG64=y +CONFIG_X86_CMOV=y +CONFIG_X86_MINIMUM_CPU_FAMILY=64 +CONFIG_X86_DEBUGCTLMSR=y +CONFIG_CPU_SUP_INTEL=y +CONFIG_CPU_SUP_AMD=y +CONFIG_CPU_SUP_CENTAUR=y +CONFIG_HPET_TIMER=y +CONFIG_DMI=y +CONFIG_GART_IOMMU=y +# CONFIG_CALGARY_IOMMU is not set +CONFIG_SWIOTLB=y +CONFIG_IOMMU_HELPER=y +CONFIG_NR_CPUS=1 +CONFIG_PREEMPT_NONE=y +# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT is not set +CONFIG_UP_LATE_INIT=y +CONFIG_X86_LOCAL_APIC=y +CONFIG_X86_IO_APIC=y +# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set +# CONFIG_X86_MCE is not set + +# +# Performance monitoring +# +CONFIG_PERF_EVENTS_INTEL_UNCORE=y +CONFIG_PERF_EVENTS_INTEL_RAPL=y +CONFIG_PERF_EVENTS_INTEL_CSTATE=y +# CONFIG_PERF_EVENTS_AMD_POWER is not set +# CONFIG_VM86 is not set +CONFIG_X86_16BIT=y +CONFIG_X86_ESPFIX64=y +CONFIG_X86_VSYSCALL_EMULATION=y +# CONFIG_I8K is not set +CONFIG_MICROCODE=y +CONFIG_MICROCODE_INTEL=y +# CONFIG_MICROCODE_AMD is not set +CONFIG_MICROCODE_OLD_INTERFACE=y +# CONFIG_X86_MSR is not set +# CONFIG_X86_CPUID is not set +CONFIG_ARCH_PHYS_ADDR_T_64BIT=y +CONFIG_ARCH_DMA_ADDR_T_64BIT=y +CONFIG_X86_DIRECT_GBPAGES=y +CONFIG_ARCH_SPARSEMEM_ENABLE=y +CONFIG_ARCH_SPARSEMEM_DEFAULT=y +CONFIG_ARCH_SELECT_MEMORY_MODEL=y +CONFIG_ARCH_MEMORY_PROBE=y +CONFIG_ARCH_PROC_KCORE_TEXT=y +CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 +CONFIG_SELECT_MEMORY_MODEL=y +CONFIG_SPARSEMEM_MANUAL=y +CONFIG_SPARSEMEM=y +CONFIG_HAVE_MEMORY_PRESENT=y +CONFIG_SPARSEMEM_EXTREME=y +CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y +CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y +CONFIG_SPARSEMEM_VMEMMAP=y +CONFIG_HAVE_MEMBLOCK=y +CONFIG_HAVE_MEMBLOCK_NODE_MAP=y +CONFIG_HAVE_GENERIC_GUP=y +CONFIG_ARCH_DISCARD_MEMBLOCK=y +CONFIG_MEMORY_ISOLATION=y +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTPLUG_SPARSE=y +# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set +CONFIG_MEMORY_HOTREMOVE=y +CONFIG_SPLIT_PTLOCK_CPUS=4 +CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y +CONFIG_MEMORY_BALLOON=y +# CONFIG_COMPACTION is not set +CONFIG_MIGRATION=y +CONFIG_PHYS_ADDR_T_64BIT=y +CONFIG_BOUNCE=y +CONFIG_VIRT_TO_BUS=y +# CONFIG_KSM is not set +CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +# CONFIG_TRANSPARENT_HUGEPAGE is not set +CONFIG_ARCH_WANTS_THP_SWAP=y +CONFIG_NEED_PER_CPU_KM=y +# CONFIG_CLEANCACHE is not set +# CONFIG_FRONTSWAP is not set +# CONFIG_CMA is not set +# CONFIG_ZPOOL is not set +# CONFIG_ZBUD is not set +# CONFIG_ZSMALLOC is not set +CONFIG_GENERIC_EARLY_IOREMAP=y +CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y +# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set +# CONFIG_IDLE_PAGE_TRACKING is not set +CONFIG_ARCH_HAS_ZONE_DEVICE=y +# CONFIG_ZONE_DEVICE is not set +CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y +CONFIG_ARCH_HAS_PKEYS=y +# CONFIG_PERCPU_STATS is not set +# CONFIG_X86_PMEM_LEGACY is not set +# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set +CONFIG_X86_RESERVE_LOW=64 +CONFIG_MTRR=y +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 +CONFIG_X86_PAT=y +CONFIG_ARCH_USES_PG_UNCACHED=y +CONFIG_ARCH_RANDOM=y +CONFIG_X86_SMAP=y +# CONFIG_X86_INTEL_MPX is not set +CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y +# CONFIG_EFI is not set +CONFIG_SECCOMP=y +# CONFIG_HZ_100 is not set +CONFIG_HZ_250=y +# CONFIG_HZ_300 is not set +# CONFIG_HZ_1000 is not set +CONFIG_HZ=250 +CONFIG_SCHED_HRTICK=y +# CONFIG_KEXEC is not set +# CONFIG_KEXEC_FILE is not set +# CONFIG_CRASH_DUMP is not set +CONFIG_PHYSICAL_START=0x1000000 +CONFIG_RELOCATABLE=y +# CONFIG_RANDOMIZE_BASE is not set +CONFIG_PHYSICAL_ALIGN=0x1000000 +# CONFIG_LEGACY_VSYSCALL_NATIVE is not set +CONFIG_LEGACY_VSYSCALL_EMULATE=y +# CONFIG_LEGACY_VSYSCALL_NONE is not set +# CONFIG_CMDLINE_BOOL is not set +CONFIG_MODIFY_LDT_SYSCALL=y +CONFIG_HAVE_LIVEPATCH=y +CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y + +# +# Power management and ACPI options +# +CONFIG_SUSPEND=y +CONFIG_SUSPEND_FREEZER=y +# CONFIG_HIBERNATION is not set +CONFIG_PM_SLEEP=y +# CONFIG_PM_AUTOSLEEP is not set +# CONFIG_PM_WAKELOCKS is not set +CONFIG_PM=y +# CONFIG_PM_DEBUG is not set +CONFIG_PM_CLK=y +# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set +CONFIG_ACPI=y +CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y +CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y +CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y +# CONFIG_ACPI_DEBUGGER is not set +CONFIG_ACPI_SLEEP=y +# CONFIG_ACPI_PROCFS_POWER is not set +CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y +# CONFIG_ACPI_EC_DEBUGFS is not set +CONFIG_ACPI_AC=y +CONFIG_ACPI_BATTERY=y +CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_FAN=y +# CONFIG_ACPI_DOCK is not set +CONFIG_ACPI_CPU_FREQ_PSS=y +CONFIG_ACPI_PROCESSOR_CSTATE=y +CONFIG_ACPI_PROCESSOR_IDLE=y +CONFIG_ACPI_PROCESSOR=y +# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_THERMAL=y +# CONFIG_ACPI_CUSTOM_DSDT is not set +CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y +# CONFIG_ACPI_DEBUG is not set +# CONFIG_ACPI_PCI_SLOT is not set +CONFIG_X86_PM_TIMER=y +# CONFIG_ACPI_CONTAINER is not set +# CONFIG_ACPI_HOTPLUG_MEMORY is not set +CONFIG_ACPI_HOTPLUG_IOAPIC=y +# CONFIG_ACPI_SBS is not set +# CONFIG_ACPI_HED is not set +# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set +# CONFIG_ACPI_NFIT is not set +CONFIG_HAVE_ACPI_APEI=y +CONFIG_HAVE_ACPI_APEI_NMI=y +# CONFIG_ACPI_APEI is not set +# CONFIG_DPTF_POWER is not set +# CONFIG_PMIC_OPREGION is not set +# CONFIG_ACPI_CONFIGFS is not set +# CONFIG_SFI is not set + +# +# CPU Frequency scaling +# +# CONFIG_CPU_FREQ is not set + +# +# CPU Idle +# +CONFIG_CPU_IDLE=y +CONFIG_CPU_IDLE_GOV_LADDER=y +CONFIG_CPU_IDLE_GOV_MENU=y +# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set +# CONFIG_INTEL_IDLE is not set + +# +# Bus options (PCI etc.) +# +CONFIG_PCI=y +CONFIG_PCI_DIRECT=y +# CONFIG_PCI_MMCONFIG is not set +CONFIG_PCI_DOMAINS=y +# CONFIG_PCIEPORTBUS is not set +CONFIG_PCI_BUS_ADDR_T_64BIT=y +CONFIG_PCI_MSI=y +CONFIG_PCI_MSI_IRQ_DOMAIN=y +# CONFIG_PCI_DEBUG is not set +# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set +# CONFIG_PCI_STUB is not set +CONFIG_HT_IRQ=y +CONFIG_PCI_LOCKLESS_CONFIG=y +# CONFIG_PCI_IOV is not set +# CONFIG_PCI_PRI is not set +# CONFIG_PCI_PASID is not set +CONFIG_PCI_LABEL=y +# CONFIG_HOTPLUG_PCI is not set + +# +# DesignWare PCI Core Support +# +# CONFIG_PCIE_DW_PLAT is not set + +# +# PCI host controller drivers +# +# CONFIG_VMD is not set + +# +# PCI Endpoint +# +# CONFIG_PCI_ENDPOINT is not set + +# +# PCI switch controller drivers +# +# CONFIG_PCI_SW_SWITCHTEC is not set +CONFIG_ISA_DMA_API=y +CONFIG_AMD_NB=y +# CONFIG_PCCARD is not set +# CONFIG_RAPIDIO is not set +# CONFIG_X86_SYSFB is not set + +# +# Executable file formats / Emulations +# +CONFIG_BINFMT_ELF=y +CONFIG_ELFCORE=y +# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set +CONFIG_BINFMT_SCRIPT=y +# CONFIG_HAVE_AOUT is not set +# CONFIG_BINFMT_MISC is not set +CONFIG_COREDUMP=y +# CONFIG_IA32_EMULATION is not set +# CONFIG_X86_X32 is not set +CONFIG_X86_DEV_DMA_OPS=y +CONFIG_NET=y +CONFIG_NET_INGRESS=y + +# +# Networking options +# +CONFIG_PACKET=y +# CONFIG_PACKET_DIAG is not set +CONFIG_UNIX=y +# CONFIG_UNIX_DIAG is not set +CONFIG_TLS=y +CONFIG_XFRM=y +CONFIG_XFRM_ALGO=y +CONFIG_XFRM_USER=y +CONFIG_XFRM_SUB_POLICY=y +CONFIG_XFRM_MIGRATE=y +CONFIG_XFRM_STATISTICS=y +CONFIG_XFRM_IPCOMP=y +CONFIG_NET_KEY=y +CONFIG_NET_KEY_MIGRATE=y +CONFIG_INET=y +# CONFIG_IP_MULTICAST is not set +CONFIG_IP_ADVANCED_ROUTER=y +# CONFIG_IP_FIB_TRIE_STATS is not set +CONFIG_IP_MULTIPLE_TABLES=y +# CONFIG_IP_ROUTE_MULTIPATH is not set +# CONFIG_IP_ROUTE_VERBOSE is not set +CONFIG_IP_ROUTE_CLASSID=y +# CONFIG_IP_PNP is not set +# CONFIG_NET_IPIP is not set +# CONFIG_NET_IPGRE_DEMUX is not set +CONFIG_NET_IP_TUNNEL=y +# CONFIG_SYN_COOKIES is not set +# CONFIG_NET_IPVTI is not set +CONFIG_NET_UDP_TUNNEL=y +# CONFIG_NET_FOU is not set +CONFIG_INET_AH=y +CONFIG_INET_ESP=y +# CONFIG_INET_ESP_OFFLOAD is not set +CONFIG_INET_IPCOMP=y +CONFIG_INET_XFRM_TUNNEL=y +CONFIG_INET_TUNNEL=y +CONFIG_INET_XFRM_MODE_TRANSPORT=y +CONFIG_INET_XFRM_MODE_TUNNEL=y +CONFIG_INET_XFRM_MODE_BEET=y +CONFIG_INET_DIAG=y +CONFIG_INET_TCP_DIAG=y +# CONFIG_INET_UDP_DIAG is not set +# CONFIG_INET_RAW_DIAG is not set +# CONFIG_INET_DIAG_DESTROY is not set +# CONFIG_TCP_CONG_ADVANCED is not set +CONFIG_TCP_CONG_CUBIC=y +CONFIG_DEFAULT_TCP_CONG="cubic" +# CONFIG_TCP_MD5SIG is not set +CONFIG_IPV6=y +# CONFIG_IPV6_ROUTER_PREF is not set +CONFIG_IPV6_OPTIMISTIC_DAD=y +CONFIG_INET6_AH=y +CONFIG_INET6_ESP=y +# CONFIG_INET6_ESP_OFFLOAD is not set +CONFIG_INET6_IPCOMP=y +CONFIG_IPV6_MIP6=y +# CONFIG_IPV6_ILA is not set +CONFIG_INET6_XFRM_TUNNEL=y +CONFIG_INET6_TUNNEL=y +CONFIG_INET6_XFRM_MODE_TRANSPORT=y +CONFIG_INET6_XFRM_MODE_TUNNEL=y +CONFIG_INET6_XFRM_MODE_BEET=y +# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set +# CONFIG_IPV6_VTI is not set +# CONFIG_IPV6_SIT is not set +CONFIG_IPV6_TUNNEL=y +# CONFIG_IPV6_FOU is not set +# CONFIG_IPV6_FOU_TUNNEL is not set +CONFIG_IPV6_MULTIPLE_TABLES=y +CONFIG_IPV6_SUBTREES=y +# CONFIG_IPV6_MROUTE is not set +# CONFIG_IPV6_SEG6_LWTUNNEL is not set +# CONFIG_IPV6_SEG6_HMAC is not set +# CONFIG_NETWORK_SECMARK is not set +# CONFIG_NET_PTP_CLASSIFY is not set +# CONFIG_NETWORK_PHY_TIMESTAMPING is not set +CONFIG_NETFILTER=y +# CONFIG_NETFILTER_DEBUG is not set +CONFIG_NETFILTER_ADVANCED=y + +# +# Core Netfilter Configuration +# +CONFIG_NETFILTER_INGRESS=y +CONFIG_NETFILTER_NETLINK=y +# CONFIG_NETFILTER_NETLINK_ACCT is not set +CONFIG_NETFILTER_NETLINK_QUEUE=y +CONFIG_NETFILTER_NETLINK_LOG=y +CONFIG_NF_CONNTRACK=y +CONFIG_NF_LOG_COMMON=y +# CONFIG_NF_LOG_NETDEV is not set +CONFIG_NF_CONNTRACK_MARK=y +# CONFIG_NF_CONNTRACK_ZONES is not set +CONFIG_NF_CONNTRACK_PROCFS=y +CONFIG_NF_CONNTRACK_EVENTS=y +# CONFIG_NF_CONNTRACK_TIMEOUT is not set +# CONFIG_NF_CONNTRACK_TIMESTAMP is not set +# CONFIG_NF_CT_PROTO_DCCP is not set +# CONFIG_NF_CT_PROTO_SCTP is not set +CONFIG_NF_CT_PROTO_UDPLITE=y +# CONFIG_NF_CONNTRACK_AMANDA is not set +# CONFIG_NF_CONNTRACK_FTP is not set +# CONFIG_NF_CONNTRACK_H323 is not set +# CONFIG_NF_CONNTRACK_IRC is not set +# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set +# CONFIG_NF_CONNTRACK_SNMP is not set +# CONFIG_NF_CONNTRACK_PPTP is not set +CONFIG_NF_CONNTRACK_SANE=y +# CONFIG_NF_CONNTRACK_SIP is not set +# CONFIG_NF_CONNTRACK_TFTP is not set +CONFIG_NF_CT_NETLINK=y +# CONFIG_NF_CT_NETLINK_TIMEOUT is not set +# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set +CONFIG_NF_NAT=y +CONFIG_NF_NAT_NEEDED=y +CONFIG_NF_NAT_PROTO_UDPLITE=y +# CONFIG_NF_NAT_AMANDA is not set +# CONFIG_NF_NAT_FTP is not set +# CONFIG_NF_NAT_IRC is not set +# CONFIG_NF_NAT_SIP is not set +# CONFIG_NF_NAT_TFTP is not set +CONFIG_NF_NAT_REDIRECT=y +# CONFIG_NF_TABLES is not set +CONFIG_NETFILTER_XTABLES=y + +# +# Xtables combined modules +# +CONFIG_NETFILTER_XT_MARK=y +CONFIG_NETFILTER_XT_CONNMARK=y +CONFIG_NETFILTER_XT_SET=y + +# +# Xtables targets +# +# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set +CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y +CONFIG_NETFILTER_XT_TARGET_CONNMARK=y +CONFIG_NETFILTER_XT_TARGET_CT=y +CONFIG_NETFILTER_XT_TARGET_DSCP=y +CONFIG_NETFILTER_XT_TARGET_HL=y +# CONFIG_NETFILTER_XT_TARGET_HMARK is not set +# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set +CONFIG_NETFILTER_XT_TARGET_LOG=y +CONFIG_NETFILTER_XT_TARGET_MARK=y +CONFIG_NETFILTER_XT_NAT=y +CONFIG_NETFILTER_XT_TARGET_NETMAP=y +CONFIG_NETFILTER_XT_TARGET_NFLOG=y +CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y +CONFIG_NETFILTER_XT_TARGET_NOTRACK=y +# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set +CONFIG_NETFILTER_XT_TARGET_REDIRECT=y +# CONFIG_NETFILTER_XT_TARGET_TEE is not set +# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set +CONFIG_NETFILTER_XT_TARGET_TRACE=y +CONFIG_NETFILTER_XT_TARGET_TCPMSS=y +# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set + +# +# Xtables matches +# +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +# CONFIG_NETFILTER_XT_MATCH_BPF is not set +# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set +CONFIG_NETFILTER_XT_MATCH_CLUSTER=y +CONFIG_NETFILTER_XT_MATCH_COMMENT=y +CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y +# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set +CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y +CONFIG_NETFILTER_XT_MATCH_CONNMARK=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +# CONFIG_NETFILTER_XT_MATCH_CPU is not set +CONFIG_NETFILTER_XT_MATCH_DCCP=y +CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y +CONFIG_NETFILTER_XT_MATCH_DSCP=y +CONFIG_NETFILTER_XT_MATCH_ECN=y +CONFIG_NETFILTER_XT_MATCH_ESP=y +CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y +CONFIG_NETFILTER_XT_MATCH_HELPER=y +CONFIG_NETFILTER_XT_MATCH_HL=y +# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set +# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set +CONFIG_NETFILTER_XT_MATCH_L2TP=y +CONFIG_NETFILTER_XT_MATCH_LENGTH=y +CONFIG_NETFILTER_XT_MATCH_LIMIT=y +CONFIG_NETFILTER_XT_MATCH_MAC=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y +# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set +# CONFIG_NETFILTER_XT_MATCH_OSF is not set +# CONFIG_NETFILTER_XT_MATCH_OWNER is not set +CONFIG_NETFILTER_XT_MATCH_POLICY=y +CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y +CONFIG_NETFILTER_XT_MATCH_QUOTA=y +# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set +CONFIG_NETFILTER_XT_MATCH_REALM=y +# CONFIG_NETFILTER_XT_MATCH_RECENT is not set +CONFIG_NETFILTER_XT_MATCH_SCTP=y +CONFIG_NETFILTER_XT_MATCH_STATE=y +CONFIG_NETFILTER_XT_MATCH_STATISTIC=y +CONFIG_NETFILTER_XT_MATCH_STRING=y +CONFIG_NETFILTER_XT_MATCH_TCPMSS=y +# CONFIG_NETFILTER_XT_MATCH_TIME is not set +CONFIG_NETFILTER_XT_MATCH_U32=y +CONFIG_IP_SET=y +CONFIG_IP_SET_MAX=256 +CONFIG_IP_SET_BITMAP_IP=y +CONFIG_IP_SET_BITMAP_IPMAC=y +CONFIG_IP_SET_BITMAP_PORT=y +CONFIG_IP_SET_HASH_IP=y +# CONFIG_IP_SET_HASH_IPMARK is not set +CONFIG_IP_SET_HASH_IPPORT=y +CONFIG_IP_SET_HASH_IPPORTIP=y +CONFIG_IP_SET_HASH_IPPORTNET=y +# CONFIG_IP_SET_HASH_IPMAC is not set +# CONFIG_IP_SET_HASH_MAC is not set +# CONFIG_IP_SET_HASH_NETPORTNET is not set +CONFIG_IP_SET_HASH_NET=y +# CONFIG_IP_SET_HASH_NETNET is not set +CONFIG_IP_SET_HASH_NETPORT=y +# CONFIG_IP_SET_HASH_NETIFACE is not set +CONFIG_IP_SET_LIST_SET=y +# CONFIG_IP_VS is not set + +# +# IP: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV4=y +CONFIG_NF_CONNTRACK_IPV4=y +# CONFIG_NF_SOCKET_IPV4 is not set +# CONFIG_NF_DUP_IPV4 is not set +# CONFIG_NF_LOG_ARP is not set +CONFIG_NF_LOG_IPV4=y +CONFIG_NF_REJECT_IPV4=y +CONFIG_NF_NAT_IPV4=y +CONFIG_NF_NAT_MASQUERADE_IPV4=y +# CONFIG_NF_NAT_PPTP is not set +# CONFIG_NF_NAT_H323 is not set +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_MATCH_AH=y +CONFIG_IP_NF_MATCH_ECN=y +# CONFIG_IP_NF_MATCH_RPFILTER is not set +CONFIG_IP_NF_MATCH_TTL=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_TARGET_REJECT=y +# CONFIG_IP_NF_TARGET_SYNPROXY is not set +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_IP_NF_TARGET_NETMAP=y +CONFIG_IP_NF_TARGET_REDIRECT=y +CONFIG_IP_NF_MANGLE=y +CONFIG_IP_NF_TARGET_CLUSTERIP=y +CONFIG_IP_NF_TARGET_ECN=y +CONFIG_IP_NF_TARGET_TTL=y +CONFIG_IP_NF_RAW=y +CONFIG_IP_NF_ARPTABLES=y +CONFIG_IP_NF_ARPFILTER=y +CONFIG_IP_NF_ARP_MANGLE=y + +# +# IPv6: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV6=y +CONFIG_NF_CONNTRACK_IPV6=y +# CONFIG_NF_SOCKET_IPV6 is not set +# CONFIG_NF_DUP_IPV6 is not set +CONFIG_NF_REJECT_IPV6=y +CONFIG_NF_LOG_IPV6=y +CONFIG_NF_NAT_IPV6=y +CONFIG_NF_NAT_MASQUERADE_IPV6=y +CONFIG_IP6_NF_IPTABLES=y +CONFIG_IP6_NF_MATCH_AH=y +CONFIG_IP6_NF_MATCH_EUI64=y +CONFIG_IP6_NF_MATCH_FRAG=y +CONFIG_IP6_NF_MATCH_OPTS=y +CONFIG_IP6_NF_MATCH_HL=y +CONFIG_IP6_NF_MATCH_IPV6HEADER=y +CONFIG_IP6_NF_MATCH_MH=y +# CONFIG_IP6_NF_MATCH_RPFILTER is not set +CONFIG_IP6_NF_MATCH_RT=y +CONFIG_IP6_NF_TARGET_HL=y +CONFIG_IP6_NF_FILTER=y +CONFIG_IP6_NF_TARGET_REJECT=y +# CONFIG_IP6_NF_TARGET_SYNPROXY is not set +CONFIG_IP6_NF_MANGLE=y +CONFIG_IP6_NF_RAW=y +# CONFIG_IP6_NF_NAT is not set +# CONFIG_IP_DCCP is not set +# CONFIG_IP_SCTP is not set +# CONFIG_RDS is not set +# CONFIG_TIPC is not set +# CONFIG_ATM is not set +CONFIG_L2TP=y +# CONFIG_L2TP_V3 is not set +# CONFIG_BRIDGE is not set +CONFIG_HAVE_NET_DSA=y +# CONFIG_NET_DSA is not set +# CONFIG_VLAN_8021Q is not set +# CONFIG_DECNET is not set +# CONFIG_LLC2 is not set +# CONFIG_IPX is not set +# CONFIG_ATALK is not set +# CONFIG_X25 is not set +# CONFIG_LAPB is not set +# CONFIG_PHONET is not set +# CONFIG_6LOWPAN is not set +# CONFIG_IEEE802154 is not set +# CONFIG_NET_SCHED is not set +# CONFIG_DCB is not set +# CONFIG_BATMAN_ADV is not set +# CONFIG_OPENVSWITCH is not set +# CONFIG_VSOCKETS is not set +# CONFIG_NETLINK_DIAG is not set +# CONFIG_MPLS is not set +# CONFIG_HSR is not set +# CONFIG_NET_SWITCHDEV is not set +# CONFIG_NET_L3_MASTER_DEV is not set +# CONFIG_NET_NCSI is not set +CONFIG_CGROUP_NET_PRIO=y +CONFIG_CGROUP_NET_CLASSID=y +CONFIG_NET_RX_BUSY_POLL=y +CONFIG_BQL=y + +# +# Network testing +# +# CONFIG_NET_PKTGEN is not set +# CONFIG_HAMRADIO is not set +# CONFIG_CAN is not set +# CONFIG_IRDA is not set +# CONFIG_BT is not set +# CONFIG_AF_RXRPC is not set +# CONFIG_AF_KCM is not set +# CONFIG_STREAM_PARSER is not set +CONFIG_FIB_RULES=y +CONFIG_WIRELESS=y +# CONFIG_CFG80211 is not set +# CONFIG_LIB80211 is not set + +# +# CFG80211 needs to be enabled for MAC80211 +# +CONFIG_MAC80211_STA_HASH_MAX_SIZE=0 +# CONFIG_WIMAX is not set +# CONFIG_RFKILL is not set +CONFIG_NET_9P=y +CONFIG_NET_9P_VIRTIO=y +# CONFIG_NET_9P_DEBUG is not set +# CONFIG_CAIF is not set +# CONFIG_CEPH_LIB is not set +# CONFIG_NFC is not set +# CONFIG_PSAMPLE is not set +# CONFIG_NET_IFE is not set +# CONFIG_LWTUNNEL is not set +CONFIG_DST_CACHE=y +CONFIG_GRO_CELLS=y +# CONFIG_NET_DEVLINK is not set +CONFIG_MAY_USE_DEVLINK=y +CONFIG_HAVE_EBPF_JIT=y + +# +# Device Drivers +# + +# +# Generic Driver Options +# +CONFIG_UEVENT_HELPER=y +CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug" +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y +CONFIG_STANDALONE=y +CONFIG_PREVENT_FIRMWARE_BUILD=y +CONFIG_FW_LOADER=y +CONFIG_FIRMWARE_IN_KERNEL=y +CONFIG_EXTRA_FIRMWARE="" +# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set +CONFIG_ALLOW_DEV_COREDUMP=y +# CONFIG_DEBUG_DRIVER is not set +# CONFIG_DEBUG_DEVRES is not set +# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set +# CONFIG_SYS_HYPERVISOR is not set +# CONFIG_GENERIC_CPU_DEVICES is not set +CONFIG_GENERIC_CPU_AUTOPROBE=y +# CONFIG_DMA_SHARED_BUFFER is not set + +# +# Bus devices +# +# CONFIG_CONNECTOR is not set +# CONFIG_MTD is not set +# CONFIG_OF is not set +CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y +# CONFIG_PARPORT is not set +CONFIG_PNP=y +CONFIG_PNP_DEBUG_MESSAGES=y + +# +# Protocols +# +CONFIG_PNPACPI=y +CONFIG_BLK_DEV=y +# CONFIG_BLK_DEV_NULL_BLK is not set +# CONFIG_BLK_DEV_FD is not set +# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set +# CONFIG_BLK_CPQ_CISS_DA is not set +# CONFIG_BLK_DEV_DAC960 is not set +# CONFIG_BLK_DEV_UMEM is not set +# CONFIG_BLK_DEV_COW_COMMON is not set +CONFIG_BLK_DEV_LOOP=y +CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 +# CONFIG_BLK_DEV_CRYPTOLOOP is not set +# CONFIG_BLK_DEV_DRBD is not set +CONFIG_BLK_DEV_NBD=y +# CONFIG_BLK_DEV_SKD is not set +# CONFIG_BLK_DEV_SX8 is not set +# CONFIG_BLK_DEV_RAM is not set +# CONFIG_CDROM_PKTCDVD is not set +# CONFIG_ATA_OVER_ETH is not set +CONFIG_VIRTIO_BLK=y +# CONFIG_VIRTIO_BLK_SCSI is not set +# CONFIG_BLK_DEV_RBD is not set +# CONFIG_BLK_DEV_RSXX is not set +# CONFIG_BLK_DEV_NVME is not set +# CONFIG_NVME_FC is not set + +# +# Misc devices +# +# CONFIG_SENSORS_LIS3LV02D is not set +# CONFIG_DUMMY_IRQ is not set +# CONFIG_IBM_ASM is not set +# CONFIG_PHANTOM is not set +# CONFIG_SGI_IOC4 is not set +# CONFIG_TIFM_CORE is not set +# CONFIG_ENCLOSURE_SERVICES is not set +# CONFIG_HP_ILO is not set +# CONFIG_SRAM is not set +# CONFIG_PCI_ENDPOINT_TEST is not set +# CONFIG_C2PORT is not set + +# +# EEPROM support +# +# CONFIG_EEPROM_93CX6 is not set +# CONFIG_CB710_CORE is not set + +# +# Texas Instruments shared transport line discipline +# + +# +# Altera FPGA firmware download module +# +# CONFIG_INTEL_MEI is not set +# CONFIG_INTEL_MEI_ME is not set +# CONFIG_INTEL_MEI_TXE is not set +# CONFIG_VMWARE_VMCI is not set + +# +# Intel MIC Bus Driver +# +# CONFIG_INTEL_MIC_BUS is not set + +# +# SCIF Bus Driver +# +# CONFIG_SCIF_BUS is not set + +# +# VOP Bus Driver +# +# CONFIG_VOP_BUS is not set + +# +# Intel MIC Host Driver +# + +# +# Intel MIC Card Driver +# + +# +# SCIF Driver +# + +# +# Intel MIC Coprocessor State Management (COSM) Drivers +# + +# +# VOP Driver +# +# CONFIG_GENWQE is not set +# CONFIG_ECHO is not set +# CONFIG_CXL_BASE is not set +# CONFIG_CXL_AFU_DRIVER_OPS is not set +# CONFIG_CXL_LIB is not set +CONFIG_HAVE_IDE=y +# CONFIG_IDE is not set + +# +# SCSI device support +# +CONFIG_SCSI_MOD=y +# CONFIG_RAID_ATTRS is not set +# CONFIG_SCSI is not set +# CONFIG_SCSI_DMA is not set +# CONFIG_SCSI_NETLINK is not set +# CONFIG_ATA is not set +# CONFIG_MD is not set +# CONFIG_FUSION is not set + +# +# IEEE 1394 (FireWire) support +# +# CONFIG_FIREWIRE is not set +# CONFIG_FIREWIRE_NOSY is not set +# CONFIG_MACINTOSH_DRIVERS is not set +CONFIG_NETDEVICES=y +CONFIG_NET_CORE=y +# CONFIG_BONDING is not set +CONFIG_DUMMY=y +# CONFIG_EQUALIZER is not set +# CONFIG_NET_TEAM is not set +# CONFIG_MACVLAN is not set +# CONFIG_VXLAN is not set +# CONFIG_GENEVE is not set +# CONFIG_GTP is not set +CONFIG_MACSEC=y +# CONFIG_NETCONSOLE is not set +# CONFIG_NETPOLL is not set +# CONFIG_NET_POLL_CONTROLLER is not set +CONFIG_TUN=y +# CONFIG_TUN_VNET_CROSS_LE is not set +# CONFIG_VETH is not set +CONFIG_VIRTIO_NET=y +# CONFIG_NLMON is not set +# CONFIG_ARCNET is not set + +# +# CAIF transport drivers +# + +# +# Distributed Switch Architecture drivers +# +CONFIG_ETHERNET=y +CONFIG_NET_VENDOR_3COM=y +# CONFIG_VORTEX is not set +# CONFIG_TYPHOON is not set +CONFIG_NET_VENDOR_ADAPTEC=y +# CONFIG_ADAPTEC_STARFIRE is not set +CONFIG_NET_VENDOR_AGERE=y +# CONFIG_ET131X is not set +CONFIG_NET_VENDOR_ALACRITECH=y +# CONFIG_SLICOSS is not set +CONFIG_NET_VENDOR_ALTEON=y +# CONFIG_ACENIC is not set +# CONFIG_ALTERA_TSE is not set +CONFIG_NET_VENDOR_AMAZON=y +# CONFIG_ENA_ETHERNET is not set +CONFIG_NET_VENDOR_AMD=y +# CONFIG_AMD8111_ETH is not set +# CONFIG_PCNET32 is not set +# CONFIG_AMD_XGBE is not set +# CONFIG_AMD_XGBE_HAVE_ECC is not set +CONFIG_NET_VENDOR_AQUANTIA=y +# CONFIG_AQTION is not set +# CONFIG_NET_VENDOR_ARC is not set +CONFIG_NET_VENDOR_ATHEROS=y +# CONFIG_ATL2 is not set +# CONFIG_ATL1 is not set +# CONFIG_ATL1E is not set +# CONFIG_ATL1C is not set +# CONFIG_ALX is not set +# CONFIG_NET_VENDOR_AURORA is not set +CONFIG_NET_CADENCE=y +# CONFIG_MACB is not set +CONFIG_NET_VENDOR_BROADCOM=y +# CONFIG_B44 is not set +# CONFIG_BCMGENET is not set +# CONFIG_BNX2 is not set +# CONFIG_CNIC is not set +# CONFIG_TIGON3 is not set +# CONFIG_BNX2X is not set +# CONFIG_BNXT is not set +CONFIG_NET_VENDOR_BROCADE=y +# CONFIG_BNA is not set +CONFIG_NET_VENDOR_CAVIUM=y +# CONFIG_THUNDER_NIC_PF is not set +# CONFIG_THUNDER_NIC_VF is not set +# CONFIG_THUNDER_NIC_BGX is not set +# CONFIG_THUNDER_NIC_RGX is not set +# CONFIG_LIQUIDIO is not set +# CONFIG_LIQUIDIO_VF is not set +CONFIG_NET_VENDOR_CHELSIO=y +# CONFIG_CHELSIO_T1 is not set +# CONFIG_CHELSIO_T3 is not set +# CONFIG_CHELSIO_T4 is not set +# CONFIG_CHELSIO_T4VF is not set +CONFIG_NET_VENDOR_CISCO=y +# CONFIG_ENIC is not set +# CONFIG_CX_ECAT is not set +# CONFIG_DNET is not set +CONFIG_NET_VENDOR_DEC=y +# CONFIG_NET_TULIP is not set +CONFIG_NET_VENDOR_DLINK=y +# CONFIG_DL2K is not set +# CONFIG_SUNDANCE is not set +CONFIG_NET_VENDOR_EMULEX=y +# CONFIG_BE2NET is not set +CONFIG_NET_VENDOR_EZCHIP=y +CONFIG_NET_VENDOR_EXAR=y +# CONFIG_S2IO is not set +# CONFIG_VXGE is not set +CONFIG_NET_VENDOR_HP=y +# CONFIG_HP100 is not set +CONFIG_NET_VENDOR_INTEL=y +# CONFIG_E100 is not set +# CONFIG_E1000 is not set +# CONFIG_E1000E is not set +# CONFIG_IGB is not set +# CONFIG_IGBVF is not set +# CONFIG_IXGB is not set +# CONFIG_IXGBE is not set +# CONFIG_IXGBEVF is not set +# CONFIG_I40E is not set +# CONFIG_I40EVF is not set +# CONFIG_FM10K is not set +CONFIG_NET_VENDOR_I825XX=y +# CONFIG_JME is not set +CONFIG_NET_VENDOR_MARVELL=y +# CONFIG_MVMDIO is not set +# CONFIG_SKGE is not set +# CONFIG_SKY2 is not set +CONFIG_NET_VENDOR_MELLANOX=y +# CONFIG_MLX4_EN is not set +# CONFIG_MLX4_CORE is not set +# CONFIG_MLX5_CORE is not set +# CONFIG_MLXSW_CORE is not set +# CONFIG_MLXFW is not set +CONFIG_NET_VENDOR_MICREL=y +# CONFIG_KS8851_MLL is not set +# CONFIG_KSZ884X_PCI is not set +CONFIG_NET_VENDOR_MYRI=y +# CONFIG_MYRI10GE is not set +# CONFIG_FEALNX is not set +CONFIG_NET_VENDOR_NATSEMI=y +# CONFIG_NATSEMI is not set +# CONFIG_NS83820 is not set +CONFIG_NET_VENDOR_NETRONOME=y +# CONFIG_NFP is not set +CONFIG_NET_VENDOR_8390=y +# CONFIG_NE2K_PCI is not set +CONFIG_NET_VENDOR_NVIDIA=y +# CONFIG_FORCEDETH is not set +CONFIG_NET_VENDOR_OKI=y +# CONFIG_ETHOC is not set +CONFIG_NET_PACKET_ENGINE=y +# CONFIG_HAMACHI is not set +# CONFIG_YELLOWFIN is not set +CONFIG_NET_VENDOR_QLOGIC=y +# CONFIG_QLA3XXX is not set +# CONFIG_QLCNIC is not set +# CONFIG_QLGE is not set +# CONFIG_NETXEN_NIC is not set +# CONFIG_QED is not set +CONFIG_NET_VENDOR_QUALCOMM=y +# CONFIG_QCOM_EMAC is not set +CONFIG_NET_VENDOR_REALTEK=y +# CONFIG_8139CP is not set +# CONFIG_8139TOO is not set +# CONFIG_R8169 is not set +CONFIG_NET_VENDOR_RENESAS=y +CONFIG_NET_VENDOR_RDC=y +# CONFIG_R6040 is not set +CONFIG_NET_VENDOR_ROCKER=y +CONFIG_NET_VENDOR_SAMSUNG=y +# CONFIG_SXGBE_ETH is not set +CONFIG_NET_VENDOR_SEEQ=y +CONFIG_NET_VENDOR_SILAN=y +# CONFIG_SC92031 is not set +CONFIG_NET_VENDOR_SIS=y +# CONFIG_SIS900 is not set +# CONFIG_SIS190 is not set +CONFIG_NET_VENDOR_SOLARFLARE=y +# CONFIG_SFC is not set +# CONFIG_SFC_FALCON is not set +CONFIG_NET_VENDOR_SMSC=y +# CONFIG_EPIC100 is not set +# CONFIG_SMSC911X is not set +# CONFIG_SMSC9420 is not set +CONFIG_NET_VENDOR_STMICRO=y +# CONFIG_STMMAC_ETH is not set +CONFIG_NET_VENDOR_SUN=y +# CONFIG_HAPPYMEAL is not set +# CONFIG_SUNGEM is not set +# CONFIG_CASSINI is not set +# CONFIG_NIU is not set +CONFIG_NET_VENDOR_TEHUTI=y +# CONFIG_TEHUTI is not set +CONFIG_NET_VENDOR_TI=y +# CONFIG_TI_CPSW_ALE is not set +# CONFIG_TLAN is not set +CONFIG_NET_VENDOR_VIA=y +# CONFIG_VIA_RHINE is not set +# CONFIG_VIA_VELOCITY is not set +CONFIG_NET_VENDOR_WIZNET=y +# CONFIG_WIZNET_W5100 is not set +# CONFIG_WIZNET_W5300 is not set +CONFIG_NET_VENDOR_SYNOPSYS=y +# CONFIG_DWC_XLGMAC is not set +# CONFIG_FDDI is not set +# CONFIG_HIPPI is not set +# CONFIG_NET_SB1000 is not set +# CONFIG_MDIO_DEVICE is not set +# CONFIG_MDIO_BUS is not set +# CONFIG_PHYLIB is not set +# CONFIG_PPP is not set +# CONFIG_SLIP is not set + +# +# Host-side USB support is needed for USB Network Adapter support +# +CONFIG_WLAN=y +CONFIG_WLAN_VENDOR_ADMTEK=y +CONFIG_WLAN_VENDOR_ATH=y +# CONFIG_ATH_DEBUG is not set +# CONFIG_ATH5K_PCI is not set +CONFIG_WLAN_VENDOR_ATMEL=y +CONFIG_WLAN_VENDOR_BROADCOM=y +CONFIG_WLAN_VENDOR_CISCO=y +CONFIG_WLAN_VENDOR_INTEL=y +CONFIG_WLAN_VENDOR_INTERSIL=y +# CONFIG_HOSTAP is not set +# CONFIG_PRISM54 is not set +CONFIG_WLAN_VENDOR_MARVELL=y +CONFIG_WLAN_VENDOR_MEDIATEK=y +CONFIG_WLAN_VENDOR_RALINK=y +CONFIG_WLAN_VENDOR_REALTEK=y +CONFIG_WLAN_VENDOR_RSI=y +CONFIG_WLAN_VENDOR_ST=y +CONFIG_WLAN_VENDOR_TI=y +CONFIG_WLAN_VENDOR_ZYDAS=y +CONFIG_WLAN_VENDOR_QUANTENNA=y + +# +# Enable WiMAX (Networking options) to see the WiMAX drivers +# +# CONFIG_WAN is not set +# CONFIG_VMXNET3 is not set +# CONFIG_FUJITSU_ES is not set +# CONFIG_ISDN is not set +# CONFIG_NVM is not set + +# +# Input device support +# +CONFIG_INPUT=y +# CONFIG_INPUT_FF_MEMLESS is not set +# CONFIG_INPUT_POLLDEV is not set +# CONFIG_INPUT_SPARSEKMAP is not set +# CONFIG_INPUT_MATRIXKMAP is not set + +# +# Userland interfaces +# +CONFIG_INPUT_MOUSEDEV=y +CONFIG_INPUT_MOUSEDEV_PSAUX=y +CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 +CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 +# CONFIG_INPUT_JOYDEV is not set +CONFIG_INPUT_EVDEV=y +# CONFIG_INPUT_EVBUG is not set + +# +# Input Device Drivers +# +CONFIG_INPUT_KEYBOARD=y +CONFIG_KEYBOARD_ATKBD=y +# CONFIG_KEYBOARD_LKKBD is not set +# CONFIG_KEYBOARD_NEWTON is not set +# CONFIG_KEYBOARD_OPENCORES is not set +# CONFIG_KEYBOARD_SAMSUNG is not set +# CONFIG_KEYBOARD_STOWAWAY is not set +# CONFIG_KEYBOARD_SUNKBD is not set +# CONFIG_KEYBOARD_XTKBD is not set +CONFIG_INPUT_MOUSE=y +CONFIG_MOUSE_PS2=y +CONFIG_MOUSE_PS2_ALPS=y +CONFIG_MOUSE_PS2_BYD=y +CONFIG_MOUSE_PS2_LOGIPS2PP=y +CONFIG_MOUSE_PS2_SYNAPTICS=y +CONFIG_MOUSE_PS2_CYPRESS=y +CONFIG_MOUSE_PS2_LIFEBOOK=y +CONFIG_MOUSE_PS2_TRACKPOINT=y +# CONFIG_MOUSE_PS2_ELANTECH is not set +# CONFIG_MOUSE_PS2_SENTELIC is not set +# CONFIG_MOUSE_PS2_TOUCHKIT is not set +CONFIG_MOUSE_PS2_FOCALTECH=y +# CONFIG_MOUSE_SERIAL is not set +# CONFIG_MOUSE_APPLETOUCH is not set +# CONFIG_MOUSE_BCM5974 is not set +# CONFIG_MOUSE_VSXXXAA is not set +# CONFIG_MOUSE_SYNAPTICS_USB is not set +# CONFIG_INPUT_JOYSTICK is not set +# CONFIG_INPUT_TABLET is not set +# CONFIG_INPUT_TOUCHSCREEN is not set +# CONFIG_INPUT_MISC is not set +# CONFIG_RMI4_CORE is not set + +# +# Hardware I/O ports +# +CONFIG_SERIO=y +CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y +CONFIG_SERIO_I8042=y +CONFIG_SERIO_SERPORT=y +# CONFIG_SERIO_CT82C710 is not set +# CONFIG_SERIO_PCIPS2 is not set +CONFIG_SERIO_LIBPS2=y +# CONFIG_SERIO_RAW is not set +# CONFIG_SERIO_ALTERA_PS2 is not set +# CONFIG_SERIO_PS2MULT is not set +# CONFIG_SERIO_ARC_PS2 is not set +# CONFIG_USERIO is not set +# CONFIG_GAMEPORT is not set + +# +# Character devices +# +CONFIG_TTY=y +CONFIG_VT=y +CONFIG_CONSOLE_TRANSLATIONS=y +CONFIG_VT_CONSOLE=y +CONFIG_VT_CONSOLE_SLEEP=y +CONFIG_HW_CONSOLE=y +# CONFIG_VT_HW_CONSOLE_BINDING is not set +CONFIG_UNIX98_PTYS=y +CONFIG_LEGACY_PTYS=y +CONFIG_LEGACY_PTY_COUNT=256 +# CONFIG_SERIAL_NONSTANDARD is not set +# CONFIG_NOZOMI is not set +# CONFIG_N_GSM is not set +# CONFIG_TRACE_SINK is not set +CONFIG_DEVMEM=y +CONFIG_DEVKMEM=y + +# +# Serial drivers +# +# CONFIG_SERIAL_8250 is not set + +# +# Non-8250 serial port support +# +# CONFIG_SERIAL_UARTLITE is not set +# CONFIG_SERIAL_JSM is not set +# CONFIG_SERIAL_SCCNXP is not set +# CONFIG_SERIAL_ALTERA_JTAGUART is not set +# CONFIG_SERIAL_ALTERA_UART is not set +# CONFIG_SERIAL_ARC is not set +# CONFIG_SERIAL_RP2 is not set +# CONFIG_SERIAL_FSL_LPUART is not set +# CONFIG_SERIAL_DEV_BUS is not set +CONFIG_HVC_DRIVER=y +CONFIG_VIRTIO_CONSOLE=y +# CONFIG_IPMI_HANDLER is not set +# CONFIG_HW_RANDOM is not set +# CONFIG_NVRAM is not set +# CONFIG_R3964 is not set +# CONFIG_APPLICOM is not set +# CONFIG_MWAVE is not set +# CONFIG_RAW_DRIVER is not set +# CONFIG_HPET is not set +# CONFIG_HANGCHECK_TIMER is not set +# CONFIG_TCG_TPM is not set +# CONFIG_TELCLOCK is not set +CONFIG_DEVPORT=y +# CONFIG_XILLYBUS is not set + +# +# I2C support +# +# CONFIG_I2C is not set +# CONFIG_SPI is not set +# CONFIG_SPMI is not set +# CONFIG_HSI is not set +# CONFIG_PPS is not set + +# +# PTP clock support +# +# CONFIG_PTP_1588_CLOCK is not set + +# +# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks. +# +# CONFIG_GPIOLIB is not set +# CONFIG_W1 is not set +# CONFIG_POWER_AVS is not set +# CONFIG_POWER_RESET is not set +CONFIG_POWER_SUPPLY=y +# CONFIG_POWER_SUPPLY_DEBUG is not set +# CONFIG_PDA_POWER is not set +# CONFIG_TEST_POWER is not set +# CONFIG_BATTERY_DS2780 is not set +# CONFIG_BATTERY_DS2781 is not set +# CONFIG_BATTERY_BQ27XXX is not set +# CONFIG_CHARGER_MAX8903 is not set +CONFIG_HWMON=y +# CONFIG_HWMON_VID is not set +# CONFIG_HWMON_DEBUG_CHIP is not set + +# +# Native drivers +# +# CONFIG_SENSORS_ABITUGURU is not set +# CONFIG_SENSORS_ABITUGURU3 is not set +# CONFIG_SENSORS_K8TEMP is not set +# CONFIG_SENSORS_K10TEMP is not set +# CONFIG_SENSORS_FAM15H_POWER is not set +# CONFIG_SENSORS_APPLESMC is not set +# CONFIG_SENSORS_ASPEED is not set +# CONFIG_SENSORS_DELL_SMM is not set +# CONFIG_SENSORS_I5K_AMB is not set +# CONFIG_SENSORS_F71805F is not set +# CONFIG_SENSORS_F71882FG is not set +# CONFIG_SENSORS_I5500 is not set +# CONFIG_SENSORS_CORETEMP is not set +# CONFIG_SENSORS_IT87 is not set +# CONFIG_SENSORS_MAX197 is not set +# CONFIG_SENSORS_PC87360 is not set +# CONFIG_SENSORS_PC87427 is not set +# CONFIG_SENSORS_NTC_THERMISTOR is not set +# CONFIG_SENSORS_NCT6683 is not set +# CONFIG_SENSORS_NCT6775 is not set +# CONFIG_SENSORS_SIS5595 is not set +# CONFIG_SENSORS_SMSC47M1 is not set +# CONFIG_SENSORS_SMSC47B397 is not set +# CONFIG_SENSORS_SCH56XX_COMMON is not set +# CONFIG_SENSORS_VIA_CPUTEMP is not set +# CONFIG_SENSORS_VIA686A is not set +# CONFIG_SENSORS_VT1211 is not set +# CONFIG_SENSORS_VT8231 is not set +# CONFIG_SENSORS_W83627HF is not set +# CONFIG_SENSORS_W83627EHF is not set + +# +# ACPI drivers +# +# CONFIG_SENSORS_ACPI_POWER is not set +# CONFIG_SENSORS_ATK0110 is not set +CONFIG_THERMAL=y +CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0 +CONFIG_THERMAL_HWMON=y +# CONFIG_THERMAL_WRITABLE_TRIPS is not set +CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y +# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set +# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set +# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set +# CONFIG_THERMAL_GOV_FAIR_SHARE is not set +CONFIG_THERMAL_GOV_STEP_WISE=y +# CONFIG_THERMAL_GOV_BANG_BANG is not set +# CONFIG_THERMAL_GOV_USER_SPACE is not set +# CONFIG_THERMAL_GOV_POWER_ALLOCATOR is not set +# CONFIG_THERMAL_EMULATION is not set +# CONFIG_INTEL_POWERCLAMP is not set +# CONFIG_INTEL_SOC_DTS_THERMAL is not set + +# +# ACPI INT340X thermal drivers +# +# CONFIG_INT340X_THERMAL is not set +# CONFIG_INTEL_PCH_THERMAL is not set +# CONFIG_WATCHDOG is not set +CONFIG_SSB_POSSIBLE=y + +# +# Sonics Silicon Backplane +# +# CONFIG_SSB is not set +CONFIG_BCMA_POSSIBLE=y + +# +# Broadcom specific AMBA +# +# CONFIG_BCMA is not set + +# +# Multifunction device drivers +# +# CONFIG_MFD_CORE is not set +# CONFIG_MFD_CROS_EC is not set +# CONFIG_HTC_PASIC3 is not set +# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set +# CONFIG_LPC_ICH is not set +# CONFIG_LPC_SCH is not set +# CONFIG_MFD_INTEL_LPSS_ACPI is not set +# CONFIG_MFD_INTEL_LPSS_PCI is not set +# CONFIG_MFD_JANZ_CMODIO is not set +# CONFIG_MFD_KEMPLD is not set +# CONFIG_MFD_MT6397 is not set +# CONFIG_MFD_RDC321X is not set +# CONFIG_MFD_RTSX_PCI is not set +# CONFIG_MFD_SM501 is not set +# CONFIG_ABX500_CORE is not set +# CONFIG_MFD_SYSCON is not set +# CONFIG_MFD_TI_AM335X_TSCADC is not set +# CONFIG_MFD_TMIO is not set +# CONFIG_MFD_VX855 is not set +# CONFIG_REGULATOR is not set +# CONFIG_MEDIA_SUPPORT is not set + +# +# Graphics support +# +# CONFIG_AGP is not set +CONFIG_VGA_ARB=y +CONFIG_VGA_ARB_MAX_GPUS=16 +# CONFIG_VGA_SWITCHEROO is not set +# CONFIG_DRM is not set + +# +# ACP (Audio CoProcessor) Configuration +# +# CONFIG_DRM_LIB_RANDOM is not set + +# +# Frame buffer Devices +# +# CONFIG_FB is not set +# CONFIG_BACKLIGHT_LCD_SUPPORT is not set +# CONFIG_VGASTATE is not set + +# +# Console display driver support +# +CONFIG_VGA_CONSOLE=y +# CONFIG_VGACON_SOFT_SCROLLBACK is not set +CONFIG_DUMMY_CONSOLE=y +CONFIG_DUMMY_CONSOLE_COLUMNS=80 +CONFIG_DUMMY_CONSOLE_ROWS=25 +CONFIG_SOUND=y +# CONFIG_SOUND_OSS_CORE is not set +# CONFIG_SND is not set + +# +# HID support +# +CONFIG_HID=y +# CONFIG_HID_BATTERY_STRENGTH is not set +# CONFIG_HIDRAW is not set +# CONFIG_UHID is not set +CONFIG_HID_GENERIC=y + +# +# Special HID drivers +# +CONFIG_HID_A4TECH=y +# CONFIG_HID_ACRUX is not set +CONFIG_HID_APPLE=y +# CONFIG_HID_AUREAL is not set +CONFIG_HID_BELKIN=y +CONFIG_HID_CHERRY=y +CONFIG_HID_CHICONY=y +# CONFIG_HID_CMEDIA is not set +CONFIG_HID_CYPRESS=y +# CONFIG_HID_DRAGONRISE is not set +# CONFIG_HID_EMS_FF is not set +# CONFIG_HID_ELECOM is not set +CONFIG_HID_EZKEY=y +# CONFIG_HID_GEMBIRD is not set +# CONFIG_HID_GFRM is not set +# CONFIG_HID_KEYTOUCH is not set +# CONFIG_HID_KYE is not set +# CONFIG_HID_WALTOP is not set +# CONFIG_HID_GYRATION is not set +# CONFIG_HID_ICADE is not set +CONFIG_HID_ITE=y +# CONFIG_HID_TWINHAN is not set +CONFIG_HID_KENSINGTON=y +# CONFIG_HID_LCPOWER is not set +# CONFIG_HID_LENOVO is not set +CONFIG_HID_LOGITECH=y +# CONFIG_HID_LOGITECH_HIDPP is not set +# CONFIG_LOGITECH_FF is not set +# CONFIG_LOGIRUMBLEPAD2_FF is not set +# CONFIG_LOGIG940_FF is not set +# CONFIG_LOGIWHEELS_FF is not set +# CONFIG_HID_MAGICMOUSE is not set +# CONFIG_HID_MAYFLASH is not set +CONFIG_HID_MICROSOFT=y +CONFIG_HID_MONTEREY=y +# CONFIG_HID_MULTITOUCH is not set +# CONFIG_HID_NTI is not set +# CONFIG_HID_ORTEK is not set +# CONFIG_HID_PANTHERLORD is not set +# CONFIG_HID_PETALYNX is not set +# CONFIG_HID_PICOLCD is not set +CONFIG_HID_PLANTRONICS=y +# CONFIG_HID_PRIMAX is not set +# CONFIG_HID_SAITEK is not set +# CONFIG_HID_SAMSUNG is not set +# CONFIG_HID_SPEEDLINK is not set +# CONFIG_HID_STEELSERIES is not set +# CONFIG_HID_SUNPLUS is not set +# CONFIG_HID_RMI is not set +# CONFIG_HID_GREENASIA is not set +# CONFIG_HID_SMARTJOYPLUS is not set +# CONFIG_HID_TIVO is not set +# CONFIG_HID_TOPSEED is not set +# CONFIG_HID_THRUSTMASTER is not set +# CONFIG_HID_UDRAW_PS3 is not set +# CONFIG_HID_WACOM is not set +# CONFIG_HID_XINMO is not set +# CONFIG_HID_ZEROPLUS is not set +# CONFIG_HID_ZYDACRON is not set +# CONFIG_HID_SENSOR_HUB is not set +# CONFIG_HID_ALPS is not set + +# +# Intel ISH HID support +# +# CONFIG_INTEL_ISH_HID is not set +CONFIG_USB_OHCI_LITTLE_ENDIAN=y +CONFIG_USB_SUPPORT=y +CONFIG_USB_ARCH_HAS_HCD=y +# CONFIG_USB is not set +CONFIG_USB_PCI=y + +# +# USB port drivers +# + +# +# USB Physical Layer drivers +# +# CONFIG_USB_PHY is not set +# CONFIG_NOP_USB_XCEIV is not set +# CONFIG_USB_GADGET is not set + +# +# USB Power Delivery and Type-C drivers +# +# CONFIG_TYPEC_UCSI is not set +# CONFIG_USB_ULPI_BUS is not set +# CONFIG_UWB is not set +# CONFIG_MMC is not set +# CONFIG_MEMSTICK is not set +# CONFIG_NEW_LEDS is not set +# CONFIG_ACCESSIBILITY is not set +# CONFIG_INFINIBAND is not set +CONFIG_EDAC_ATOMIC_SCRUB=y +CONFIG_EDAC_SUPPORT=y +CONFIG_RTC_LIB=y +CONFIG_RTC_MC146818_LIB=y +# CONFIG_RTC_CLASS is not set +# CONFIG_DMADEVICES is not set + +# +# DMABUF options +# +# CONFIG_SYNC_FILE is not set +# CONFIG_AUXDISPLAY is not set +# CONFIG_UIO is not set +# CONFIG_VIRT_DRIVERS is not set +CONFIG_VIRTIO=y + +# +# Virtio drivers +# +CONFIG_VIRTIO_PCI=y +CONFIG_VIRTIO_PCI_LEGACY=y +CONFIG_VIRTIO_BALLOON=y +# CONFIG_VIRTIO_INPUT is not set +CONFIG_VIRTIO_MMIO=y +# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set + +# +# Microsoft Hyper-V guest support +# +# CONFIG_HYPERV_TSCPAGE is not set +# CONFIG_STAGING is not set +CONFIG_X86_PLATFORM_DEVICES=y +# CONFIG_ACERHDF is not set +# CONFIG_DELL_SMO8800 is not set +# CONFIG_FUJITSU_TABLET is not set +# CONFIG_HP_ACCEL is not set +# CONFIG_HP_WIRELESS is not set +# CONFIG_SENSORS_HDAPS is not set +# CONFIG_INTEL_MENLOW is not set +# CONFIG_ASUS_WIRELESS is not set +# CONFIG_ACPI_WMI is not set +# CONFIG_TOPSTAR_LAPTOP is not set +# CONFIG_TOSHIBA_BT_RFKILL is not set +# CONFIG_TOSHIBA_HAPS is not set +# CONFIG_ACPI_CMPC is not set +# CONFIG_INTEL_HID_EVENT is not set +# CONFIG_INTEL_VBTN is not set +# CONFIG_INTEL_IPS is not set +# CONFIG_INTEL_PMC_CORE is not set +# CONFIG_IBM_RTL is not set +# CONFIG_SAMSUNG_Q10 is not set +# CONFIG_INTEL_RST is not set +# CONFIG_INTEL_SMARTCONNECT is not set +# CONFIG_PVPANIC is not set +# CONFIG_INTEL_PMC_IPC is not set +# CONFIG_SURFACE_PRO3_BUTTON is not set +# CONFIG_INTEL_PUNIT_IPC is not set +# CONFIG_MLX_PLATFORM is not set +# CONFIG_MLX_CPLD_PLATFORM is not set +CONFIG_PMC_ATOM=y +# CONFIG_CHROME_PLATFORMS is not set +CONFIG_CLKDEV_LOOKUP=y +CONFIG_HAVE_CLK_PREPARE=y +CONFIG_COMMON_CLK=y + +# +# Common Clock Framework +# +# CONFIG_COMMON_CLK_NXP is not set +# CONFIG_COMMON_CLK_PXA is not set +# CONFIG_COMMON_CLK_PIC32 is not set +# CONFIG_HWSPINLOCK is not set + +# +# Clock Source drivers +# +CONFIG_CLKEVT_I8253=y +CONFIG_I8253_LOCK=y +CONFIG_CLKBLD_I8253=y +# CONFIG_ATMEL_PIT is not set +# CONFIG_SH_TIMER_CMT is not set +# CONFIG_SH_TIMER_MTU2 is not set +# CONFIG_SH_TIMER_TMU is not set +# CONFIG_EM_TIMER_STI is not set +# CONFIG_MAILBOX is not set +CONFIG_IOMMU_SUPPORT=y + +# +# Generic IOMMU Pagetable Support +# +# CONFIG_AMD_IOMMU is not set +# CONFIG_INTEL_IOMMU is not set +# CONFIG_IRQ_REMAP is not set + +# +# Remoteproc drivers +# +# CONFIG_REMOTEPROC is not set + +# +# Rpmsg drivers +# + +# +# SOC (System On Chip) specific Drivers +# + +# +# Broadcom SoC drivers +# + +# +# i.MX SoC drivers +# +# CONFIG_SUNXI_SRAM is not set +# CONFIG_SOC_TI is not set +# CONFIG_PM_DEVFREQ is not set +# CONFIG_EXTCON is not set +# CONFIG_MEMORY is not set +# CONFIG_IIO is not set +# CONFIG_NTB is not set +# CONFIG_VME_BUS is not set +# CONFIG_PWM is not set +CONFIG_ARM_GIC_MAX_NR=1 +# CONFIG_IPACK_BUS is not set +# CONFIG_RESET_CONTROLLER is not set +# CONFIG_FMC is not set + +# +# PHY Subsystem +# +# CONFIG_GENERIC_PHY is not set +# CONFIG_BCM_KONA_USB2_PHY is not set +# CONFIG_PHY_PXA_28NM_HSIC is not set +# CONFIG_PHY_PXA_28NM_USB2 is not set +# CONFIG_POWERCAP is not set +# CONFIG_MCB is not set + +# +# Performance monitor support +# +# CONFIG_RAS is not set +# CONFIG_THUNDERBOLT is not set + +# +# Android +# +# CONFIG_ANDROID is not set +# CONFIG_LIBNVDIMM is not set +# CONFIG_DAX is not set +# CONFIG_NVMEM is not set +# CONFIG_STM is not set +# CONFIG_INTEL_TH is not set + +# +# FPGA Configuration Support +# +# CONFIG_FPGA is not set + +# +# FSI support +# +# CONFIG_FSI is not set + +# +# Firmware Drivers +# +# CONFIG_EDD is not set +CONFIG_FIRMWARE_MEMMAP=y +# CONFIG_DELL_RBU is not set +# CONFIG_DCDBAS is not set +CONFIG_DMIID=y +# CONFIG_DMI_SYSFS is not set +CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y +# CONFIG_ISCSI_IBFT_FIND is not set +# CONFIG_FW_CFG_SYSFS is not set +# CONFIG_GOOGLE_FIRMWARE is not set +# CONFIG_EFI_DEV_PATH_PARSER is not set + +# +# Tegra firmware driver +# + +# +# File systems +# +CONFIG_DCACHE_WORD_ACCESS=y +CONFIG_EXT2_FS=y +# CONFIG_EXT2_FS_XATTR is not set +CONFIG_EXT3_FS=y +# CONFIG_EXT3_FS_POSIX_ACL is not set +# CONFIG_EXT3_FS_SECURITY is not set +CONFIG_EXT4_FS=y +# CONFIG_EXT4_FS_POSIX_ACL is not set +# CONFIG_EXT4_FS_SECURITY is not set +# CONFIG_EXT4_ENCRYPTION is not set +# CONFIG_EXT4_DEBUG is not set +CONFIG_JBD2=y +# CONFIG_JBD2_DEBUG is not set +CONFIG_FS_MBCACHE=y +CONFIG_REISERFS_FS=y +# CONFIG_REISERFS_CHECK is not set +# CONFIG_REISERFS_PROC_INFO is not set +# CONFIG_REISERFS_FS_XATTR is not set +# CONFIG_JFS_FS is not set +# CONFIG_XFS_FS is not set +# CONFIG_GFS2_FS is not set +# CONFIG_BTRFS_FS is not set +# CONFIG_NILFS2_FS is not set +# CONFIG_F2FS_FS is not set +# CONFIG_FS_DAX is not set +CONFIG_FS_POSIX_ACL=y +CONFIG_EXPORTFS=y +# CONFIG_EXPORTFS_BLOCK_OPS is not set +CONFIG_FILE_LOCKING=y +CONFIG_MANDATORY_FILE_LOCKING=y +# CONFIG_FS_ENCRYPTION is not set +CONFIG_FSNOTIFY=y +CONFIG_DNOTIFY=y +CONFIG_INOTIFY_USER=y +# CONFIG_FANOTIFY is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_AUTOFS4_FS=y +# CONFIG_FUSE_FS is not set +# CONFIG_OVERLAY_FS is not set + +# +# Caches +# +# CONFIG_FSCACHE is not set + +# +# CD-ROM/DVD Filesystems +# +CONFIG_ISO9660_FS=y +CONFIG_JOLIET=y +# CONFIG_ZISOFS is not set +# CONFIG_UDF_FS is not set + +# +# DOS/FAT/NT Filesystems +# +# CONFIG_MSDOS_FS is not set +# CONFIG_VFAT_FS is not set +# CONFIG_NTFS_FS is not set + +# +# Pseudo filesystems +# +CONFIG_PROC_FS=y +CONFIG_PROC_KCORE=y +CONFIG_PROC_SYSCTL=y +CONFIG_PROC_PAGE_MONITOR=y +# CONFIG_PROC_CHILDREN is not set +CONFIG_KERNFS=y +CONFIG_SYSFS=y +CONFIG_TMPFS=y +# CONFIG_TMPFS_POSIX_ACL is not set +# CONFIG_TMPFS_XATTR is not set +# CONFIG_HUGETLBFS is not set +# CONFIG_HUGETLB_PAGE is not set +# CONFIG_CONFIGFS_FS is not set +CONFIG_MISC_FILESYSTEMS=y +# CONFIG_ORANGEFS_FS is not set +# CONFIG_ADFS_FS is not set +# CONFIG_AFFS_FS is not set +# CONFIG_HFS_FS is not set +# CONFIG_HFSPLUS_FS is not set +# CONFIG_BEFS_FS is not set +# CONFIG_BFS_FS is not set +# CONFIG_EFS_FS is not set +# CONFIG_CRAMFS is not set +# CONFIG_SQUASHFS is not set +# CONFIG_VXFS_FS is not set +# CONFIG_MINIX_FS is not set +# CONFIG_OMFS_FS is not set +# CONFIG_HPFS_FS is not set +# CONFIG_QNX4FS_FS is not set +# CONFIG_QNX6FS_FS is not set +# CONFIG_ROMFS_FS is not set +# CONFIG_PSTORE is not set +# CONFIG_SYSV_FS is not set +# CONFIG_UFS_FS is not set +CONFIG_NETWORK_FILESYSTEMS=y +# CONFIG_NFS_FS is not set +# CONFIG_NFSD is not set +# CONFIG_CEPH_FS is not set +# CONFIG_CIFS is not set +# CONFIG_NCP_FS is not set +# CONFIG_CODA_FS is not set +# CONFIG_AFS_FS is not set +CONFIG_9P_FS=y +CONFIG_9P_FS_POSIX_ACL=y +# CONFIG_9P_FS_SECURITY is not set +CONFIG_NLS=y +CONFIG_NLS_DEFAULT="iso8859-1" +# CONFIG_NLS_CODEPAGE_437 is not set +# CONFIG_NLS_CODEPAGE_737 is not set +# CONFIG_NLS_CODEPAGE_775 is not set +# CONFIG_NLS_CODEPAGE_850 is not set +# CONFIG_NLS_CODEPAGE_852 is not set +# CONFIG_NLS_CODEPAGE_855 is not set +# CONFIG_NLS_CODEPAGE_857 is not set +# CONFIG_NLS_CODEPAGE_860 is not set +# CONFIG_NLS_CODEPAGE_861 is not set +# CONFIG_NLS_CODEPAGE_862 is not set +# CONFIG_NLS_CODEPAGE_863 is not set +# CONFIG_NLS_CODEPAGE_864 is not set +# CONFIG_NLS_CODEPAGE_865 is not set +# CONFIG_NLS_CODEPAGE_866 is not set +# CONFIG_NLS_CODEPAGE_869 is not set +# CONFIG_NLS_CODEPAGE_936 is not set +# CONFIG_NLS_CODEPAGE_950 is not set +# CONFIG_NLS_CODEPAGE_932 is not set +# CONFIG_NLS_CODEPAGE_949 is not set +# CONFIG_NLS_CODEPAGE_874 is not set +# CONFIG_NLS_ISO8859_8 is not set +# CONFIG_NLS_CODEPAGE_1250 is not set +# CONFIG_NLS_CODEPAGE_1251 is not set +# CONFIG_NLS_ASCII is not set +# CONFIG_NLS_ISO8859_1 is not set +# CONFIG_NLS_ISO8859_2 is not set +# CONFIG_NLS_ISO8859_3 is not set +# CONFIG_NLS_ISO8859_4 is not set +# CONFIG_NLS_ISO8859_5 is not set +# CONFIG_NLS_ISO8859_6 is not set +# CONFIG_NLS_ISO8859_7 is not set +# CONFIG_NLS_ISO8859_9 is not set +# CONFIG_NLS_ISO8859_13 is not set +# CONFIG_NLS_ISO8859_14 is not set +# CONFIG_NLS_ISO8859_15 is not set +# CONFIG_NLS_KOI8_R is not set +# CONFIG_NLS_KOI8_U is not set +# CONFIG_NLS_MAC_ROMAN is not set +# CONFIG_NLS_MAC_CELTIC is not set +# CONFIG_NLS_MAC_CENTEURO is not set +# CONFIG_NLS_MAC_CROATIAN is not set +# CONFIG_NLS_MAC_CYRILLIC is not set +# CONFIG_NLS_MAC_GAELIC is not set +# CONFIG_NLS_MAC_GREEK is not set +# CONFIG_NLS_MAC_ICELAND is not set +# CONFIG_NLS_MAC_INUIT is not set +# CONFIG_NLS_MAC_ROMANIAN is not set +# CONFIG_NLS_MAC_TURKISH is not set +# CONFIG_NLS_UTF8 is not set + +# +# Kernel hacking +# +CONFIG_TRACE_IRQFLAGS_SUPPORT=y + +# +# printk and dmesg options +# +# CONFIG_PRINTK_TIME is not set +CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7 +CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 +# CONFIG_BOOT_PRINTK_DELAY is not set + +# +# Compile-time checks and compiler options +# +CONFIG_DEBUG_INFO=y +# CONFIG_DEBUG_INFO_REDUCED is not set +# CONFIG_DEBUG_INFO_SPLIT is not set +# CONFIG_DEBUG_INFO_DWARF4 is not set +# CONFIG_GDB_SCRIPTS is not set +CONFIG_ENABLE_WARN_DEPRECATED=y +CONFIG_ENABLE_MUST_CHECK=y +CONFIG_FRAME_WARN=1024 +# CONFIG_STRIP_ASM_SYMS is not set +# CONFIG_READABLE_ASM is not set +# CONFIG_UNUSED_SYMBOLS is not set +# CONFIG_PAGE_OWNER is not set +# CONFIG_DEBUG_FS is not set +# CONFIG_HEADERS_CHECK is not set +# CONFIG_DEBUG_SECTION_MISMATCH is not set +CONFIG_SECTION_MISMATCH_WARN_ONLY=y +CONFIG_ARCH_WANT_FRAME_POINTERS=y +CONFIG_FRAME_POINTER=y +# CONFIG_STACK_VALIDATION is not set +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +# CONFIG_MAGIC_SYSRQ is not set +CONFIG_DEBUG_KERNEL=y + +# +# Memory Debugging +# +# CONFIG_PAGE_EXTENSION is not set +# CONFIG_DEBUG_PAGEALLOC is not set +# CONFIG_PAGE_POISONING is not set +CONFIG_DEBUG_RODATA_TEST=y +# CONFIG_DEBUG_OBJECTS is not set +# CONFIG_DEBUG_SLAB is not set +CONFIG_HAVE_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set +# CONFIG_DEBUG_STACK_USAGE is not set +# CONFIG_DEBUG_VM is not set +CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y +# CONFIG_DEBUG_VIRTUAL is not set +CONFIG_DEBUG_MEMORY_INIT=y +CONFIG_HAVE_DEBUG_STACKOVERFLOW=y +# CONFIG_DEBUG_STACKOVERFLOW is not set +CONFIG_HAVE_ARCH_KMEMCHECK=y +CONFIG_HAVE_ARCH_KASAN=y +# CONFIG_KASAN is not set +CONFIG_ARCH_HAS_KCOV=y +# CONFIG_KCOV is not set +# CONFIG_DEBUG_SHIRQ is not set + +# +# Debug Lockups and Hangs +# +# CONFIG_SOFTLOCKUP_DETECTOR is not set +CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y +# CONFIG_HARDLOCKUP_DETECTOR is not set +CONFIG_DETECT_HUNG_TASK=y +CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 +# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set +CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0 +# CONFIG_WQ_WATCHDOG is not set +# CONFIG_PANIC_ON_OOPS is not set +CONFIG_PANIC_ON_OOPS_VALUE=0 +CONFIG_PANIC_TIMEOUT=0 +# CONFIG_SCHED_DEBUG is not set +# CONFIG_SCHED_INFO is not set +# CONFIG_SCHEDSTATS is not set +# CONFIG_SCHED_STACK_END_CHECK is not set +# CONFIG_DEBUG_TIMEKEEPING is not set + +# +# Lock Debugging (spinlocks, mutexes, etc...) +# +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_PROVE_LOCKING is not set +# CONFIG_LOCK_STAT is not set +# CONFIG_DEBUG_ATOMIC_SLEEP is not set +# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_WW_MUTEX_SELFTEST is not set +# CONFIG_STACKTRACE is not set +# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set +# CONFIG_DEBUG_KOBJECT is not set +CONFIG_DEBUG_BUGVERBOSE=y +# CONFIG_DEBUG_LIST is not set +# CONFIG_DEBUG_PI_LIST is not set +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_NOTIFIERS is not set +# CONFIG_DEBUG_CREDENTIALS is not set + +# +# RCU Debugging +# +# CONFIG_PROVE_RCU is not set +# CONFIG_TORTURE_TEST is not set +# CONFIG_RCU_PERF_TEST is not set +# CONFIG_RCU_TORTURE_TEST is not set +# CONFIG_RCU_TRACE is not set +# CONFIG_RCU_EQS_DEBUG is not set +# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set +# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set +# CONFIG_NOTIFIER_ERROR_INJECTION is not set +# CONFIG_FAULT_INJECTION is not set +# CONFIG_LATENCYTOP is not set +CONFIG_USER_STACKTRACE_SUPPORT=y +CONFIG_HAVE_FUNCTION_TRACER=y +CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y +CONFIG_HAVE_DYNAMIC_FTRACE=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y +CONFIG_HAVE_SYSCALL_TRACEPOINTS=y +CONFIG_HAVE_FENTRY=y +CONFIG_HAVE_C_RECORDMCOUNT=y +CONFIG_TRACING_SUPPORT=y +CONFIG_FTRACE=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_IRQSOFF_TRACER is not set +# CONFIG_SCHED_TRACER is not set +# CONFIG_HWLAT_TRACER is not set +# CONFIG_ENABLE_DEFAULT_TRACERS is not set +# CONFIG_FTRACE_SYSCALLS is not set +# CONFIG_TRACER_SNAPSHOT is not set +CONFIG_BRANCH_PROFILE_NONE=y +# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set +# CONFIG_PROFILE_ALL_BRANCHES is not set +# CONFIG_STACK_TRACER is not set +# CONFIG_BLK_DEV_IO_TRACE is not set +# CONFIG_UPROBE_EVENTS is not set +# CONFIG_PROBE_EVENTS is not set +# CONFIG_MMIOTRACE is not set +# CONFIG_HIST_TRIGGERS is not set +# CONFIG_TRACEPOINT_BENCHMARK is not set + +# +# Runtime Testing +# +# CONFIG_TEST_LIST_SORT is not set +# CONFIG_TEST_SORT is not set +# CONFIG_BACKTRACE_SELF_TEST is not set +# CONFIG_RBTREE_TEST is not set +# CONFIG_INTERVAL_TREE_TEST is not set +# CONFIG_ATOMIC64_SELFTEST is not set +# CONFIG_TEST_HEXDUMP is not set +# CONFIG_TEST_STRING_HELPERS is not set +# CONFIG_TEST_KSTRTOX is not set +# CONFIG_TEST_PRINTF is not set +# CONFIG_TEST_BITMAP is not set +# CONFIG_TEST_UUID is not set +# CONFIG_TEST_RHASHTABLE is not set +# CONFIG_TEST_HASH is not set +# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set +# CONFIG_DMA_API_DEBUG is not set +# CONFIG_TEST_FIRMWARE is not set +# CONFIG_TEST_SYSCTL is not set +# CONFIG_TEST_UDELAY is not set +# CONFIG_MEMTEST is not set +# CONFIG_BUG_ON_DATA_CORRUPTION is not set +# CONFIG_SAMPLES is not set +CONFIG_HAVE_ARCH_KGDB=y +# CONFIG_KGDB is not set +CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y +# CONFIG_ARCH_WANTS_UBSAN_NO_NULL is not set +# CONFIG_UBSAN is not set +CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y +# CONFIG_STRICT_DEVMEM is not set +CONFIG_X86_VERBOSE_BOOTUP=y +CONFIG_EARLY_PRINTK=y +# CONFIG_EARLY_PRINTK_DBGP is not set +# CONFIG_EARLY_PRINTK_USB_XDBC is not set +# CONFIG_X86_PTDUMP_CORE is not set +# CONFIG_X86_PTDUMP is not set +# CONFIG_DEBUG_WX is not set +CONFIG_DOUBLEFAULT=y +# CONFIG_DEBUG_TLBFLUSH is not set +# CONFIG_IOMMU_DEBUG is not set +# CONFIG_IOMMU_STRESS is not set +CONFIG_HAVE_MMIOTRACE_SUPPORT=y +CONFIG_IO_DELAY_TYPE_0X80=0 +CONFIG_IO_DELAY_TYPE_0XED=1 +CONFIG_IO_DELAY_TYPE_UDELAY=2 +CONFIG_IO_DELAY_TYPE_NONE=3 +CONFIG_IO_DELAY_0X80=y +# CONFIG_IO_DELAY_0XED is not set +# CONFIG_IO_DELAY_UDELAY is not set +# CONFIG_IO_DELAY_NONE is not set +CONFIG_DEFAULT_IO_DELAY_TYPE=0 +# CONFIG_CPA_DEBUG is not set +# CONFIG_OPTIMIZE_INLINING is not set +# CONFIG_DEBUG_ENTRY is not set +# CONFIG_DEBUG_NMI_SELFTEST is not set +CONFIG_X86_DEBUG_FPU=y +# CONFIG_PUNIT_ATOM_DEBUG is not set + +# +# Security options +# +# CONFIG_KEYS is not set +# CONFIG_SECURITY_DMESG_RESTRICT is not set +# CONFIG_SECURITY is not set +# CONFIG_SECURITYFS is not set +CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y +# CONFIG_HARDENED_USERCOPY is not set +# CONFIG_FORTIFY_SOURCE is not set +# CONFIG_STATIC_USERMODEHELPER is not set +CONFIG_DEFAULT_SECURITY_DAC=y +CONFIG_DEFAULT_SECURITY="" +CONFIG_CRYPTO=y + +# +# Crypto core or helper +# +CONFIG_CRYPTO_ALGAPI=y +CONFIG_CRYPTO_ALGAPI2=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_BLKCIPHER=y +CONFIG_CRYPTO_BLKCIPHER2=y +CONFIG_CRYPTO_HASH=y +CONFIG_CRYPTO_HASH2=y +CONFIG_CRYPTO_RNG=y +CONFIG_CRYPTO_RNG2=y +CONFIG_CRYPTO_RNG_DEFAULT=y +CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_KPP2=y +CONFIG_CRYPTO_KPP=y +CONFIG_CRYPTO_ACOMP2=y +# CONFIG_CRYPTO_RSA is not set +CONFIG_CRYPTO_DH=y +CONFIG_CRYPTO_ECDH=y +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MANAGER2=y +CONFIG_CRYPTO_USER=y +CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y +CONFIG_CRYPTO_GF128MUL=y +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_NULL2=y +CONFIG_CRYPTO_WORKQUEUE=y +CONFIG_CRYPTO_CRYPTD=y +CONFIG_CRYPTO_MCRYPTD=y +CONFIG_CRYPTO_AUTHENC=y +CONFIG_CRYPTO_ABLK_HELPER=y +CONFIG_CRYPTO_SIMD=y +CONFIG_CRYPTO_GLUE_HELPER_X86=y + +# +# Authenticated Encryption with Associated Data +# +CONFIG_CRYPTO_CCM=y +CONFIG_CRYPTO_GCM=y +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_SEQIV=y +CONFIG_CRYPTO_ECHAINIV=y + +# +# Block modes +# +CONFIG_CRYPTO_CBC=y +CONFIG_CRYPTO_CTR=y +# CONFIG_CRYPTO_CTS is not set +CONFIG_CRYPTO_ECB=y +CONFIG_CRYPTO_LRW=y +CONFIG_CRYPTO_PCBC=y +CONFIG_CRYPTO_XTS=y +# CONFIG_CRYPTO_KEYWRAP is not set + +# +# Hash modes +# +CONFIG_CRYPTO_CMAC=y +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_XCBC=y +# CONFIG_CRYPTO_VMAC is not set + +# +# Digest +# +CONFIG_CRYPTO_CRC32C=y +# CONFIG_CRYPTO_CRC32C_INTEL is not set +# CONFIG_CRYPTO_CRC32 is not set +# CONFIG_CRYPTO_CRC32_PCLMUL is not set +# CONFIG_CRYPTO_CRCT10DIF is not set +CONFIG_CRYPTO_GHASH=y +CONFIG_CRYPTO_POLY1305=y +CONFIG_CRYPTO_POLY1305_X86_64=y +CONFIG_CRYPTO_MD4=y +CONFIG_CRYPTO_MD5=y +CONFIG_CRYPTO_MICHAEL_MIC=y +CONFIG_CRYPTO_RMD128=y +CONFIG_CRYPTO_RMD160=y +CONFIG_CRYPTO_RMD256=y +CONFIG_CRYPTO_RMD320=y +CONFIG_CRYPTO_SHA1=y +# CONFIG_CRYPTO_SHA1_SSSE3 is not set +CONFIG_CRYPTO_SHA256_SSSE3=y +CONFIG_CRYPTO_SHA512_SSSE3=y +# CONFIG_CRYPTO_SHA1_MB is not set +CONFIG_CRYPTO_SHA256_MB=y +CONFIG_CRYPTO_SHA512_MB=y +CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_SHA512=y +CONFIG_CRYPTO_SHA3=y +CONFIG_CRYPTO_TGR192=y +CONFIG_CRYPTO_WP512=y +# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set + +# +# Ciphers +# +CONFIG_CRYPTO_AES=y +# CONFIG_CRYPTO_AES_TI is not set +CONFIG_CRYPTO_AES_X86_64=y +CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_ANUBIS=y +CONFIG_CRYPTO_ARC4=y +CONFIG_CRYPTO_BLOWFISH=y +CONFIG_CRYPTO_BLOWFISH_COMMON=y +CONFIG_CRYPTO_BLOWFISH_X86_64=y +CONFIG_CRYPTO_CAMELLIA=y +CONFIG_CRYPTO_CAMELLIA_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y +CONFIG_CRYPTO_CAST_COMMON=y +CONFIG_CRYPTO_CAST5=y +CONFIG_CRYPTO_CAST5_AVX_X86_64=y +CONFIG_CRYPTO_CAST6=y +CONFIG_CRYPTO_CAST6_AVX_X86_64=y +CONFIG_CRYPTO_DES=y +# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set +CONFIG_CRYPTO_FCRYPT=y +CONFIG_CRYPTO_KHAZAD=y +CONFIG_CRYPTO_SALSA20=y +CONFIG_CRYPTO_SALSA20_X86_64=y +CONFIG_CRYPTO_CHACHA20=y +CONFIG_CRYPTO_CHACHA20_X86_64=y +CONFIG_CRYPTO_SEED=y +CONFIG_CRYPTO_SERPENT=y +CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y +CONFIG_CRYPTO_TEA=y +CONFIG_CRYPTO_TWOFISH=y +CONFIG_CRYPTO_TWOFISH_COMMON=y +CONFIG_CRYPTO_TWOFISH_X86_64=y +CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y +CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y + +# +# Compression +# +CONFIG_CRYPTO_DEFLATE=y +CONFIG_CRYPTO_LZO=y +CONFIG_CRYPTO_842=y +CONFIG_CRYPTO_LZ4=y +CONFIG_CRYPTO_LZ4HC=y + +# +# Random Number Generation +# +# CONFIG_CRYPTO_ANSI_CPRNG is not set +CONFIG_CRYPTO_DRBG_MENU=y +CONFIG_CRYPTO_DRBG_HMAC=y +CONFIG_CRYPTO_DRBG_HASH=y +CONFIG_CRYPTO_DRBG_CTR=y +CONFIG_CRYPTO_DRBG=y +CONFIG_CRYPTO_JITTERENTROPY=y +CONFIG_CRYPTO_USER_API=y +CONFIG_CRYPTO_USER_API_HASH=y +CONFIG_CRYPTO_USER_API_SKCIPHER=y +# CONFIG_CRYPTO_USER_API_RNG is not set +CONFIG_CRYPTO_USER_API_AEAD=y +# CONFIG_CRYPTO_HW is not set + +# +# Certificates for signature checking +# +CONFIG_HAVE_KVM=y +CONFIG_VIRTUALIZATION=y +# CONFIG_KVM is not set +# CONFIG_VHOST_NET is not set +# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set +# CONFIG_BINARY_PRINTF is not set + +# +# Library routines +# +CONFIG_BITREVERSE=y +# CONFIG_HAVE_ARCH_BITREVERSE is not set +CONFIG_RATIONAL=y +CONFIG_GENERIC_STRNCPY_FROM_USER=y +CONFIG_GENERIC_STRNLEN_USER=y +CONFIG_GENERIC_NET_UTILS=y +CONFIG_GENERIC_FIND_FIRST_BIT=y +CONFIG_GENERIC_PCI_IOMAP=y +CONFIG_GENERIC_IOMAP=y +CONFIG_GENERIC_IO=y +CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y +CONFIG_ARCH_HAS_FAST_MULTIPLIER=y +CONFIG_CRC_CCITT=y +CONFIG_CRC16=y +# CONFIG_CRC_T10DIF is not set +CONFIG_CRC_ITU_T=y +CONFIG_CRC32=y +# CONFIG_CRC32_SELFTEST is not set +CONFIG_CRC32_SLICEBY8=y +# CONFIG_CRC32_SLICEBY4 is not set +# CONFIG_CRC32_SARWATE is not set +# CONFIG_CRC32_BIT is not set +# CONFIG_CRC4 is not set +CONFIG_CRC7=y +CONFIG_LIBCRC32C=y +# CONFIG_CRC8 is not set +# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set +# CONFIG_RANDOM32_SELFTEST is not set +CONFIG_842_COMPRESS=y +CONFIG_842_DECOMPRESS=y +CONFIG_ZLIB_INFLATE=y +CONFIG_ZLIB_DEFLATE=y +CONFIG_LZO_COMPRESS=y +CONFIG_LZO_DECOMPRESS=y +CONFIG_LZ4_COMPRESS=y +CONFIG_LZ4HC_COMPRESS=y +CONFIG_LZ4_DECOMPRESS=y +# CONFIG_XZ_DEC is not set +# CONFIG_XZ_DEC_BCJ is not set +CONFIG_TEXTSEARCH=y +CONFIG_TEXTSEARCH_KMP=y +CONFIG_TEXTSEARCH_BM=y +CONFIG_TEXTSEARCH_FSM=y +CONFIG_HAS_IOMEM=y +CONFIG_HAS_IOPORT_MAP=y +CONFIG_HAS_DMA=y +# CONFIG_DMA_NOOP_OPS is not set +# CONFIG_DMA_VIRT_OPS is not set +CONFIG_DQL=y +CONFIG_NLATTR=y +CONFIG_CLZ_TAB=y +# CONFIG_CORDIC is not set +# CONFIG_DDR is not set +# CONFIG_IRQ_POLL is not set +CONFIG_MPILIB=y +# CONFIG_SG_SPLIT is not set +# CONFIG_SG_POOL is not set +CONFIG_ARCH_HAS_SG_CHAIN=y +CONFIG_ARCH_HAS_PMEM_API=y +CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y +CONFIG_ARCH_HAS_MMIO_FLUSH=y +CONFIG_SBITMAP=y diff --git a/testing/do-tests b/testing/do-tests index e3fd9b464..38999ea61 100755 --- a/testing/do-tests +++ b/testing/do-tests @@ -825,7 +825,7 @@ do for host in $IPSECHOSTS do eval HOSTLOGIN=root@\$ipv4_${host} - ssh $SSHCONF $HOSTLOGIN "grep -s -E 'charon|last message repeated|imcv' \ + ssh $SSHCONF $HOSTLOGIN "grep -s -E 'systemd|swanctl|charon|last message repeated|imcv' \ /var/log/daemon.log" >> $TESTRESULTDIR/${host}.daemon.log done diff --git a/testing/hosts/default/etc/strongswan.conf.testing b/testing/hosts/default/etc/strongswan.conf.testing index b62355097..604769a49 100644 --- a/testing/hosts/default/etc/strongswan.conf.testing +++ b/testing/hosts/default/etc/strongswan.conf.testing @@ -7,6 +7,16 @@ charon { xfrm_acq_expires = 60 } } + syslog { + daemon { + } + auth { + default = 0 + } + } + journal { + default = -1 + } } include strongswan.conf diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage index 1264bd7ee..95453d620 100755 --- a/testing/scripts/build-baseimage +++ b/testing/scripts/build-baseimage @@ -18,7 +18,7 @@ INC=$INC,libxml2-dev,libtspi-dev,libsqlite3-dev,openssh-server,tcpdump,psmisc INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libltdl-dev,liblog4cxx10-dev INC=$INC,libboost-thread-dev,libboost-system-dev,git-core,iperf,htop,screen INC=$INC,gnat,gprbuild,acpid,acpi-support-base,libldns-dev,libunbound-dev -INC=$INC,dnsutils,libsoup2.4-dev,ca-certificates,unzip +INC=$INC,dnsutils,libsoup2.4-dev,ca-certificates,unzip,libsystemd-dev INC=$INC,python,python-setuptools,python-dev,python-pip,apt-transport-https INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev case "$BASEIMGSUITE" in diff --git a/testing/scripts/build-strongswan b/testing/scripts/build-strongswan index d4e9e922f..150fce30c 100755 --- a/testing/scripts/build-strongswan +++ b/testing/scripts/build-strongswan @@ -50,8 +50,7 @@ execute "bindfs -u $SRCUID -g $SRCGID $SWANDIR $LOOPDIR/root/strongswan" do_on_exit umount $LOOPDIR/root/strongswan log_action "Remove SWID tags of previous versions" -execute_chroot 'find /usr/local/share/regid.2004-03.org.strongswan -name *.swidtag -delete' -execute_chroot 'find /usr/local/share/strongswan -name *.swidtag -delete' +execute_chroot "find /usr/local/share -path '*strongswan*' -name *.swidtag -delete" echo "Building and installing strongSwan" diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk index 3c5f41834..80f779c7d 100644 --- a/testing/scripts/recipes/013_strongswan.mk +++ b/testing/scripts/recipes/013_strongswan.mk @@ -103,7 +103,8 @@ CONFIG_OPTS = \ --enable-lookip \ --enable-bliss \ --enable-sha3 \ - --enable-newhope + --enable-newhope \ + --enable-systemd export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat diff --git a/testing/ssh_config b/testing/ssh_config index 367683018..56a619002 100644 --- a/testing/ssh_config +++ b/testing/ssh_config @@ -1,4 +1,5 @@ Host * + LogLevel QUIET # debian default SendEnv LANG LC_* SendEnv LEAK_DETECTIVE_LOG diff --git a/testing/testing.conf b/testing/testing.conf index e22afc3e4..e33fb4fc9 100644 --- a/testing/testing.conf +++ b/testing/testing.conf @@ -31,7 +31,7 @@ fi : ${KERNELPATCH=ha-4.4-abicompat.patch.bz2} # strongSwan version used in tests -: ${SWANVERSION=5.6.0} +: ${SWANVERSION=5.6.1} # Build directory where the guest kernel and images will be built : ${BUILDDIR=$TESTDIR/build} diff --git a/testing/tests/af-alg/alg-camellia/description.txt b/testing/tests/af-alg/alg-camellia/description.txt index 87679788f..995ab4c65 100644 --- a/testing/tests/af-alg/alg-camellia/description.txt +++ b/testing/tests/af-alg/alg-camellia/description.txt @@ -1,3 +1,3 @@ -Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 / -HMAC_SHA2_512_256 / PRF_HMAC_SHA2_512 / MODP_3072</b> well as the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA384_192</b>. -A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>camellia256-sha512-modp3072</b> +well as the ESP cipher suite <b>camellia192-sha384</b>. A ping from <b>carol</b> to <b>alice</b> successfully +checks the established tunnel. diff --git a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf index 81a85aa06..e475be3ca 100644 --- a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf +++ b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf @@ -1,10 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici } diff --git a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf index 81a85aa06..e475be3ca 100644 --- a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf +++ b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf @@ -1,10 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici } diff --git a/testing/tests/af-alg/alg-camellia/posttest.dat b/testing/tests/af-alg/alg-camellia/posttest.dat index 2fc2bbb75..2b00bea8e 100644 --- a/testing/tests/af-alg/alg-camellia/posttest.dat +++ b/testing/tests/af-alg/alg-camellia/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/af-alg/alg-camellia/pretest.dat b/testing/tests/af-alg/alg-camellia/pretest.dat index 41255bccb..dbd1738ae 100644 --- a/testing/tests/af-alg/alg-camellia/pretest.dat +++ b/testing/tests/af-alg/alg-camellia/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection net carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf index 3610ac699..456c70df2 100644 --- a/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,13 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf index afa7afe83..b6be829f4 100644 --- a/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,13 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp x509 revocation curl hmac xcbc ctr ccm gcm kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp x509 revocation curl hmac xcbc ctr ccm gcm kernel-netlink socket-default updown vici integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf index 3610ac699..456c70df2 100644 --- a/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,13 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/af-alg/rw-cert/posttest.dat b/testing/tests/af-alg/rw-cert/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/af-alg/rw-cert/posttest.dat +++ b/testing/tests/af-alg/rw-cert/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/af-alg/rw-cert/pretest.dat b/testing/tests/af-alg/rw-cert/pretest.dat index 7652f460e..664cc9447 100644 --- a/testing/tests/af-alg/rw-cert/pretest.dat +++ b/testing/tests/af-alg/rw-cert/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection net carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/description.txt b/testing/tests/gcrypt-ikev1/alg-serpent/description.txt index 982efa5ea..28c6adb4b 100644 --- a/testing/tests/gcrypt-ikev1/alg-serpent/description.txt +++ b/testing/tests/gcrypt-ikev1/alg-serpent/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite -<b>SERPENT_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and -<b>SERPENT_CBC_256 / HMAC_SHA2_512_256 </b> for ESP packets. A ping from <b>carol</b> to -<b>alice</b> successfully checks the established tunnel. +<b>serpent256-sha512-modp4096</b> for the IKE protocol and <b>serpent256-sha512</b> +for ESP packets. A ping from <b>carol</b> to <b>alice</b> successfully checks the +established tunnel. diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf index 10c0ac6fb..b57ffec12 100644 --- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf @@ -1,11 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = nonce pem pkcs1 gcrypt hmac x509 revocation curl vici kernel-netlink socket-default +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = nonce pem pkcs1 gcrypt hmac x509 revocation curl vici kernel-netlink socket-default send_vendor_id = yes } diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf index 6c49b5e9b..22371e465 100644 --- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf @@ -1,11 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = nonce pem pkcs1 gcrypt hmac x509 revocation vici kernel-netlink socket-default +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = nonce pem pkcs1 gcrypt hmac x509 revocation vici kernel-netlink socket-default send_vendor_id = yes } diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat index 6387dff4f..e9c83e483 100644 --- a/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat +++ b/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat @@ -1,2 +1,2 @@ -moon::service charon stop -carol::service charon stop +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl
\ No newline at end of file diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat index 0f615f4ac..8c6a3ba30 100644 --- a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat +++ b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat @@ -1,5 +1,5 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -moon::expect-connection rw -carol::expect-connection home -carol::swanctl --initiate --child home 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null
\ No newline at end of file diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/description.txt b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt index e1a7403e3..bfef69b5c 100644 --- a/testing/tests/gcrypt-ikev1/alg-twofish/description.txt +++ b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite -<b>TWOFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and -<b>TWOFISH_CBC_256 / HMAC_SHA2_512_256 </b> for ESP packets. A ping from <b>carol</b> to -<b>alice</b> successfully checks the established tunnel. +<b>twofish256-sha512-modp4096</b> for the IKE protocol and <b>twofish256-sha512</b> +for ESP packets. A ping from <b>carol</b> to <b>alice</b> successfully checks the +established tunnel. diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf index 10c0ac6fb..b57ffec12 100644 --- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf @@ -1,11 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = nonce pem pkcs1 gcrypt hmac x509 revocation curl vici kernel-netlink socket-default +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = nonce pem pkcs1 gcrypt hmac x509 revocation curl vici kernel-netlink socket-default send_vendor_id = yes } diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf index 6c49b5e9b..22371e465 100644 --- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf @@ -1,11 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = nonce pem pkcs1 gcrypt hmac x509 revocation vici kernel-netlink socket-default +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = nonce pem pkcs1 gcrypt hmac x509 revocation vici kernel-netlink socket-default send_vendor_id = yes } diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat index 6387dff4f..e9c83e483 100644 --- a/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat +++ b/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat @@ -1,2 +1,2 @@ -moon::service charon stop -carol::service charon stop +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl
\ No newline at end of file diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat index 0f615f4ac..b9e2a8eee 100644 --- a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat +++ b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat @@ -1,5 +1,5 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -moon::expect-connection rw -carol::expect-connection home +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw +carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/description.txt b/testing/tests/gcrypt-ikev2/alg-camellia/description.txt index b3515c333..4b8eeb87e 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/description.txt +++ b/testing/tests/gcrypt-ikev2/alg-camellia/description.txt @@ -1,4 +1,3 @@ -Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 / -HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as -the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b> -in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite +<b>camellia256-sha512-modp3072</b> as well as the ESP cipher suite <b>camellia192-sha384</b>. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat index 562336fd4..8a2e36baa 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat +++ b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat @@ -1,12 +1,6 @@ -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES -carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES -carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon:: ip xfrm state::enc cbc(camellia)::YES carol::ip xfrm state::enc cbc(camellia)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf deleted file mode 100644 index f0bbfc10f..000000000 --- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=camellia256-sha512-modp3072! - esp=camellia192-sha384! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf index 3c094be34..e1d5a10dc 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce pem pkcs1 gcrypt hmac x509 revocation kernel-netlink curl socket-default updown vici } diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..acba9cecb --- /dev/null +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = camellia192-sha384 + } + } + version = 2 + proposals = camellia256-sha512-modp3072 + } +} diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 8481f8974..000000000 --- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=camellia256-sha512-modp3072! - esp=camellia192-sha384! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf index 3c094be34..e1d5a10dc 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce pem pkcs1 gcrypt hmac x509 revocation kernel-netlink curl socket-default updown vici } diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1c06bb2ce --- /dev/null +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = camellia192-sha384 + } + } + version = 2 + proposals = camellia256-sha512-modp3072 + } +} diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat index 046d4cfdc..2b00bea8e 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat +++ b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat index e34f70277..dbd1738ae 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat +++ b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection net carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf index 4a5fc470f..307c7e9cc 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf +++ b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/gcrypt-ikev2/rw-cert/description.txt b/testing/tests/gcrypt-ikev2/rw-cert/description.txt index f60f5b1ad..0502a6be2 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/description.txt +++ b/testing/tests/gcrypt-ikev2/rw-cert/description.txt @@ -5,8 +5,8 @@ plugins <b>aes des sha1 sha2 md5 gmp</b>. <p> The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. -Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping -the client <b>alice</b> behind the gateway <b>moon</b>. +Upon the successful establishment of the IPsec tunnels, the <b>updown</b> directive +in swanctl.conf automatically inserts iptables-based firewall rules that let pass the +tunneled traffic. In order to test both tunnel and firewall, both <b>carol</b> and +<b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat index 849d59a4e..eccdcf0c1 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat +++ b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat @@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1536.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1536.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 214a8de28..000000000 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=3des-sha1-modp1536! - esp=3des-sha1! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf index 2b4da7495..c637e97ec 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,8 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..22fe14f92 --- /dev/null +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha1-modp1536 + } + } + version = 2 + proposals = 3des-sha1-modp1536 + } +} diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 603651a43..000000000 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256-sha512-modp2048! - esp=aes256-sha512! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf index f7b335e72..4f6bec1b4 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,8 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm vici stroke kernel-netlink socket-default updown integrity_test = yes crypto_test { required = yes diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b3622f50e --- /dev/null +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf deleted file mode 100644 index ce4c0decb..000000000 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256-sha512-modp2048,3des-sha1-modp1536! - esp=aes256-sha512,3des-sha1! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf index 2b4da7495..c637e97ec 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,8 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..ccd247af0 --- /dev/null +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-modp3072,3des-sha1-modp1536 + } + } + version = 2 + proposals = aes128-sha256-modp3072,3des-sha1-modp1536 + } +} diff --git a/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat index 1865a1c60..b909ac76c 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat +++ b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat @@ -1,6 +1,8 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat index 15c4ad7d1..664cc9447 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat +++ b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat @@ -1,11 +1,11 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection rw -carol::expect-connection home +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection net +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/gcrypt-ikev2/rw-cert/test.conf b/testing/tests/gcrypt-ikev2/rw-cert/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/test.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf index d6e251dba..0ddecec94 100644 --- a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 3" - conn %default keyexchange=ikev1 ike=aes128-sha256-modp3072! diff --git a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf index 02ae5affa..7e78d0431 100644 --- a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 3 + } + } } diff --git a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf index 7c0490d59..40327a9ec 100644 --- a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 3" - conn %default keyexchange=ikev1 ike=aes128-sha256-modp3072! diff --git a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf index 02ae5affa..7e78d0431 100644 --- a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 3 + } + } } diff --git a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf index 4fcff4a89..6c4ad62fc 100644 --- a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } diff --git a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf index 2e81bfd04..1bf040c21 100644 --- a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf index 218c9f155..a725ea7da 100644 --- a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m @@ -13,7 +10,7 @@ conn %default esp=aes256-sha512! mobike=no -conn net-net +conn net-net left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf index 38df6a919..759b92285 100644 --- a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf @@ -6,6 +6,12 @@ charon { multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } plugins { ntru { parameter_set = optimum diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf index ce610b6a3..5cadaccc9 100644 --- a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf @@ -1,19 +1,16 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev1 ike=aes256-sha512-ntru256! esp=aes256-sha512! mobike=no -conn net-net +conn net-net left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf index 7a578d242..04da33fd6 100644 --- a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf @@ -5,4 +5,10 @@ charon { multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } } diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf index 77ed2c0c9..afa1641c5 100644 --- a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="job 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf index af5fa19ef..cf4c1eba4 100644 --- a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + job = 2 + } + } } diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf index 82a8f38c5..51a2e5758 100644 --- a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="job 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf index 93f434598..f09c27902 100644 --- a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + job = 2 + } + } } diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf index 89674b2a1..7456a9d8a 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf index d69a7b808..99d3c61d9 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes blowfish md5 sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + cfg = 2 + } + } } diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf index 82804a0fe..3c0578d4b 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf index a3c9999f7..99a0e8940 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce blowfish sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + cfg = 2 + } + } } diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf index aac963e91..eee4e6edc 100644 --- a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m @@ -10,7 +7,7 @@ conn %default keyingtries=1 keyexchange=ikev2 -conn alice +conn alice rightid=alice@strongswan.org mark=10/0xffffffff also=sun diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf index 93f434598..9691dd22f 100644 --- a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf index 7af65a55d..e8eaa4887 100644 --- a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default keyexchange=ikev2 ike=aes128-sha256-modp3072! diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf index 82da6cb7a..95e90fd09 100644 --- a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default keyexchange=ikev2 ike=aes128-sha256-modp3072! diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf index 8cce0c957..71f5442c0 100644 --- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default ikelifetime=60m keylife=20m @@ -13,7 +10,7 @@ conn %default esp=aes128-sha256-esn-noesn! mobike=no -conn net-net +conn net-net left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf index 1fd5ddb03..9e0df8111 100644 --- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf @@ -1,19 +1,16 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev2 ike=aes128-sha256-modp3072! esp=aes128-sha256-esn! mobike=no -conn net-net +conn net-net left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf index 01d114dd9..4251ecd68 100644 --- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m @@ -13,7 +10,7 @@ conn %default esp=aes128-sha256! mobike=no -conn net-net +conn net-net left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf index 49077484a..2dd0446ce 100644 --- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf @@ -6,9 +6,15 @@ charon { multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } plugins { ntru { - parameter_set = x9_98_bandwidth + parameter_set = x9_98_bandwidth } } } diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf index e57bec965..449ee7989 100644 --- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf @@ -1,19 +1,16 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev2 ike=aes128-sha256-ntru128! esp=aes128-sha256! mobike=no -conn net-net +conn net-net left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf index 1dcbd6c27..2dd0446ce 100644 --- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf @@ -6,6 +6,12 @@ charon { multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } plugins { ntru { parameter_set = x9_98_bandwidth diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf index 9da45bcba..f29a8b2a2 100644 --- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m @@ -13,7 +10,7 @@ conn %default esp=aes256-sha512! mobike=no -conn net-net +conn net-net left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf index 38df6a919..759b92285 100644 --- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf @@ -6,6 +6,12 @@ charon { multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } plugins { ntru { parameter_set = optimum diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf index 50be98057..76fbc8024 100644 --- a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf @@ -1,19 +1,16 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev2 ike=aes256-sha512-ntru256! esp=aes256-sha512! mobike=no -conn net-net +conn net-net left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf index 0b31f738c..d461bda50 100644 --- a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf @@ -4,4 +4,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } } diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf index aeaebe1f4..8c7918b80 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m @@ -25,7 +22,7 @@ conn dscp-ef also=net-net auto=add -conn net-net +conn net-net left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftfirewall=yes diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf index 3cf8c8807..a0be3ce18 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 curve25519 hmac curl stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf index 8b54476fd..3c4d0a07f 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf @@ -1,13 +1,10 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev2 mobike=no @@ -25,7 +22,7 @@ conn dscp-ef also=net-net auto=add -conn net-net +conn net-net left=PH_IP_SUN leftsubnet=10.2.0.0/16 leftfirewall=yes diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf index 3cf8c8807..a0be3ce18 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 curve25519 hmac curl stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf index dcd98b4de..ec3daa00a 100644 --- a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m lifetime=10s diff --git a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf index 3dcbf76ea..8d26c1381 100644 --- a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf @@ -4,4 +4,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown # remove rekeyed inbound SA a bit quicker for the test scenario delete_rekeyed_delay = 2 + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf index 9ba918893..ec7d9a79a 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2" - conn %default ikelifetime=60m keylife=20m @@ -11,7 +8,7 @@ conn %default keyexchange=ikev2 mobike=no -conn net-net +conn net-net left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf index 18ed6a4c4..c9a56d748 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf index d41e43a5c..cc86ebc0a 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf @@ -1,17 +1,14 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev2 mobike=no -conn net-net +conn net-net left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf index 18ed6a4c4..c9a56d748 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + } + } } diff --git a/testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf index a5c2cc5fc..cdcf4e6f2 100644 --- a/testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf @@ -1,7 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf index af5fa19ef..6bc136a9b 100644 --- a/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf index b7b27b720..10d92873d 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf index 6b0ab0dcc..58a2f2243 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf @@ -4,6 +4,11 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl hmac gcm stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } plugins { eap-tls { max_message_count = 40 diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf index ee4bfd27d..0ab0c4772 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf index 6b0ab0dcc..58a2f2243 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf @@ -4,6 +4,11 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl hmac gcm stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } plugins { eap-tls { max_message_count = 40 diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf index 5e06976d1..756e3835c 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf index 2261fc3e1..74881b5cf 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf @@ -4,4 +4,9 @@ charon { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf index 37fa2b435..4a645d741 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf index 8865bd52c..797d27cc2 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf @@ -4,6 +4,11 @@ charon { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } libtls { diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf index fc6f1e633..6aaeb160f 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf index 84d571482..ef5666914 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf @@ -3,6 +3,11 @@ charon { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } libtls { diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf index 8ff3c2ab6..576d2cb99 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf index 951002690..fa1febe0f 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf index 367c0b527..ba52ec31e 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf index 951002690..fa1febe0f 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf index cd93a48e7..738481257 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf index 242329b3b..02899fdb7 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf @@ -4,6 +4,11 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } plugins { eap-ttls { phase2_method = md5 diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf index 8ff3c2ab6..576d2cb99 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf index 951002690..fa1febe0f 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf index 367c0b527..ba52ec31e 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf index 951002690..fa1febe0f 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf index cd93a48e7..738481257 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf index 20afebf81..0ff7725ca 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf @@ -4,6 +4,11 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } plugins { eap-ttls { phase2_method = md5 diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf index 5b1ac90a3..c18df1c73 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf index 1d380c409..443332acc 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf index 8aa168745..2b58fbfca 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf index 1d380c409..443332acc 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf index 4b549cbd5..f0094e4d7 100644 --- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m @@ -10,7 +7,7 @@ conn %default keyingtries=1 keyexchange=ikev2 -conn alice +conn alice rightid=alice@strongswan.org mark_in=10/0xffffffff mark_out=11/0xffffffff diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf index 93f434598..9691dd22f 100644 --- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf index a2d62296f..0e4eaa1ea 100644 --- a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf index dbcd7d844..709e0c5e4 100644 --- a/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf index 3c7adfbf9..47792af99 100644 --- a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf index 8d89cd0bb..5e900fd1b 100644 --- a/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf index 409bee2cb..650ebddd9 100644 --- a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf index 8d89cd0bb..5e900fd1b 100644 --- a/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf index 71edc4c14..ef99cc768 100644 --- a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf index 8d89cd0bb..5e900fd1b 100644 --- a/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/description.txt b/testing/tests/ipv6-stroke/host2host-ikev1/description.txt new file mode 100644 index 000000000..b52c4caf8 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/description.txt @@ -0,0 +1,5 @@ +An IPv6 ESP connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up. +The authentication is based on X.509 certificates. Upon the successful establishment of +the IPsec tunnel, <b>leftfirewall=yes</b> automatically inserts ip6tables-based firewall +rules that let pass the tunneled traffic. In order to test both the host-to-host tunnel +and the firewall rules, <b>moon</b> sends an IPv6 ICMP request to <b>sun</b> using the ping6 command. diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat new file mode 100644 index 000000000..186ce4e06 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat @@ -0,0 +1,7 @@ +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/ipsec.conf index 9e68eb674..9e68eb674 100644 --- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..8c90a8e03 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/ipsec.conf index 23bc5c627..23bc5c627 100644 --- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/posttest.dat b/testing/tests/ipv6-stroke/host2host-ikev1/posttest.dat new file mode 100644 index 000000000..d3bebd0c6 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/pretest.dat b/testing/tests/ipv6-stroke/host2host-ikev1/pretest.dat new file mode 100644 index 000000000..46c015387 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +moon::ipsec start +sun::ipsec start +moon::expect-connection host-host +sun::expect-connection host-host +moon::ipsec up host-host diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/test.conf b/testing/tests/ipv6-stroke/host2host-ikev1/test.conf new file mode 100644 index 000000000..e1d17aa16 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/description.txt b/testing/tests/ipv6-stroke/host2host-ikev2/description.txt new file mode 100644 index 000000000..b52c4caf8 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev2/description.txt @@ -0,0 +1,5 @@ +An IPv6 ESP connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up. +The authentication is based on X.509 certificates. Upon the successful establishment of +the IPsec tunnel, <b>leftfirewall=yes</b> automatically inserts ip6tables-based firewall +rules that let pass the tunneled traffic. In order to test both the host-to-host tunnel +and the firewall rules, <b>moon</b> sends an IPv6 ICMP request to <b>sun</b> using the ping6 command. diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat new file mode 100644 index 000000000..186ce4e06 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat @@ -0,0 +1,7 @@ +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/ipsec.conf index faee5c854..faee5c854 100644 --- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/ipsec.conf index f4dc393ee..f4dc393ee 100644 --- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/posttest.dat b/testing/tests/ipv6-stroke/host2host-ikev2/posttest.dat new file mode 100644 index 000000000..d3bebd0c6 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev2/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/pretest.dat b/testing/tests/ipv6-stroke/host2host-ikev2/pretest.dat new file mode 100644 index 000000000..46c015387 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev2/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +moon::ipsec start +sun::ipsec start +moon::expect-connection host-host +sun::expect-connection host-host +moon::ipsec up host-host diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/test.conf b/testing/tests/ipv6-stroke/host2host-ikev2/test.conf new file mode 100644 index 000000000..e1d17aa16 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/description.txt b/testing/tests/ipv6-stroke/net2net-ikev1/description.txt new file mode 100644 index 000000000..5952ecc2d --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/description.txt @@ -0,0 +1,6 @@ +An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up. +It connects the two subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b> +sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command. diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat new file mode 100644 index 000000000..4cf23a31b --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/ipsec.conf index 4821989a9..4821989a9 100644 --- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/ipsec.conf index 23bc5c627..23bc5c627 100644 --- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/posttest.dat b/testing/tests/ipv6-stroke/net2net-ikev1/posttest.dat new file mode 100644 index 000000000..078fca541 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +sun::ipsec stop +alice::"ip route del fec2:\:/16 via fec1:\:1" +moon::"ip route del fec2:\:/16 via fec0:\:2" +sun::"ip route del fec1:\:/16 via fec0:\:1" +bob::"ip route del fec1:\:/16 via fec2:\:1" +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/pretest.dat b/testing/tests/ipv6-stroke/net2net-ikev1/pretest.dat new file mode 100644 index 000000000..a14b3cf79 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec2:\:/16 via fec1:\:1" +moon::"ip route add fec2:\:/16 via fec0:\:2" +sun::"ip route add fec1:\:/16 via fec0:\:1" +bob::"ip route add fec1:\:/16 via fec2:\:1" +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +sun::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/test.conf b/testing/tests/ipv6-stroke/net2net-ikev1/test.conf new file mode 100644 index 000000000..abade5bba --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/description.txt b/testing/tests/ipv6-stroke/net2net-ikev2/description.txt new file mode 100644 index 000000000..5952ecc2d --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/description.txt @@ -0,0 +1,6 @@ +An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up. +It connects the two subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b> +sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command. diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat new file mode 100644 index 000000000..4cf23a31b --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/ipsec.conf index 7292066a9..7292066a9 100644 --- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/ipsec.conf index 2141c15c5..2141c15c5 100644 --- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/posttest.dat b/testing/tests/ipv6-stroke/net2net-ikev2/posttest.dat new file mode 100644 index 000000000..078fca541 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +sun::ipsec stop +alice::"ip route del fec2:\:/16 via fec1:\:1" +moon::"ip route del fec2:\:/16 via fec0:\:2" +sun::"ip route del fec1:\:/16 via fec0:\:1" +bob::"ip route del fec1:\:/16 via fec2:\:1" +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/pretest.dat b/testing/tests/ipv6-stroke/net2net-ikev2/pretest.dat new file mode 100644 index 000000000..a14b3cf79 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec2:\:/16 via fec1:\:1" +moon::"ip route add fec2:\:/16 via fec0:\:2" +sun::"ip route add fec1:\:/16 via fec0:\:1" +bob::"ip route add fec1:\:/16 via fec2:\:1" +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +sun::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/test.conf b/testing/tests/ipv6-stroke/net2net-ikev2/test.conf new file mode 100644 index 000000000..abade5bba --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/description.txt b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/description.txt new file mode 100644 index 000000000..62fff0b30 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/description.txt @@ -0,0 +1,4 @@ +An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up. +It connects the two IPv4 subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. In order to test the IPv4-over-IPv6 ESP tunnel, client <b>alice</b> behind <b>moon</b> +sends an IPv4 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping command. diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/evaltest.dat new file mode 100644 index 000000000..ee9e22ed7 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf index c43086f76..c43086f76 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf index f64bc2342..f64bc2342 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/posttest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/posttest.dat new file mode 100644 index 000000000..d3bebd0c6 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/pretest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/pretest.dat new file mode 100644 index 000000000..812ccd162 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +sun::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/test.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/test.conf new file mode 100644 index 000000000..58ec28767 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip4-in-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/description.txt b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/description.txt new file mode 100644 index 000000000..62fff0b30 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/description.txt @@ -0,0 +1,4 @@ +An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up. +It connects the two IPv4 subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. In order to test the IPv4-over-IPv6 ESP tunnel, client <b>alice</b> behind <b>moon</b> +sends an IPv4 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping command. diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/evaltest.dat new file mode 100644 index 000000000..ee9e22ed7 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf index 704737eaf..704737eaf 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf index e739fc8ea..e739fc8ea 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/posttest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/posttest.dat new file mode 100644 index 000000000..d3bebd0c6 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/pretest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/pretest.dat new file mode 100644 index 000000000..812ccd162 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +sun::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/test.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/test.conf new file mode 100644 index 000000000..58ec28767 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip4-in-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/description.txt b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/description.txt new file mode 100644 index 000000000..5952ecc2d --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/description.txt @@ -0,0 +1,6 @@ +An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up. +It connects the two subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b> +sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command. diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat new file mode 100644 index 000000000..803cf5ef5 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf index 93660a2d8..93660a2d8 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..aeab0b9b5 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + install_routes = no + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf index 30dadee78..30dadee78 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..429439ee4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + install_routes=no + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/posttest.dat new file mode 100644 index 000000000..078fca541 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +sun::ipsec stop +alice::"ip route del fec2:\:/16 via fec1:\:1" +moon::"ip route del fec2:\:/16 via fec0:\:2" +sun::"ip route del fec1:\:/16 via fec0:\:1" +bob::"ip route del fec1:\:/16 via fec2:\:1" +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/pretest.dat new file mode 100644 index 000000000..58711bc06 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec2:\:/16 via fec1:\:1" +moon::"ip route add fec2:\:/16 via fec0:\:2" +sun::"ip route add fec1:\:/16 via fec0:\:1" +bob::"ip route add fec1:\:/16 via fec2:\:1" +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +sun::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/test.conf new file mode 100644 index 000000000..345e2d808 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip6-in-ip4.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/description.txt b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/description.txt new file mode 100644 index 000000000..5952ecc2d --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/description.txt @@ -0,0 +1,6 @@ +An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up. +It connects the two subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b> +sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command. diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat new file mode 100644 index 000000000..803cf5ef5 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf index f1cbd5576..f1cbd5576 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..0be55a717 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + install_routes = no +} diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf index 1f1fa6c51..1f1fa6c51 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..812d52a95 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + install_routes=no +} diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/posttest.dat new file mode 100644 index 000000000..078fca541 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +sun::ipsec stop +alice::"ip route del fec2:\:/16 via fec1:\:1" +moon::"ip route del fec2:\:/16 via fec0:\:2" +sun::"ip route del fec1:\:/16 via fec0:\:1" +bob::"ip route del fec1:\:/16 via fec2:\:1" +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/pretest.dat new file mode 100644 index 000000000..58711bc06 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec2:\:/16 via fec1:\:1" +moon::"ip route add fec2:\:/16 via fec0:\:2" +sun::"ip route add fec1:\:/16 via fec0:\:1" +bob::"ip route add fec1:\:/16 via fec2:\:1" +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +sun::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/test.conf new file mode 100644 index 000000000..345e2d808 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip6-in-ip4.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/rw-ikev1/description.txt b/testing/tests/ipv6-stroke/rw-ikev1/description.txt new file mode 100644 index 000000000..17461370e --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/description.txt @@ -0,0 +1,7 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6 connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Upon the successful establishment of the IPv6 ESP tunnels, <b>leftfirewall=yes</b> +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send +an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b> +using the ping6 command. diff --git a/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat new file mode 100644 index 000000000..0e125b70e --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat @@ -0,0 +1,15 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/ipsec.conf index 4bcfd19dd..4bcfd19dd 100644 --- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..af5fa19ef --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/ipsec.conf index 125303638..125303638 100644 --- a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/ipsec.conf index 880b1b2e7..880b1b2e7 100644 --- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ikev1/posttest.dat b/testing/tests/ipv6-stroke/rw-ikev1/posttest.dat new file mode 100644 index 000000000..4e59395e3 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/posttest.dat @@ -0,0 +1,12 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +carol::ip6tables-restore < /etc/ip6tables.flush +dave::ip6tables-restore < /etc/ip6tables.flush +alice::"ip route del fec0:\:/16 via fec1:\:1" +carol::"ip route del fec1:\:/16 via fec0:\:1" +dave::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6-stroke/rw-ikev1/pretest.dat b/testing/tests/ipv6-stroke/rw-ikev1/pretest.dat new file mode 100644 index 000000000..f60be3887 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/pretest.dat @@ -0,0 +1,17 @@ +moon::iptables-restore < /etc/iptables.drop +carol::iptables-restore < /etc/iptables.drop +dave::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +carol::ip6tables-restore < /etc/ip6tables.rules +dave::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec0:\:/16 via fec1:\:1" +carol::"ip route add fec1:\:/16 via fec0:\:1" +dave::"ip route add fec1:\:/16 via fec0:\:1" +moon::ipsec start +carol::ipsec start +dave::ipsec start +moon::expect-connection rw +carol::expect-connection home +dave::expect-connection home +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ipv6-stroke/rw-ikev1/test.conf b/testing/tests/ipv6-stroke/rw-ikev1/test.conf new file mode 100644 index 000000000..69b0757fd --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/rw-ikev2/description.txt b/testing/tests/ipv6-stroke/rw-ikev2/description.txt new file mode 100644 index 000000000..17461370e --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/description.txt @@ -0,0 +1,7 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6 connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Upon the successful establishment of the IPv6 ESP tunnels, <b>leftfirewall=yes</b> +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send +an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b> +using the ping6 command. diff --git a/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat new file mode 100644 index 000000000..0e125b70e --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat @@ -0,0 +1,15 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/ipsec.conf index 21166b2d0..21166b2d0 100644 --- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..9c9714a33 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/ipsec.conf index 9513be833..9513be833 100644 --- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..3a52f0db6 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/ipsec.conf index 4bed27ec5..4bed27ec5 100644 --- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..3a52f0db6 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ikev2/posttest.dat b/testing/tests/ipv6-stroke/rw-ikev2/posttest.dat new file mode 100644 index 000000000..4e59395e3 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/posttest.dat @@ -0,0 +1,12 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +carol::ip6tables-restore < /etc/ip6tables.flush +dave::ip6tables-restore < /etc/ip6tables.flush +alice::"ip route del fec0:\:/16 via fec1:\:1" +carol::"ip route del fec1:\:/16 via fec0:\:1" +dave::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6-stroke/rw-ikev2/pretest.dat b/testing/tests/ipv6-stroke/rw-ikev2/pretest.dat new file mode 100644 index 000000000..f60be3887 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/pretest.dat @@ -0,0 +1,17 @@ +moon::iptables-restore < /etc/iptables.drop +carol::iptables-restore < /etc/iptables.drop +dave::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +carol::ip6tables-restore < /etc/ip6tables.rules +dave::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec0:\:/16 via fec1:\:1" +carol::"ip route add fec1:\:/16 via fec0:\:1" +dave::"ip route add fec1:\:/16 via fec0:\:1" +moon::ipsec start +carol::ipsec start +dave::ipsec start +moon::expect-connection rw +carol::expect-connection home +dave::expect-connection home +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ipv6-stroke/rw-ikev2/test.conf b/testing/tests/ipv6-stroke/rw-ikev2/test.conf new file mode 100644 index 000000000..69b0757fd --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/description.txt b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/description.txt new file mode 100644 index 000000000..f9412611b --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/description.txt @@ -0,0 +1,10 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6-in-IPv4 tunnel connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Both <b>carol</b> and <b>dave</b> request a virtual IPv6 address from <b>moon</b> via +the IKEv1 mode config payload. +<p/> +Upon the successful establishment of the ESP tunnels, <b>leftfirewall=yes</b> +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send +an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b> +using the ping6 command. diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat new file mode 100644 index 000000000..f6dc9aa3e --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat @@ -0,0 +1,15 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf index 8aba6f0b1..8aba6f0b1 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..0c5b0b5a4 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf index d0ff82c2d..d0ff82c2d 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf index e77d7b608..e77d7b608 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/libipsec/rw-suite-b/posttest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/posttest.dat index 1865a1c60..ebe5e2a80 100644 --- a/testing/tests/libipsec/rw-suite-b/posttest.dat +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/posttest.dat @@ -4,3 +4,7 @@ dave::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +carol::ip6tables-restore < /etc/ip6tables.flush +dave::ip6tables-restore < /etc/ip6tables.flush +alice::"ip route del fec3:\:/16 via fec1:\:1" diff --git a/testing/tests/libipsec/rw-suite-b/pretest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/pretest.dat index e87a8ee47..e73bde487 100644 --- a/testing/tests/libipsec/rw-suite-b/pretest.dat +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/pretest.dat @@ -1,11 +1,15 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules +moon::ip6tables-restore < /etc/ip6tables.rules +carol::ip6tables-restore < /etc/ip6tables.rules +dave::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec3:\:/16 via fec1:\:1" moon::ipsec start carol::ipsec start dave::ipsec start moon::expect-connection rw carol::expect-connection home -carol::ipsec up home dave::expect-connection home +carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/test.conf new file mode 100644 index 000000000..69b0757fd --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/description.txt b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/description.txt new file mode 100644 index 000000000..237e6fa52 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/description.txt @@ -0,0 +1,10 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6-in-IPv4 tunnel connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Both <b>carol</b> and <b>dave</b> request a virtual IPv6 address from <b>moon</b> via +the IKEv2 configuration payload. +<p/> +Upon the successful establishment of the ESP tunnels, <b>leftfirewall=yes</b> +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send +an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b> +using the ping6 command. diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat new file mode 100644 index 000000000..f6dc9aa3e --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat @@ -0,0 +1,15 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf index 1ca1c6c26..1ca1c6c26 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..9c9714a33 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf index bba2d96f7..bba2d96f7 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..3a52f0db6 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf index 5ea245568..5ea245568 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..3a52f0db6 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/posttest.dat new file mode 100644 index 000000000..ebe5e2a80 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +carol::ip6tables-restore < /etc/ip6tables.flush +dave::ip6tables-restore < /etc/ip6tables.flush +alice::"ip route del fec3:\:/16 via fec1:\:1" diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/pretest.dat new file mode 100644 index 000000000..e73bde487 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/pretest.dat @@ -0,0 +1,15 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ip6tables-restore < /etc/ip6tables.rules +carol::ip6tables-restore < /etc/ip6tables.rules +dave::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec3:\:/16 via fec1:\:1" +moon::ipsec start +carol::ipsec start +dave::ipsec start +moon::expect-connection rw +carol::expect-connection home +dave::expect-connection home +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/test.conf new file mode 100644 index 000000000..69b0757fd --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/description.txt b/testing/tests/ipv6-stroke/rw-psk-ikev1/description.txt new file mode 100644 index 000000000..66fc09053 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/description.txt @@ -0,0 +1,7 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6 tunnel connection each +to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b> +and IPv6 addresses. Upon the successful establishment of the IPsec tunnels, +<b>leftfirewall=yes</b> automatically inserts ip6tables-based firewall rules that +let pass the tunneled traffic. In order to test both tunnel and firewall, both +<b>carol</b> and <b>dave</b> send an IPv6 ICMP request to client <b>alice</b> +behind the gateway <b>moon</b> using the ping6 command. diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat new file mode 100644 index 000000000..16982a736 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat @@ -0,0 +1,15 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:10].*\[fec0.*:1]::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:20].*\[fec0.*:1]::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:10]::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:20]::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.conf index 47080139f..47080139f 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets index 2abcb4e0a..2abcb4e0a 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..955514391 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.conf index c59d32a14..c59d32a14 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets index 2375cd559..2375cd559 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..955514391 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.conf index 7d32866b5..7d32866b5 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets index 88c418353..88c418353 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..955514391 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/posttest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev1/posttest.dat new file mode 100644 index 000000000..4e59395e3 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/posttest.dat @@ -0,0 +1,12 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +carol::ip6tables-restore < /etc/ip6tables.flush +dave::ip6tables-restore < /etc/ip6tables.flush +alice::"ip route del fec0:\:/16 via fec1:\:1" +carol::"ip route del fec1:\:/16 via fec0:\:1" +dave::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/pretest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev1/pretest.dat new file mode 100644 index 000000000..93a96ec36 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/pretest.dat @@ -0,0 +1,20 @@ +moon::iptables-restore < /etc/iptables.drop +carol::iptables-restore < /etc/iptables.drop +dave::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +carol::ip6tables-restore < /etc/ip6tables.rules +dave::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec0:\:/16 via fec1:\:1" +carol::"ip route add fec1:\:/16 via fec0:\:1" +dave::"ip route add fec1:\:/16 via fec0:\:1" +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +carol::ipsec start +dave::ipsec start +moon::expect-connection rw +carol::expect-connection home +dave::expect-connection home +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/test.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/test.conf new file mode 100644 index 000000000..69b0757fd --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/description.txt b/testing/tests/ipv6-stroke/rw-psk-ikev2/description.txt new file mode 100644 index 000000000..66fc09053 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/description.txt @@ -0,0 +1,7 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6 tunnel connection each +to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b> +and IPv6 addresses. Upon the successful establishment of the IPsec tunnels, +<b>leftfirewall=yes</b> automatically inserts ip6tables-based firewall rules that +let pass the tunneled traffic. In order to test both tunnel and firewall, both +<b>carol</b> and <b>dave</b> send an IPv6 ICMP request to client <b>alice</b> +behind the gateway <b>moon</b> using the ping6 command. diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat new file mode 100644 index 000000000..16982a736 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat @@ -0,0 +1,15 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:10].*\[fec0.*:1]::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:20].*\[fec0.*:1]::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:10]::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:20]::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.conf index eed683f72..eed683f72 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets index 2abcb4e0a..2abcb4e0a 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..955514391 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.conf index 3b45adb0d..3b45adb0d 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets index 2375cd559..2375cd559 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..955514391 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.conf index f6c4c6ab9..f6c4c6ab9 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets index 88c418353..88c418353 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..955514391 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/posttest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev2/posttest.dat new file mode 100644 index 000000000..4e59395e3 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/posttest.dat @@ -0,0 +1,12 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +carol::ip6tables-restore < /etc/ip6tables.flush +dave::ip6tables-restore < /etc/ip6tables.flush +alice::"ip route del fec0:\:/16 via fec1:\:1" +carol::"ip route del fec1:\:/16 via fec0:\:1" +dave::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/pretest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev2/pretest.dat new file mode 100644 index 000000000..93a96ec36 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/pretest.dat @@ -0,0 +1,20 @@ +moon::iptables-restore < /etc/iptables.drop +carol::iptables-restore < /etc/iptables.drop +dave::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +carol::ip6tables-restore < /etc/ip6tables.rules +dave::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec0:\:/16 via fec1:\:1" +carol::"ip route add fec1:\:/16 via fec0:\:1" +dave::"ip route add fec1:\:/16 via fec0:\:1" +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +carol::ipsec start +dave::ipsec start +moon::expect-connection rw +carol::expect-connection home +dave::expect-connection home +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/test.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/test.conf new file mode 100644 index 000000000..69b0757fd --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/transport-ikev1/description.txt b/testing/tests/ipv6-stroke/transport-ikev1/description.txt new file mode 100644 index 000000000..2d54790aa --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev1/description.txt @@ -0,0 +1,5 @@ +An IPv6 ESP transport connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up. +The authentication is based on X.509 certificates. Upon the successful establishment of +the IPsec SA, <b>leftfirewall=yes</b> automatically inserts ip6tables-based firewall +rules that let pass the protected traffic. In order to test both the transport connection +and the firewall rules, <b>moon</b> sends an IPv6 ICMP request to <b>sun</b> using the ping6 command. diff --git a/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat new file mode 100644 index 000000000..5ae9d2c12 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat @@ -0,0 +1,9 @@ +moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +moon::ip xfrm state::mode transport::YES +sun:: ip xfrm state::mode transport::YES +moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/ipsec.conf index f2938f307..f2938f307 100644 --- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/ipsec.conf index 9af8aa862..9af8aa862 100644 --- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/transport-ikev1/posttest.dat b/testing/tests/ipv6-stroke/transport-ikev1/posttest.dat new file mode 100644 index 000000000..d3bebd0c6 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev1/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/transport-ikev1/pretest.dat b/testing/tests/ipv6-stroke/transport-ikev1/pretest.dat new file mode 100644 index 000000000..46c015387 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev1/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +moon::ipsec start +sun::ipsec start +moon::expect-connection host-host +sun::expect-connection host-host +moon::ipsec up host-host diff --git a/testing/tests/ipv6-stroke/transport-ikev1/test.conf b/testing/tests/ipv6-stroke/transport-ikev1/test.conf new file mode 100644 index 000000000..e1d17aa16 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/transport-ikev2/description.txt b/testing/tests/ipv6-stroke/transport-ikev2/description.txt new file mode 100644 index 000000000..2d54790aa --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev2/description.txt @@ -0,0 +1,5 @@ +An IPv6 ESP transport connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up. +The authentication is based on X.509 certificates. Upon the successful establishment of +the IPsec SA, <b>leftfirewall=yes</b> automatically inserts ip6tables-based firewall +rules that let pass the protected traffic. In order to test both the transport connection +and the firewall rules, <b>moon</b> sends an IPv6 ICMP request to <b>sun</b> using the ping6 command. diff --git a/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat new file mode 100644 index 000000000..0dfba54ea --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat @@ -0,0 +1,10 @@ +moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES +moon::ip xfrm state::mode transport::YES +sun:: ip xfrm state::mode transport::YES +moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/ipsec.conf index a48b6cbc6..a48b6cbc6 100644 --- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/ipsec.conf index e80eb8101..e80eb8101 100644 --- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/transport-ikev2/posttest.dat b/testing/tests/ipv6-stroke/transport-ikev2/posttest.dat new file mode 100644 index 000000000..d3bebd0c6 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev2/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/transport-ikev2/pretest.dat b/testing/tests/ipv6-stroke/transport-ikev2/pretest.dat new file mode 100644 index 000000000..46c015387 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev2/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +moon::ipsec start +sun::ipsec start +moon::expect-connection host-host +sun::expect-connection host-host +moon::ipsec up host-host diff --git a/testing/tests/ipv6-stroke/transport-ikev2/test.conf b/testing/tests/ipv6-stroke/transport-ikev2/test.conf new file mode 100644 index 000000000..e1d17aa16 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6/host2host-ikev1/description.txt b/testing/tests/ipv6/host2host-ikev1/description.txt index b52c4caf8..d9ef11539 100644 --- a/testing/tests/ipv6/host2host-ikev1/description.txt +++ b/testing/tests/ipv6/host2host-ikev1/description.txt @@ -1,5 +1,6 @@ -An IPv6 ESP connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up. -The authentication is based on X.509 certificates. Upon the successful establishment of -the IPsec tunnel, <b>leftfirewall=yes</b> automatically inserts ip6tables-based firewall -rules that let pass the tunneled traffic. In order to test both the host-to-host tunnel -and the firewall rules, <b>moon</b> sends an IPv6 ICMP request to <b>sun</b> using the ping6 command. +An IPv6 ESP connection between the hosts <b>moon</b> and <b>sun</b> is successfully +set up. The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall +rules that pass the tunneled traffic. In order to test both the host-to-host tunnel +and the firewall rules, <b>moon</b> sends an IPv6 ICMP request to <b>sun</b> using +the ping6 command. diff --git a/testing/tests/ipv6/host2host-ikev1/evaltest.dat b/testing/tests/ipv6/host2host-ikev1/evaltest.dat index 186ce4e06..ef6ec2b98 100644 --- a/testing/tests/ipv6/host2host-ikev1/evaltest.dat +++ b/testing/tests/ipv6/host2host-ikev1/evaltest.dat @@ -1,7 +1,5 @@ -moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf index 6cb3ee291..15f8ad5bc 100644 --- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf @@ -1,8 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1fa9a622c --- /dev/null +++ b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + host-host { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + host-host { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf index 6cb3ee291..15f8ad5bc 100644 --- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf @@ -1,8 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..585e32489 --- /dev/null +++ b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + host-host { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/host2host-ikev1/posttest.dat b/testing/tests/ipv6/host2host-ikev1/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/host2host-ikev1/posttest.dat +++ b/testing/tests/ipv6/host2host-ikev1/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/host2host-ikev1/pretest.dat b/testing/tests/ipv6/host2host-ikev1/pretest.dat index 46c015387..340344c95 100644 --- a/testing/tests/ipv6/host2host-ikev1/pretest.dat +++ b/testing/tests/ipv6/host2host-ikev1/pretest.dat @@ -2,8 +2,9 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start -moon::expect-connection host-host +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl sun::expect-connection host-host -moon::ipsec up host-host +moon::expect-connection host-host +moon::swanctl --initiate --child host-host 2> /dev/null +moon::sleep 1 diff --git a/testing/tests/ipv6/host2host-ikev1/test.conf b/testing/tests/ipv6/host2host-ikev1/test.conf index e1d17aa16..7bc3a6eee 100644 --- a/testing/tests/ipv6/host2host-ikev1/test.conf +++ b/testing/tests/ipv6/host2host-ikev1/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/host2host-ikev2/description.txt b/testing/tests/ipv6/host2host-ikev2/description.txt index b52c4caf8..3714c800b 100644 --- a/testing/tests/ipv6/host2host-ikev2/description.txt +++ b/testing/tests/ipv6/host2host-ikev2/description.txt @@ -1,5 +1,6 @@ -An IPv6 ESP connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up. -The authentication is based on X.509 certificates. Upon the successful establishment of -the IPsec tunnel, <b>leftfirewall=yes</b> automatically inserts ip6tables-based firewall -rules that let pass the tunneled traffic. In order to test both the host-to-host tunnel -and the firewall rules, <b>moon</b> sends an IPv6 ICMP request to <b>sun</b> using the ping6 command. +An IPv6 ESP connection between the hosts <b>moon</b> and <b>sun</b> is successfully +set up. The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall +rules let pass the tunneled traffic. In order to test both the host-to-host tunnel +and the firewall rules, <b>moon</b> sends an IPv6 ICMP request to <b>sun</b> using +the ping6 command. diff --git a/testing/tests/ipv6/host2host-ikev2/evaltest.dat b/testing/tests/ipv6/host2host-ikev2/evaltest.dat index 186ce4e06..23add7ae5 100644 --- a/testing/tests/ipv6/host2host-ikev2/evaltest.dat +++ b/testing/tests/ipv6/host2host-ikev2/evaltest.dat @@ -1,7 +1,5 @@ -moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES -sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
\ No newline at end of file diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..b422344f2 --- /dev/null +++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + host-host { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + host-host { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..376f8d8fa --- /dev/null +++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + host-host { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/host2host-ikev2/posttest.dat b/testing/tests/ipv6/host2host-ikev2/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/host2host-ikev2/posttest.dat +++ b/testing/tests/ipv6/host2host-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/host2host-ikev2/pretest.dat b/testing/tests/ipv6/host2host-ikev2/pretest.dat index 46c015387..0c558800c 100644 --- a/testing/tests/ipv6/host2host-ikev2/pretest.dat +++ b/testing/tests/ipv6/host2host-ikev2/pretest.dat @@ -2,8 +2,8 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection host-host sun::expect-connection host-host -moon::ipsec up host-host +moon::swanctl --initiate --child host-host 2> /dev/null
\ No newline at end of file diff --git a/testing/tests/ipv6/host2host-ikev2/test.conf b/testing/tests/ipv6/host2host-ikev2/test.conf index e1d17aa16..459baf2d9 100644 --- a/testing/tests/ipv6/host2host-ikev2/test.conf +++ b/testing/tests/ipv6/host2host-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="moon winnetou sun" - + # Corresponding block diagram # DIAGRAM="m-w-s-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ikev1/description.txt b/testing/tests/ipv6/net2net-ikev1/description.txt index 5952ecc2d..9c574d22f 100644 --- a/testing/tests/ipv6/net2net-ikev1/description.txt +++ b/testing/tests/ipv6/net2net-ikev1/description.txt @@ -1,6 +1,7 @@ -An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up. -It connects the two subnets hiding behind their respective gateways. The authentication is based on -X.509 certificates. Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b> -sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command. +An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is +successfully set up. It connects the two subnets hiding behind their respective +gateways. The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall +rules let pass the tunneled traffic. In order to test both the net-to-net tunnel +and the firewall rules, client <b>alice</b> behind <b>moon</b> sends an IPv6 ICMP +request to client <b>bob</b> behind <b>sun</b> using the ping6 command. diff --git a/testing/tests/ipv6/net2net-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ikev1/evaltest.dat index 4cf23a31b..877459c88 100644 --- a/testing/tests/ipv6/net2net-ikev1/evaltest.dat +++ b/testing/tests/ipv6/net2net-ikev1/evaltest.dat @@ -1,7 +1,5 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf index 00380ccb4..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf @@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..e4ae7c91b --- /dev/null +++ b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + net-net { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16 + remote_ts = fec2::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf index 00380ccb4..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf @@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..df389144d --- /dev/null +++ b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + net-net { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = fec2::0/16 + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ikev1/posttest.dat index 078fca541..aec4aa7d0 100644 --- a/testing/tests/ipv6/net2net-ikev1/posttest.dat +++ b/testing/tests/ipv6/net2net-ikev1/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl alice::"ip route del fec2:\:/16 via fec1:\:1" moon::"ip route del fec2:\:/16 via fec0:\:2" sun::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6/net2net-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ikev1/pretest.dat index a14b3cf79..60b2810cf 100644 --- a/testing/tests/ipv6/net2net-ikev1/pretest.dat +++ b/testing/tests/ipv6/net2net-ikev1/pretest.dat @@ -6,8 +6,9 @@ alice::"ip route add fec2:\:/16 via fec1:\:1" moon::"ip route add fec2:\:/16 via fec0:\:2" sun::"ip route add fec1:\:/16 via fec0:\:1" bob::"ip route add fec1:\:/16 via fec2:\:1" -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net 2> /dev/null +moon::sleep 1 diff --git a/testing/tests/ipv6/net2net-ikev1/test.conf b/testing/tests/ipv6/net2net-ikev1/test.conf index abade5bba..5906883b1 100644 --- a/testing/tests/ipv6/net2net-ikev1/test.conf +++ b/testing/tests/ipv6/net2net-ikev1/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ikev2/description.txt b/testing/tests/ipv6/net2net-ikev2/description.txt index 5952ecc2d..0fe026cc0 100644 --- a/testing/tests/ipv6/net2net-ikev2/description.txt +++ b/testing/tests/ipv6/net2net-ikev2/description.txt @@ -1,6 +1,7 @@ -An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up. -It connects the two subnets hiding behind their respective gateways. The authentication is based on -X.509 certificates. Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b> -sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command. +An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> +is successfully set up. It connects the two subnets hiding behind their respective +gateways. The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall +rules let pass the tunneled traffic. In order to test both the net-to-net tunnel +and the firewall rules, client <b>alice</b> behind <b>moon</b> sends an IPv6 ICMP +request to client <b>bob</b> behind <b>sun</b> using the ping6 command. diff --git a/testing/tests/ipv6/net2net-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ikev2/evaltest.dat index 4cf23a31b..a3e2bad94 100644 --- a/testing/tests/ipv6/net2net-ikev2/evaltest.dat +++ b/testing/tests/ipv6/net2net-ikev2/evaltest.dat @@ -1,7 +1,5 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf index 00380ccb4..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf @@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1bf52633b --- /dev/null +++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + net-net { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16 + remote_ts = fec2::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf index 00380ccb4..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf @@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..73480f112 --- /dev/null +++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + net-net { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = fec2::0/16 + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ikev2/posttest.dat index 078fca541..aec4aa7d0 100644 --- a/testing/tests/ipv6/net2net-ikev2/posttest.dat +++ b/testing/tests/ipv6/net2net-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl alice::"ip route del fec2:\:/16 via fec1:\:1" moon::"ip route del fec2:\:/16 via fec0:\:2" sun::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6/net2net-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ikev2/pretest.dat index a14b3cf79..2db7a27c2 100644 --- a/testing/tests/ipv6/net2net-ikev2/pretest.dat +++ b/testing/tests/ipv6/net2net-ikev2/pretest.dat @@ -6,8 +6,8 @@ alice::"ip route add fec2:\:/16 via fec1:\:1" moon::"ip route add fec2:\:/16 via fec0:\:2" sun::"ip route add fec1:\:/16 via fec0:\:1" bob::"ip route add fec1:\:/16 via fec2:\:1" -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net diff --git a/testing/tests/ipv6/net2net-ikev2/test.conf b/testing/tests/ipv6/net2net-ikev2/test.conf index abade5bba..5906883b1 100644 --- a/testing/tests/ipv6/net2net-ikev2/test.conf +++ b/testing/tests/ipv6/net2net-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat index ee9e22ed7..829c64764 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat @@ -1,7 +1,5 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf index 02280ac2f..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf @@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..7604b97d5 --- /dev/null +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + net-net { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf index 7a39a8ae4..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf @@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size=1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..4a7f98856 --- /dev/null +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + net-net { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat index 812ccd162..9a9d27b29 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat @@ -2,8 +2,9 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net +moon::sleep 1 diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf index 58ec28767..cc1bf500f 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip4-in-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat index ee9e22ed7..b898de258 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat @@ -1,7 +1,6 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES + diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf index 3a52f0db6..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..aea5c228c --- /dev/null +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + net-net { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf index 3a52f0db6..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1efe64d86 --- /dev/null +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + net-net { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat index 812ccd162..5a4e73383 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat @@ -2,8 +2,8 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf index 58ec28767..cc1bf500f 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip4-in-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/description.txt b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/description.txt index 5952ecc2d..26cb55e4d 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/description.txt +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/description.txt @@ -1,6 +1,8 @@ -An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up. -It connects the two subnets hiding behind their respective gateways. The authentication is based on -X.509 certificates. Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b> -sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command. +An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is +successfully set up. It connects the two subnets hiding behind their respective +gateways. The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall +rules let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client +<b>alice</b> behind <b>moon</b> sends an IPv6 ICMP request to client <b>bob</b> +behind <b>sun</b> using the ping6 command. diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat index 803cf5ef5..849da7c61 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat @@ -1,7 +1,5 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16] +sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16] sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf index 0be55a717..89e0dfced 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf @@ -1,6 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 install_routes = no } diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..e78611432 --- /dev/null +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + net-net { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16 + remote_ts = fec2::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf index 812d52a95..89e0dfced 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf @@ -1,6 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown - install_routes=no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 + install_routes = no } diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..db19938ac --- /dev/null +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + net-net { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = fec2::0/16 + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat index 078fca541..aec4aa7d0 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl alice::"ip route del fec2:\:/16 via fec1:\:1" moon::"ip route del fec2:\:/16 via fec0:\:2" sun::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat index 58711bc06..58be2992f 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat @@ -6,8 +6,9 @@ alice::"ip route add fec2:\:/16 via fec1:\:1" moon::"ip route add fec2:\:/16 via fec0:\:2" sun::"ip route add fec1:\:/16 via fec0:\:1" bob::"ip route add fec1:\:/16 via fec2:\:1" -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net +moon::sleep 1 diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf index 345e2d808..9f1c9a1f3 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip6-in-ip4.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/description.txt b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/description.txt index 5952ecc2d..dee74097c 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/description.txt +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/description.txt @@ -1,6 +1,8 @@ -An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up. -It connects the two subnets hiding behind their respective gateways. The authentication is based on -X.509 certificates. Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b> -sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command. +An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is +successfully set up. It connects the two subnets hiding behind their respective +gateways. The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall +rules let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client +<b>alice</b> behind <b>moon</b> sends an IPv6 ICMP request to client <b>bob</b> +behind <b>sun</b> using the ping6 command.
\ No newline at end of file diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat index 803cf5ef5..40ae8524a 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat @@ -1,7 +1,4 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16] +sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf index 0be55a717..89e0dfced 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 install_routes = no } diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..775c2feae --- /dev/null +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + net-net { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16 + remote_ts = fec2::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf index 812d52a95..89e0dfced 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf @@ -1,6 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown - install_routes=no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 + install_routes = no } diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..ed7e9b477 --- /dev/null +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + net-net { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = fec2::0/16 + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat index 078fca541..aec4aa7d0 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl alice::"ip route del fec2:\:/16 via fec1:\:1" moon::"ip route del fec2:\:/16 via fec0:\:2" sun::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat index 58711bc06..e1d5265cc 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat @@ -6,8 +6,8 @@ alice::"ip route add fec2:\:/16 via fec1:\:1" moon::"ip route add fec2:\:/16 via fec0:\:2" sun::"ip route add fec1:\:/16 via fec0:\:1" bob::"ip route add fec1:\:/16 via fec2:\:1" -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf index 345e2d808..9f1c9a1f3 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip6-in-ip4.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/description.txt b/testing/tests/ipv6/net2net-rfc3779-ikev2/description.txt index ebcc00724..0c0525ce1 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/description.txt +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/description.txt @@ -1,11 +1,14 @@ -An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up. -It connects the two subnets hiding behind their respective gateways. The authentication is based on -<b>X.509 certificates</b> containing <b>RFC 3779 IP address block constraints</b>. -Both <b>moon</b> and <b>sun</b> set <b>rightsubnet=::/0</b> thus allowing the peers to narrow down -the address range to their actual subnets <b>fec1::/16</b> and <b>fec2::/16</b>, respectively. -These unilaterally proposed traffic selectors must be validated by corresponding IP address block constraints. +An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is +successfully set up. It connects the two subnets hiding behind their respective +gateways. The authentication is based on <b>X.509 certificates</b> containing +<b>RFC 3779 IP address block constraints</b>. Both <b>moon</b> and <b>sun</b> set +<b>rightsubnet=::/0</b> thus allowing the peers to narrow down the address range +to their actual subnets <b>fec1::/16</b> and <b>fec2::/16</b>, respectively. +These unilaterally proposed traffic selectors must be validated by corresponding +IP address block constraints. <p/> -Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b> -sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command. +Upon the successful establishment of the IPsec tunnel, automatically inserted +ip6tables-based firewall rules let pass the tunneled traffic. In order to test +both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind +<b>moon</b> sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> +using the ping6 command. diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat index 3b0a3eeca..72dade743 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat @@ -1,9 +1,7 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES moon:: cat /var/log/daemon.log::TS fec2:\:/16 is contained in address block constraint fec2:\:/16::YES sun:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 46b9ad415..000000000 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/ - crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - also=host-host - leftsubnet=fec1::0/16 - rightsubnet=0::0/0 - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf index 4fa0583ed..285350d7b 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem index 11607c8cb..11607c8cb 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..c172a2c13 --- /dev/null +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + net-net { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16 + remote_ts = 0::0/0 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl + } +} diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem index 124e2ae46..124e2ae46 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem index 8e872d89f..8e872d89f 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 4a0f911a3..000000000 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/ - crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - also=host-host - leftsubnet=fec2::0/16 - rightsubnet=0::0/0 - -conn host-host - left=PH_IP6_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf index 4fa0583ed..285350d7b 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/rsa/sunKey.pem index 55f5f8037..55f5f8037 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/rsa/sunKey.pem diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..68927c36d --- /dev/null +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + net-net { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = fec2::0/16 + remote_ts = 0::0/0 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl + } +} diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509/sunCert.pem index a93121da1..a93121da1 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509/sunCert.pem diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem index 8e872d89f..8e872d89f 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat index 078fca541..aec4aa7d0 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl alice::"ip route del fec2:\:/16 via fec1:\:1" moon::"ip route del fec2:\:/16 via fec0:\:2" sun::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat index a14b3cf79..2db7a27c2 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat @@ -6,8 +6,8 @@ alice::"ip route add fec2:\:/16 via fec1:\:1" moon::"ip route add fec2:\:/16 via fec0:\:2" sun::"ip route add fec1:\:/16 via fec0:\:1" bob::"ip route add fec1:\:/16 via fec2:\:1" -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf index abade5bba..5906883b1 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat b/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat index 8229b6254..eddc9bf97 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat @@ -1,14 +1,10 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES -moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES -moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES moon:: ip xfrm state::proto comp spi::YES carol::ip xfrm state::proto comp spi::YES # send two pings because the first is lost due to Path MTU Discovery between alice and moon carol::ping6 -c 2 -W 1 -s 8184 -p deadbeef ip6-alice.strongswan.org::8192 bytes from ip6-alice.strongswan.org::YES # reduce the size as the default is already larger than the threshold of 90 bytes carol::ping6 -c 1 -s 40 ip6-alice.strongswan.org::48 bytes from ip6-alice.strongswan.org::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*cpi-in.*cpi-out.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*cpi-in.*cpi-out.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf deleted file mode 100644 index bd9a9e59f..000000000 --- a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - compress=yes - leftfirewall=yes - -conn home - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP6_MOON - rightsubnet=fec1::/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf index af5fa19ef..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..279eb3205 --- /dev/null +++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = fec0::10 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + ipcomp = yes + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index c4f9b5b5b..000000000 --- a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - compress=yes - leftfirewall=yes - -conn rw - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=fec1::/16 - right=%any - auto=add diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf index 93f434598..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b15b952cc --- /dev/null +++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + rw { + local_addrs = fec0::1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + ipcomp = yes + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-compress-ikev2/posttest.dat b/testing/tests/ipv6/rw-compress-ikev2/posttest.dat index fdaf44080..55b22dfde 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/posttest.dat +++ b/testing/tests/ipv6/rw-compress-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/rw-compress-ikev2/pretest.dat b/testing/tests/ipv6/rw-compress-ikev2/pretest.dat index 3f6427f50..96a2d7d9e 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/pretest.dat +++ b/testing/tests/ipv6/rw-compress-ikev2/pretest.dat @@ -6,8 +6,8 @@ carol::ip6tables-restore < /etc/ip6tables.rules moon::ip6tables -I OUTPUT 1 -o eth1 -p icmpv6 --icmpv6-type 2 -j ACCEPT alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" -moon::ipsec start -carol::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-compress-ikev2/test.conf b/testing/tests/ipv6/rw-compress-ikev2/test.conf index 8098d4720..8eedcd9f9 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/test.conf +++ b/testing/tests/ipv6/rw-compress-ikev2/test.conf @@ -24,3 +24,7 @@ IPSECHOSTS="moon carol" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-ikev1/description.txt b/testing/tests/ipv6/rw-ikev1/description.txt index 17461370e..c8549777d 100644 --- a/testing/tests/ipv6/rw-ikev1/description.txt +++ b/testing/tests/ipv6/rw-ikev1/description.txt @@ -1,7 +1,7 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6 connection each to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. -Upon the successful establishment of the IPv6 ESP tunnels, <b>leftfirewall=yes</b> -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPv6 ESP tunnels, automatically inserted +ip6tables-based firewall rules let pass the tunneled traffic. In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b> using the ping6 command. diff --git a/testing/tests/ipv6/rw-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ikev1/evaltest.dat index 0e125b70e..1202a99d2 100644 --- a/testing/tests/ipv6/rw-ikev1/evaltest.dat +++ b/testing/tests/ipv6/rw-ikev1/evaltest.dat @@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf index 0835a1605..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf @@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..52970208b --- /dev/null +++ b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::10 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf index 02280ac2f..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf @@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..c26ba5780 --- /dev/null +++ b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::20 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf index 02280ac2f..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf @@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..f72f9ef86 --- /dev/null +++ b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + rw { + local_addrs = fec0::1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-ikev1/posttest.dat b/testing/tests/ipv6/rw-ikev1/posttest.dat index 4e59395e3..59495fc46 100644 --- a/testing/tests/ipv6/rw-ikev1/posttest.dat +++ b/testing/tests/ipv6/rw-ikev1/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-ikev1/pretest.dat b/testing/tests/ipv6/rw-ikev1/pretest.dat index f60be3887..a8c8a7097 100644 --- a/testing/tests/ipv6/rw-ikev1/pretest.dat +++ b/testing/tests/ipv6/rw-ikev1/pretest.dat @@ -7,11 +7,11 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-ikev1/test.conf b/testing/tests/ipv6/rw-ikev1/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-ikev1/test.conf +++ b/testing/tests/ipv6/rw-ikev1/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-ikev2/description.txt b/testing/tests/ipv6/rw-ikev2/description.txt index 17461370e..c8549777d 100644 --- a/testing/tests/ipv6/rw-ikev2/description.txt +++ b/testing/tests/ipv6/rw-ikev2/description.txt @@ -1,7 +1,7 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6 connection each to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. -Upon the successful establishment of the IPv6 ESP tunnels, <b>leftfirewall=yes</b> -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPv6 ESP tunnels, automatically inserted +ip6tables-based firewall rules let pass the tunneled traffic. In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b> using the ping6 command. diff --git a/testing/tests/ipv6/rw-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ikev2/evaltest.dat index 0e125b70e..d5d5a6b1c 100644 --- a/testing/tests/ipv6/rw-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-ikev2/evaltest.dat @@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf index 9c9714a33..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..5bfbe324d --- /dev/null +++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::10 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7fe33bf8f --- /dev/null +++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::20 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b28e49e07 --- /dev/null +++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + rw { + local_addrs = fec0::1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-ikev2/posttest.dat b/testing/tests/ipv6/rw-ikev2/posttest.dat index 4e59395e3..59495fc46 100644 --- a/testing/tests/ipv6/rw-ikev2/posttest.dat +++ b/testing/tests/ipv6/rw-ikev2/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-ikev2/pretest.dat b/testing/tests/ipv6/rw-ikev2/pretest.dat index f60be3887..a8c8a7097 100644 --- a/testing/tests/ipv6/rw-ikev2/pretest.dat +++ b/testing/tests/ipv6/rw-ikev2/pretest.dat @@ -7,11 +7,11 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-ikev2/test.conf b/testing/tests/ipv6/rw-ikev2/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-ikev2/test.conf +++ b/testing/tests/ipv6/rw-ikev2/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt index f9412611b..ce07226c5 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt @@ -1,10 +1,10 @@ -The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6-in-IPv4 tunnel connection each -to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. -Both <b>carol</b> and <b>dave</b> request a virtual IPv6 address from <b>moon</b> via -the IKEv1 mode config payload. +The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6-in-IPv4 tunnel +connection each to gateway <b>moon</b>. The authentication is based on <b>X.509 +certificates</b>. Both <b>carol</b> and <b>dave</b> request a virtual IPv6 +address from <b>moon</b> via the IKEv1 mode config payload. <p/> -Upon the successful establishment of the ESP tunnels, <b>leftfirewall=yes</b> -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send -an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b> -using the ping6 command. +Upon the successful establishment of the ESP tunnels, automatically inserted +ip6tables-based firewall rules let pass the tunneled traffic. In order to test +both tunnel and firewall, both <b>carol</b> and <b>dave</b> send an IPv6 ICMP +request to the client <b>alice</b> behind the gateway <b>moon</b> using the +ping6 command. diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat index f6dc9aa3e..78488871f 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat @@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16] +dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16] +moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128] +moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:1/128] moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf index 9c9714a33..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..fcf530ebe --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0::0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..51fb8d65c --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + vips = 0::0 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..72201edc0 --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + pools = rw_pool + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +pools { + rw_pool { + addrs = fec3::/120 + } +} diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat index ebe5e2a80..d8d4bbbec 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat index e73bde487..9a756eb78 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat @@ -5,11 +5,11 @@ moon::ip6tables-restore < /etc/ip6tables.rules carol::ip6tables-restore < /etc/ip6tables.rules dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec3:\:/16 via fec1:\:1" -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt index 237e6fa52..790427243 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt @@ -1,10 +1,10 @@ -The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6-in-IPv4 tunnel connection each -to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. -Both <b>carol</b> and <b>dave</b> request a virtual IPv6 address from <b>moon</b> via -the IKEv2 configuration payload. +The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6-in-IPv4 tunnel +connection each to gateway <b>moon</b>. The authentication is based on <b>X.509 +certificates</b> Both <b>carol</b> and <b>dave</b> request a virtual IPv6 address +from <b>moon</b> via the IKEv2 configuration payload. <p/> -Upon the successful establishment of the ESP tunnels, <b>leftfirewall=yes</b> -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send -an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b> -using the ping6 command. +Upon the successful establishment of the ESP tunnels, automatically inserted +ip6tables-based firewall rules let pass the tunneled traffic. In order to test +both tunnel and firewall, both <b>carol</b> and <b>dave</b> send an IPv6 ICMP +request to the client <b>alice</b> behind the gateway <b>moon</b> using the +ping6 command. diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat index f6dc9aa3e..d0f2bac96 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat @@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16] +dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16] +moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128] +moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:1/128] moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf index 9c9714a33..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1a9ed078f --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0::0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1fb687eaa --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + vips = 0::0 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..6624bfb3e --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + pools = rw_pool + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +pools { + rw_pool { + addrs = fec3::/120 + } +} diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat index ebe5e2a80..d8d4bbbec 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat index e73bde487..9a756eb78 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat @@ -5,11 +5,11 @@ moon::ip6tables-restore < /etc/ip6tables.rules carol::ip6tables-restore < /etc/ip6tables.rules dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec3:\:/16 via fec1:\:1" -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-psk-ikev1/description.txt b/testing/tests/ipv6/rw-psk-ikev1/description.txt index 66fc09053..fd7369d8f 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/description.txt +++ b/testing/tests/ipv6/rw-psk-ikev1/description.txt @@ -1,7 +1,7 @@ -The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6 tunnel connection each +The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6 tunnel connection each to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b> and IPv6 addresses. Upon the successful establishment of the IPsec tunnels, -<b>leftfirewall=yes</b> automatically inserts ip6tables-based firewall rules that -let pass the tunneled traffic. In order to test both tunnel and firewall, both -<b>carol</b> and <b>dave</b> send an IPv6 ICMP request to client <b>alice</b> -behind the gateway <b>moon</b> using the ping6 command. +automatically inserted ip6tables-based firewall rules let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send +an IPv6 ICMP request to client <b>alice</b> behind the gateway <b>moon</b> using +the ping6 command. diff --git a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat index 16982a736..e92aa028d 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat +++ b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat @@ -1,13 +1,10 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:10].*\[fec0.*:1]::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:20].*\[fec0.*:1]::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:10]::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:20]::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES + carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=fec0:\:1 remote-host=fec0:\:20 remote-port=500 remote-id=fec0:\:20.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..524530721 --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::10 + remote_addrs = fec0::1 + + local { + auth = psk + id = fec0::10 + } + remote { + auth = psk + id = fec0::1 + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-moon { + id = fec0::1 + secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7e3cff4ff --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::20 + remote_addrs = fec0::1 + + local { + auth = psk + id = fec0::20 + } + remote { + auth = psk + id = fec0::1 + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-moon { + id = fec0::1 + secret = 0sjVzONCF02ncsgiSlmIXeqhGN + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..70c360ce7 --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,37 @@ +connections { + + rw { + local_addrs = fec0::1 + + local { + auth = psk + id = fec0::1 + } + remote { + auth = psk + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-carol { + id = fec0::10 + secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + } + + ike-dave { + id = fec0::20 + secret = 0sjVzONCF02ncsgiSlmIXeqhGN + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev1/posttest.dat b/testing/tests/ipv6/rw-psk-ikev1/posttest.dat index 4e59395e3..59495fc46 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/posttest.dat +++ b/testing/tests/ipv6/rw-psk-ikev1/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-psk-ikev1/pretest.dat b/testing/tests/ipv6/rw-psk-ikev1/pretest.dat index 93a96ec36..48cb77608 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/pretest.dat +++ b/testing/tests/ipv6/rw-psk-ikev1/pretest.dat @@ -7,14 +7,14 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-psk-ikev1/test.conf b/testing/tests/ipv6/rw-psk-ikev1/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/test.conf +++ b/testing/tests/ipv6/rw-psk-ikev1/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-psk-ikev2/description.txt b/testing/tests/ipv6/rw-psk-ikev2/description.txt index 66fc09053..0bd1474a0 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/description.txt +++ b/testing/tests/ipv6/rw-psk-ikev2/description.txt @@ -1,7 +1,7 @@ -The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6 tunnel connection each +TThe roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6 tunnel connection each to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b> and IPv6 addresses. Upon the successful establishment of the IPsec tunnels, -<b>leftfirewall=yes</b> automatically inserts ip6tables-based firewall rules that -let pass the tunneled traffic. In order to test both tunnel and firewall, both -<b>carol</b> and <b>dave</b> send an IPv6 ICMP request to client <b>alice</b> -behind the gateway <b>moon</b> using the ping6 command. +automatically inserted ip6tables-based firewall rules let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send +an IPv6 ICMP request to client <b>alice</b> behind the gateway <b>moon</b> using +the ping6 command. diff --git a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat index 16982a736..ce79801ec 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat @@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:10].*\[fec0.*:1]::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:20].*\[fec0.*:1]::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:10]::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:20]::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=4500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:20 remote-port=4500 remote-id=fec0:\:20.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..6d1b0a61b --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::10 + remote_addrs = fec0::1 + + local { + auth = psk + id = fec0::10 + } + remote { + auth = psk + id = fec0::1 + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-moon { + id = fec0::1 + secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..8d848205b --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::20 + remote_addrs = fec0::1 + + local { + auth = psk + id = fec0::20 + } + remote { + auth = psk + id = fec0::1 + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-moon { + id = fec0::1 + secret = 0sjVzONCF02ncsgiSlmIXeqhGN + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..df4170e96 --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,37 @@ +connections { + + rw { + local_addrs = fec0::1 + + local { + auth = psk + id = fec0::1 + } + remote { + auth = psk + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-carol { + id = fec0::10 + secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + } + + ike-dave { + id = fec0::20 + secret = 0sjVzONCF02ncsgiSlmIXeqhGN + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev2/posttest.dat b/testing/tests/ipv6/rw-psk-ikev2/posttest.dat index 4e59395e3..59495fc46 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/posttest.dat +++ b/testing/tests/ipv6/rw-psk-ikev2/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-psk-ikev2/pretest.dat b/testing/tests/ipv6/rw-psk-ikev2/pretest.dat index 93a96ec36..48cb77608 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/pretest.dat +++ b/testing/tests/ipv6/rw-psk-ikev2/pretest.dat @@ -7,14 +7,14 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-psk-ikev2/test.conf b/testing/tests/ipv6/rw-psk-ikev2/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/test.conf +++ b/testing/tests/ipv6/rw-psk-ikev2/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat index 551eae263..082416d60 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat @@ -1,18 +1,13 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES moon:: cat /var/log/daemon.log::TS fec0:\:10/128 is contained in address block constraint fec0:\:10/128::YES moon:: cat /var/log/daemon.log::TS fec0:\:20/128 is contained in address block constraint fec0:\:20/128::YES carol::cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES dave:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf deleted file mode 100644 index a2e054e13..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/ - crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP6_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - rightsubnet=0::0/0 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf index da170cb15..285350d7b 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/rsa/carolKey.pem index a75622149..a75622149 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/rsa/carolKey.pem diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..54fb36da4 --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::10 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 0::0/0 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl + } +} diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509/carolCert.pem index bf8a4919d..bf8a4919d 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509/carolCert.pem diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem index 8e872d89f..8e872d89f 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 8d275e2bd..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/ - crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP6_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - rightsubnet=0::0/0 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf index 4fa0583ed..285350d7b 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/rsa/daveKey.pem index f72970c4d..f72970c4d 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/rsa/daveKey.pem diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..098ba6db7 --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::20 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 0::0/0 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl + } +} diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509/daveCert.pem index 88ce01ed5..88ce01ed5 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509/daveCert.pem diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem index 8e872d89f..8e872d89f 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 236302350..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/ - crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn rw - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=fec1::/16 - leftfirewall=yes - right=%any - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf index 4fa0583ed..285350d7b 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem index 11607c8cb..11607c8cb 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..4edc8cd86 --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + rw { + local_addrs = fec0::1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl + } +} diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem index 124e2ae46..124e2ae46 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem index 8e872d89f..8e872d89f 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat index 4e59395e3..59495fc46 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat index f60be3887..a8c8a7097 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat @@ -7,11 +7,11 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/transport-ikev1/description.txt b/testing/tests/ipv6/transport-ikev1/description.txt index 2d54790aa..c464aa25b 100644 --- a/testing/tests/ipv6/transport-ikev1/description.txt +++ b/testing/tests/ipv6/transport-ikev1/description.txt @@ -1,5 +1,6 @@ -An IPv6 ESP transport connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up. -The authentication is based on X.509 certificates. Upon the successful establishment of -the IPsec SA, <b>leftfirewall=yes</b> automatically inserts ip6tables-based firewall -rules that let pass the protected traffic. In order to test both the transport connection -and the firewall rules, <b>moon</b> sends an IPv6 ICMP request to <b>sun</b> using the ping6 command. +An IPv6 ESP transport connection between the hosts <b>moon</b> and <b>sun</b> is +successfully set up. The authentication is based on X.509 certificates. Upon the +successful establishment of the IPsec SA, automatically inserted ip6tables-based +firewall rules let pass the protected traffic. In order to test both the transport +connection and the firewall rules, <b>moon</b> sends an IPv6 ICMP request to +<b>sun</b> using the ping6 command. diff --git a/testing/tests/ipv6/transport-ikev1/evaltest.dat b/testing/tests/ipv6/transport-ikev1/evaltest.dat index 5ae9d2c12..736425d36 100644 --- a/testing/tests/ipv6/transport-ikev1/evaltest.dat +++ b/testing/tests/ipv6/transport-ikev1/evaltest.dat @@ -1,9 +1,7 @@ -moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES -sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES moon::ip xfrm state::mode transport::YES sun:: ip xfrm state::mode transport::YES moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf index 02280ac2f..15f8ad5bc 100644 --- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf @@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..016d51707 --- /dev/null +++ b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + host-host { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + host-host { + mode = transport + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf index 02280ac2f..15f8ad5bc 100644 --- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf @@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..deee09d83 --- /dev/null +++ b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + host-host { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + mode = transport + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/transport-ikev1/posttest.dat b/testing/tests/ipv6/transport-ikev1/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/transport-ikev1/posttest.dat +++ b/testing/tests/ipv6/transport-ikev1/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/transport-ikev1/pretest.dat b/testing/tests/ipv6/transport-ikev1/pretest.dat index 46c015387..7ab42a1ce 100644 --- a/testing/tests/ipv6/transport-ikev1/pretest.dat +++ b/testing/tests/ipv6/transport-ikev1/pretest.dat @@ -2,8 +2,8 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection host-host sun::expect-connection host-host -moon::ipsec up host-host +moon::swanctl --initiate --child host-host 2> /dev/null diff --git a/testing/tests/ipv6/transport-ikev1/test.conf b/testing/tests/ipv6/transport-ikev1/test.conf index e1d17aa16..459baf2d9 100644 --- a/testing/tests/ipv6/transport-ikev1/test.conf +++ b/testing/tests/ipv6/transport-ikev1/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="moon winnetou sun" - + # Corresponding block diagram # DIAGRAM="m-w-s-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/transport-ikev2/description.txt b/testing/tests/ipv6/transport-ikev2/description.txt index 2d54790aa..c464aa25b 100644 --- a/testing/tests/ipv6/transport-ikev2/description.txt +++ b/testing/tests/ipv6/transport-ikev2/description.txt @@ -1,5 +1,6 @@ -An IPv6 ESP transport connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up. -The authentication is based on X.509 certificates. Upon the successful establishment of -the IPsec SA, <b>leftfirewall=yes</b> automatically inserts ip6tables-based firewall -rules that let pass the protected traffic. In order to test both the transport connection -and the firewall rules, <b>moon</b> sends an IPv6 ICMP request to <b>sun</b> using the ping6 command. +An IPv6 ESP transport connection between the hosts <b>moon</b> and <b>sun</b> is +successfully set up. The authentication is based on X.509 certificates. Upon the +successful establishment of the IPsec SA, automatically inserted ip6tables-based +firewall rules let pass the protected traffic. In order to test both the transport +connection and the firewall rules, <b>moon</b> sends an IPv6 ICMP request to +<b>sun</b> using the ping6 command. diff --git a/testing/tests/ipv6/transport-ikev2/evaltest.dat b/testing/tests/ipv6/transport-ikev2/evaltest.dat index 0dfba54ea..48ddcd069 100644 --- a/testing/tests/ipv6/transport-ikev2/evaltest.dat +++ b/testing/tests/ipv6/transport-ikev2/evaltest.dat @@ -1,10 +1,7 @@ -moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES -sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES -moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES moon::ip xfrm state::mode transport::YES sun:: ip xfrm state::mode transport::YES moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..2f06bbab4 --- /dev/null +++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + host-host { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + host-host { + mode = transport + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..dc981a7a7 --- /dev/null +++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + host-host { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + mode = transport + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/transport-ikev2/posttest.dat b/testing/tests/ipv6/transport-ikev2/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/transport-ikev2/posttest.dat +++ b/testing/tests/ipv6/transport-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/transport-ikev2/pretest.dat b/testing/tests/ipv6/transport-ikev2/pretest.dat index 46c015387..cb7fe951f 100644 --- a/testing/tests/ipv6/transport-ikev2/pretest.dat +++ b/testing/tests/ipv6/transport-ikev2/pretest.dat @@ -2,8 +2,8 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection host-host sun::expect-connection host-host -moon::ipsec up host-host +moon::swanctl --initiate --child host-host diff --git a/testing/tests/ipv6/transport-ikev2/test.conf b/testing/tests/ipv6/transport-ikev2/test.conf index e1d17aa16..459baf2d9 100644 --- a/testing/tests/ipv6/transport-ikev2/test.conf +++ b/testing/tests/ipv6/transport-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="moon winnetou sun" - + # Corresponding block diagram # DIAGRAM="m-w-s-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/libipsec/host2host-cert/evaltest.dat b/testing/tests/libipsec/host2host-cert/evaltest.dat index 77c2528ea..f482c558a 100644 --- a/testing/tests/libipsec/host2host-cert/evaltest.dat +++ b/testing/tests/libipsec/host2host-cert/evaltest.dat @@ -1,7 +1,5 @@ -moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32] +sun::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32] sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 6e8329a44..000000000 --- a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn host-host - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftupdown=/etc/updown - right=PH_IP_SUN - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf index c8897b084..7fac82eb7 100644 --- a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no plugins { diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..8f8b04029 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + host-host { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + host-host { + updown = /etc/updown + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf deleted file mode 100644 index becb97e04..000000000 --- a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn host-host - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf index c8897b084..7fac82eb7 100644 --- a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf @@ -1,7 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no plugins { diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..a0739647c --- /dev/null +++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + host-host { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + updown = /etc/updown + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/libipsec/host2host-cert/posttest.dat b/testing/tests/libipsec/host2host-cert/posttest.dat index 8b6052f38..23ebee582 100644 --- a/testing/tests/libipsec/host2host-cert/posttest.dat +++ b/testing/tests/libipsec/host2host-cert/posttest.dat @@ -1,5 +1,6 @@ -moon::ipsec stop -sun::ipsec stop +moon::swanctl --terminate --ike host-host 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::sysctl --pattern net.ipv4.conf.all.rp_filter --system diff --git a/testing/tests/libipsec/host2host-cert/pretest.dat b/testing/tests/libipsec/host2host-cert/pretest.dat index 35c0f3e1c..00e5c199f 100644 --- a/testing/tests/libipsec/host2host-cert/pretest.dat +++ b/testing/tests/libipsec/host2host-cert/pretest.dat @@ -2,8 +2,8 @@ moon::sysctl -w net.ipv4.conf.all.rp_filter=2 sun::sysctl -w net.ipv4.conf.all.rp_filter=2 moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -sun::ipsec start -moon::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl sun::expect-connection host-host moon::expect-connection host-host -moon::ipsec up host-host +moon::swanctl --initiate --child host-host 2> /dev/null diff --git a/testing/tests/libipsec/host2host-cert/test.conf b/testing/tests/libipsec/host2host-cert/test.conf index 9647dc6a2..52d886dcc 100644 --- a/testing/tests/libipsec/host2host-cert/test.conf +++ b/testing/tests/libipsec/host2host-cert/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/libipsec/net2net-3des/evaltest.dat b/testing/tests/libipsec/net2net-3des/evaltest.dat index 9365a8f44..36c0ee781 100644 --- a/testing/tests/libipsec/net2net-3des/evaltest.dat +++ b/testing/tests/libipsec/net2net-3des/evaltest.dat @@ -1,11 +1,5 @@ -moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -moon::ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048::YES -sun:: ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES -moon::ipsec statusall 2> /dev/null::net-net[{]1}.*3DES_CBC/HMAC_SHA1_96::YES -sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*3DES_CBC/HMAC_SHA1_96::YES +moon:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES] sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 141b4a3ed..000000000 --- a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=3des-sha1-modp2048! - esp=3des-sha1-modp2048! - mobike=no - -conn net-net - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftupdown=/etc/updown - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf index 467da3ac9..2d6b814dd 100644 --- a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..fe2a4dd75 --- /dev/null +++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /etc/updown + esp_proposals = 3des-sha1-modp2048 + } + } + version = 2 + mobike = no + proposals = 3des-sha1-modp2048 + } +} diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 0108a04a3..000000000 --- a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=3des-sha1-modp2048! - esp=3des-sha1-modp2048! - mobike=no - -conn net-net - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftsubnet=10.2.0.0/16 - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf index 467da3ac9..2d6b814dd 100644 --- a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..54c35b3e1 --- /dev/null +++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /etc/updown + esp_proposals = 3des-sha1-modp2048 + } + } + version = 2 + mobike = no + proposals = 3des-sha1-modp2048 + } +} diff --git a/testing/tests/libipsec/net2net-3des/posttest.dat b/testing/tests/libipsec/net2net-3des/posttest.dat index 1f7aa73a1..755f0e5f8 100644 --- a/testing/tests/libipsec/net2net-3des/posttest.dat +++ b/testing/tests/libipsec/net2net-3des/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/libipsec/net2net-3des/pretest.dat b/testing/tests/libipsec/net2net-3des/pretest.dat index bcc2cb04d..9440ddab0 100644 --- a/testing/tests/libipsec/net2net-3des/pretest.dat +++ b/testing/tests/libipsec/net2net-3des/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -sun::ipsec start -moon::ipsec start -sun::expect-connection net-net -moon::expect-connection net-net -moon::ipsec up net-net +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/libipsec/net2net-3des/test.conf b/testing/tests/libipsec/net2net-3des/test.conf index 646b8b3e6..07a3b247a 100644 --- a/testing/tests/libipsec/net2net-3des/test.conf +++ b/testing/tests/libipsec/net2net-3des/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/libipsec/net2net-cert-ipv6/description.txt b/testing/tests/libipsec/net2net-cert-ipv6/description.txt new file mode 100644 index 000000000..ab582c3a5 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/description.txt @@ -0,0 +1,14 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>X.509 certificates</b> and the <b>kernel-libipsec</b> +plugin is used for userland IPsec ESP encryption. +<p/> +Upon the successful establishment of the IPsec tunnel, an updown script automatically +inserts iptables-based firewall rules that let pass the traffic tunneled via the +<b>ipsec0</b> tun interface. In order to test both tunnel and firewall, client <b>alice</b> +behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>. +<p/> +This scenario is mainly to test how fragmented IPv6 packets are handled (e.g. determining +the protocol via IPv6 extension headers). Three pings are required due to PMTUD, the first +is rejected by <b>moon</b>, so <b>alice</b> adjusts the MTU. The second gets through, +but the response is rejected by <b>sun</b>, so <b>bob</b> will adjust the MTU. The third +finally is successful. diff --git a/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat b/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat new file mode 100644 index 000000000..e9a30b9ac --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat @@ -0,0 +1,5 @@ +alice::ping6 -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef ip6-bob.strongswan.org::8192 bytes from ip6-bob.strongswan.org: icmp_seq=3::YES +moon ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec1::/16\[ipv6-icmp]] remote-ts=\[fec2::/16\[ipv6-icmp]]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec2::/16\[ipv6-icmp]] remote-ts=\[fec1::/16\[ipv6-icmp]]::YES +sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES +sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..6870d32fe --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce pem pkcs1 x509 openssl curl revocation vici kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..586cc57c1 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16[ipv6-icmp] + remote_ts = fec2::0/16[ipv6-icmp] + + updown = /etc/updown + esp_proposals = aes256gcm128-ecp384 + } + } + version = 2 + mobike = no + proposals = aes256-sha384-ecp384 + } +} diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/updown index 6a5b18de6..e7c3640d4 100755 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown +++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/updown @@ -223,50 +223,21 @@ case "$PLUTO_VERB:$1" in up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT ;; down-host:) # connection to me going down # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT ;; up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT ;; down-client:) # connection to my client subnet going down @@ -278,18 +249,6 @@ down-client:) iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi ;; up-host:iptables) # connection to me, with (left/right)firewall=yes, coming up diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..6870d32fe --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce pem pkcs1 x509 openssl curl revocation vici kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..74977608d --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = fec2::0/16[ipv6-icmp] + remote_ts = fec1::0/16[ipv6-icmp] + + updown = /etc/updown + esp_proposals = aes256gcm128-ecp384 + } + } + version = 2 + mobike = no + proposals = aes256-sha384-ecp384 + } +} diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/updown index 6a5b18de6..e7c3640d4 100755 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown +++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/updown @@ -223,50 +223,21 @@ case "$PLUTO_VERB:$1" in up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT ;; down-host:) # connection to me going down # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT ;; up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT ;; down-client:) # connection to my client subnet going down @@ -278,18 +249,6 @@ down-client:) iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi ;; up-host:iptables) # connection to me, with (left/right)firewall=yes, coming up diff --git a/testing/tests/libipsec/net2net-cert-ipv6/posttest.dat b/testing/tests/libipsec/net2net-cert-ipv6/posttest.dat new file mode 100644 index 000000000..8cbf20027 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/posttest.dat @@ -0,0 +1,9 @@ +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl +alice::"ip route del fec2:\:/16 via fec1:\:1" +moon::"ip route del fec2:\:/16 via fec0:\:2" +sun::"ip route del fec1:\:/16 via fec0:\:1" +bob::"ip route del fec1:\:/16 via fec2:\:1" +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/libipsec/net2net-cert-ipv6/pretest.dat b/testing/tests/libipsec/net2net-cert-ipv6/pretest.dat new file mode 100644 index 000000000..20aca8291 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/pretest.dat @@ -0,0 +1,11 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +alice::"ip route add fec2:\:/16 via fec1:\:1" +moon::"ip route add fec2:\:/16 via fec0:\:2" +sun::"ip route add fec1:\:/16 via fec0:\:1" +bob::"ip route add fec1:\:/16 via fec2:\:1" +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/libipsec/net2net-cert-ipv6/test.conf b/testing/tests/libipsec/net2net-cert-ipv6/test.conf new file mode 100644 index 000000000..07a3b247a --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/libipsec/net2net-cert/evaltest.dat b/testing/tests/libipsec/net2net-cert/evaltest.dat index e489fec64..5364c1e82 100644 --- a/testing/tests/libipsec/net2net-cert/evaltest.dat +++ b/testing/tests/libipsec/net2net-cert/evaltest.dat @@ -1,7 +1,5 @@ -moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES] sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 631adfcd3..000000000 --- a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftupdown=/etc/updown - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf index fa7c0ece2..e6a98b407 100644 --- a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..239b7a4fe --- /dev/null +++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /etc/updown + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf deleted file mode 100644 index b16440aa1..000000000 --- a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftsubnet=10.2.0.0/16 - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf index fa7c0ece2..e6a98b407 100644 --- a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..75b1c46f1 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /etc/updown + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/libipsec/net2net-cert/posttest.dat b/testing/tests/libipsec/net2net-cert/posttest.dat index 1f7aa73a1..755f0e5f8 100644 --- a/testing/tests/libipsec/net2net-cert/posttest.dat +++ b/testing/tests/libipsec/net2net-cert/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/libipsec/net2net-cert/pretest.dat b/testing/tests/libipsec/net2net-cert/pretest.dat index bcc2cb04d..9440ddab0 100644 --- a/testing/tests/libipsec/net2net-cert/pretest.dat +++ b/testing/tests/libipsec/net2net-cert/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -sun::ipsec start -moon::ipsec start -sun::expect-connection net-net -moon::expect-connection net-net -moon::ipsec up net-net +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/libipsec/net2net-cert/test.conf b/testing/tests/libipsec/net2net-cert/test.conf index 646b8b3e6..07a3b247a 100644 --- a/testing/tests/libipsec/net2net-cert/test.conf +++ b/testing/tests/libipsec/net2net-cert/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/libipsec/net2net-null/evaltest.dat b/testing/tests/libipsec/net2net-null/evaltest.dat index c1aae4032..af619f4b8 100644 --- a/testing/tests/libipsec/net2net-null/evaltest.dat +++ b/testing/tests/libipsec/net2net-null/evaltest.dat @@ -1,11 +1,5 @@ -moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -moon::ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES -sun:: ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES -moon::ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES -sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES +moon ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=NULL integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=NULL integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=NULL integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=NULL integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf deleted file mode 100644 index f206a16fb..000000000 --- a/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=null-sha256-modp3072! - esp=null-sha256-modp3072! - mobike=no - -conn net-net - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftupdown=/etc/updown - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf index 2beff1b76..9e2091f31 100644 --- a/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce pem pkcs1 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce pem pkcs1 revocation openssl curl vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..15b978249 --- /dev/null +++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /etc/updown + esp_proposals = null-sha256-modp3072 + } + } + version = 2 + mobike = no + proposals = null-sha256-modp3072 + } +} diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 21b116595..000000000 --- a/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=null-sha256-modp3072! - esp=null-sha256-modp3072! - mobike=no - -conn net-net - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftsubnet=10.2.0.0/16 - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf index 2beff1b76..9e2091f31 100644 --- a/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce pem pkcs1 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce pem pkcs1 revocation openssl curl vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..df65eb085 --- /dev/null +++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /etc/updown + esp_proposals = null-sha256-modp3072 + } + } + version = 2 + mobike = no + proposals = null-sha256-modp3072 + } +} diff --git a/testing/tests/libipsec/net2net-null/posttest.dat b/testing/tests/libipsec/net2net-null/posttest.dat index 1f7aa73a1..755f0e5f8 100644 --- a/testing/tests/libipsec/net2net-null/posttest.dat +++ b/testing/tests/libipsec/net2net-null/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/libipsec/net2net-null/pretest.dat b/testing/tests/libipsec/net2net-null/pretest.dat index bcc2cb04d..9440ddab0 100644 --- a/testing/tests/libipsec/net2net-null/pretest.dat +++ b/testing/tests/libipsec/net2net-null/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -sun::ipsec start -moon::ipsec start -sun::expect-connection net-net -moon::expect-connection net-net -moon::ipsec up net-net +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/libipsec/net2net-null/test.conf b/testing/tests/libipsec/net2net-null/test.conf index 646b8b3e6..07a3b247a 100644 --- a/testing/tests/libipsec/net2net-null/test.conf +++ b/testing/tests/libipsec/net2net-null/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/libipsec/rw-suite-b/description.txt b/testing/tests/libipsec/rw-suite-b/description.txt deleted file mode 100644 index a1b09405a..000000000 --- a/testing/tests/libipsec/rw-suite-b/description.txt +++ /dev/null @@ -1,10 +0,0 @@ -The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>. -The authentication is based on Suite B with <b>128 bit</b> security based on <b>X.509 ECDSA</b> -certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b> authenticated encryption. -The <b>kernel-libipsec</b> plugin is used for userland IPsec AES-GCM authenticated ESP -encryption. -<p/> -Upon the successful establishment of the IPsec tunnel, an updown script automatically -inserts iptables-based firewall rules that let pass the traffic tunneled via the <b>ipsec0</b> -tun interface. In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping -the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/libipsec/rw-suite-b/evaltest.dat b/testing/tests/libipsec/rw-suite-b/evaltest.dat deleted file mode 100644 index 487a21c57..000000000 --- a/testing/tests/libipsec/rw-suite-b/evaltest.dat +++ /dev/null @@ -1,19 +0,0 @@ -carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES -moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon::tcpdump::IP carol.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES -moon::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > carol.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES -moon::tcpdump::IP dave.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES -moon::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > dave.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 8106e28d2..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-ecp256! - esp=aes128gcm128-ecp256! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftsourceip=%config - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 3480a434a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC -Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 -YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA -BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn -/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM -h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV -HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 -t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM -ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq -cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q -3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index a85635faf..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI -zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj -BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME -GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv -bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3 -YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5 -nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR -Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49 -hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index d29ddb9ee..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIMDstKxdv/vNBPfM8iHvn5g5/8T5aRSnlh27HHt6iTfGoAoGCCqGSM49 -AwEHoUQDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAjBuX3bs5ZIn7B -rRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2nw== ------END EC PRIVATE KEY----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 3d6725162..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA carolKey.pem diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 4ab9a617f..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce pem pkcs1 pkcs8 x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown - - initiator_only = yes - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 9b6ca682a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-ecp256! - esp=aes128gcm128-ecp256! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftsourceip=%config - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 3480a434a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC -Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 -YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA -BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn -/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM -h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV -HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 -t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM -ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq -cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q -3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem deleted file mode 100644 index c83be145d..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICXDCCAb2gAwIBAgIBCzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTEzMDYyODA3MzMyOFoXDTE4MDYwMjA3MzMyOFowXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO -PQIBBggqhkjOPQMBBwNCAAQ0aUuue3BcBvF6aEISID4c+mVBJyvSm2fPVRRkAQqh -RktTHMYDWY6B8e/iGr4GDeF5bjr46vMB5eEtVx3chWbQo4GBMH8wHwYDVR0jBBgw -FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz -d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u -b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAd5ols9c -CP6HPtfMXbPlSpUDKSRyB3c5Ix2Yn3z5ogMM1QSoS88FW8D7KKsb0qTY5TnlAls3 -45PmauVwEbI2cV6qAkIBphvsmhYWMnt/QMOij7DinihEL9Ib1vxOS2boUos6sHWi -gj3wfHyfgHM3Pgt0YYoZxELDIxcLVJeoa1TmNey7IaI= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem deleted file mode 100644 index 17e94022e..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEICwxFtCsSqIAzwZDyxHclTRdz/tGzAY7fP/vPoxqr8vuoAoGCCqGSM49 -AwEHoUQDQgAENGlLrntwXAbxemhCEiA+HPplQScr0ptnz1UUZAEKoUZLUxzGA1mO -gfHv4hq+Bg3heW46+OrzAeXhLVcd3IVm0A== ------END EC PRIVATE KEY----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index ebd3a2839..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA daveKey.pem diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush deleted file mode 100644 index b3ab63c51..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush +++ /dev/null @@ -1,21 +0,0 @@ -*filter - --F - --P INPUT ACCEPT --P OUTPUT ACCEPT --P FORWARD ACCEPT - -COMMIT - -*nat - --F - -COMMIT - -*mangle - --F - -COMMIT diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules deleted file mode 100644 index 3d99c0197..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -# allow traffic tunnelled via IPsec --A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT --A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT - -COMMIT diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 4ab9a617f..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce pem pkcs1 pkcs8 x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown - - initiator_only = yes - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf deleted file mode 100644 index abb34ac91..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="knl 3, esp 3" - -conn %default - ikelifetime=60m - keylife=20m - rekey=no - reauth=no - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-ecp256! - esp=aes128gcm128-ecp256! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftupdown=/etc/updown - right=%any - rightsourceip=10.3.0.0/24 - auto=add diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 3480a434a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC -Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 -YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA -BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn -/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM -h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV -HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 -t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM -ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq -cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q -3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index a3b043e82..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICXDCCAb2gAwIBAgIBBzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTEzMDYyODA3MTc0M1oXDTE4MDYwMjA3MTc0M1owXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO -PQIBBggqhkjOPQMBBwNCAATf97+pfDnyPIA9gf6bYTZiIjNBAbCjCIqxxWou/oMq -/9V1O20vyI/dg2g3yzTdzESUa+X81fop+i2n9ymBqI1No4GBMH8wHwYDVR0jBBgw -FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz -d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u -b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCALNndw3C -DDWCb0f+6P6hxkqiYmUpv39XrioZrLbw+MjMD2WAchbj60KibBep1cVwIq3kWIJ6 -Jj0tYXG+f6yjmImqAkIBGOGRm+MQZxPFdYZoJZq5QXwIN0w2hJxmLIxBASW4PLdl -RLIlvW/XTJObdb0VVYmClg0HTSvuuYOJrzwdyd8D1w0= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index 5bd2778a9..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIHWBnv6tDi/CTTWOQi/0XME7r8Wd5GRPaXx3wNTElpSvoAoGCCqGSM49 -AwEHoUQDQgAE3/e/qXw58jyAPYH+m2E2YiIzQQGwowiKscVqLv6DKv/VdTttL8iP -3YNoN8s03cxElGvl/NX6Kfotp/cpgaiNTQ== ------END EC PRIVATE KEY----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 1ef3eccb5..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA moonKey.pem diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf deleted file mode 100644 index d68b6e57a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce pem pkcs1 pkcs8 x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown deleted file mode 100755 index 6a5b18de6..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown +++ /dev/null @@ -1,638 +0,0 @@ -#!/bin/sh -# default updown script -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# strongSwan use yours instead of this default one. - -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica- -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. -# -# PLUTO_REQID -# is the requid of the AH|ESP policy -# -# PLUTO_PROTO -# is the negotiated IPsec protocol, ah|esp -# -# PLUTO_IPCOMP -# is not empty if IPComp was negotiated -# -# PLUTO_UNIQUEID -# is the unique identifier of the associated IKE_SA -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_SOURCEIP -# PLUTO_MY_SOURCEIP4_$i -# PLUTO_MY_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP received from a responder, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. For ICMP/ICMPv6 this contains the -# message type, and PLUTO_PEER_PORT the message code. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub- -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_SOURCEIP -# PLUTO_PEER_SOURCEIP4_$i -# PLUTO_PEER_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP sent to an initiator, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. For ICMP/ICMPv6 this contains the -# message code, and PLUTO_MY_PORT the message type. -# -# PLUTO_XAUTH_ID -# is an optional user ID employed by the XAUTH protocol -# -# PLUTO_MARK_IN -# is an optional XFRM mark set on the inbound IPsec SA -# -# PLUTO_MARK_OUT -# is an optional XFRM mark set on the outbound IPsec SA -# -# PLUTO_UDP_ENC -# contains the remote UDP port in the case of ESP_IN_UDP -# encapsulation -# -# PLUTO_DNS4_$i -# PLUTO_DNS6_$i -# contains IPv4/IPv6 DNS server attribute received from a -# responder, $i enumerates from 1 to the number of servers per -# address family. -# - -# define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" -export PATH - -# comment to disable logging VPN connections to syslog -VPN_LOGGING=1 -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn - -# check interface version -case "$PLUTO_VERSION" in -1.[0|1]) # Older release?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete release?" >&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -iptables:iptables) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" -IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" -IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - -# use protocol specific options to set ports -case "$PLUTO_MY_PROTOCOL" in -1) # ICMP - ICMP_TYPE_OPTION="--icmp-type" - ;; -58) # ICMPv6 - ICMP_TYPE_OPTION="--icmpv6-type" - ;; -*) - ;; -esac - -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - else - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" - fi -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - # the syntax is --icmp[v6]-type type[/code], so add it to the existing option - S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" - D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" - else - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" - fi -fi - -# resolve octal escape sequences -PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` -PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` - -case "$PLUTO_VERB:$1" in -up-host:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -down-host:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -up-host:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -# -# IPv6 -# -up-host-v6:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-host-v6:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - ;; -up-client-v6:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-client-v6:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - ;; -up-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf index c8f63bced..ee8cbcdef 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf index f2c60511b..f5b116b3b 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = pem pkcs1 random nonce openssl curl revocation stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf index 28a5cad31..2236a5f71 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf index 7af4b4e37..4aa2068f4 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf @@ -3,6 +3,11 @@ charon { load = pem pkcs1 random nonce openssl curl revocation stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } libtls { diff --git a/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/ipsec.conf index dcd98b4de..ec3daa00a 100644 --- a/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/ipsec.conf +++ b/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m lifetime=10s diff --git a/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf index 4234eb134..855ba919d 100644 --- a/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf +++ b/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf @@ -4,4 +4,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown # remove rekeyed inbound SA a bit quicker for the test scenario delete_rekeyed_delay = 2 + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/sql/ip-pool-db-expired/evaltest.dat b/testing/tests/sql/ip-pool-db-expired/evaltest.dat index a105fc040..cf289abd0 100644 --- a/testing/tests/sql/ip-pool-db-expired/evaltest.dat +++ b/testing/tests/sql/ip-pool-db-expired/evaltest.dat @@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES moon:: cat /var/log/daemon.log::assigning virtual IP::YES moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES -moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*1h.*2::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES +moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*60m.*2::YES moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/ip-pool-db-expired/posttest.dat b/testing/tests/sql/ip-pool-db-expired/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/ip-pool-db-expired/posttest.dat +++ b/testing/tests/sql/ip-pool-db-expired/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/ip-pool-db-expired/pretest.dat b/testing/tests/sql/ip-pool-db-expired/pretest.dat index 068d72917..f8b710495 100644 --- a/testing/tests/sql/ip-pool-db-expired/pretest.dat +++ b/testing/tests/sql/ip-pool-db-expired/pretest.dat @@ -5,12 +5,15 @@ moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --leases 2> /dev/null +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/ip-pool-db-restart/posttest.dat b/testing/tests/sql/ip-pool-db-restart/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/ip-pool-db-restart/posttest.dat +++ b/testing/tests/sql/ip-pool-db-restart/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/ip-pool-db-restart/pretest.dat b/testing/tests/sql/ip-pool-db-restart/pretest.dat index 374693e36..e918fc238 100644 --- a/testing/tests/sql/ip-pool-db-restart/pretest.dat +++ b/testing/tests/sql/ip-pool-db-restart/pretest.dat @@ -5,12 +5,15 @@ moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --leases 2> /dev/null +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw dave::expect-connection home dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/ip-pool-db/posttest.dat b/testing/tests/sql/ip-pool-db/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/ip-pool-db/posttest.dat +++ b/testing/tests/sql/ip-pool-db/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/ip-pool-db/pretest.dat b/testing/tests/sql/ip-pool-db/pretest.dat index 4d89bed3e..01a7fdff3 100644 --- a/testing/tests/sql/ip-pool-db/pretest.dat +++ b/testing/tests/sql/ip-pool-db/pretest.dat @@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat index b257564dc..ea0241af0 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat +++ b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl diff --git a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat index d0c7b9c76..084bcd2f4 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat +++ b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat @@ -6,9 +6,12 @@ carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --status 2> /dev/null moon::ipsec pool --leases 2> /dev/null -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw dave::expect-connection home dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/ip-split-pools-db/posttest.dat b/testing/tests/sql/ip-split-pools-db/posttest.dat index b257564dc..ea0241af0 100644 --- a/testing/tests/sql/ip-split-pools-db/posttest.dat +++ b/testing/tests/sql/ip-split-pools-db/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl diff --git a/testing/tests/sql/ip-split-pools-db/pretest.dat b/testing/tests/sql/ip-split-pools-db/pretest.dat index e1f0c22ae..94df5b360 100644 --- a/testing/tests/sql/ip-split-pools-db/pretest.dat +++ b/testing/tests/sql/ip-split-pools-db/pretest.dat @@ -5,9 +5,12 @@ moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --status 2> /dev/null -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/multi-level-ca/posttest.dat b/testing/tests/sql/multi-level-ca/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/multi-level-ca/posttest.dat +++ b/testing/tests/sql/multi-level-ca/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/multi-level-ca/pretest.dat b/testing/tests/sql/multi-level-ca/pretest.dat index 4d89bed3e..01a7fdff3 100644 --- a/testing/tests/sql/multi-level-ca/pretest.dat +++ b/testing/tests/sql/multi-level-ca/pretest.dat @@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/net2net-cert/posttest.dat b/testing/tests/sql/net2net-cert/posttest.dat index 59badb867..8b792b878 100644 --- a/testing/tests/sql/net2net-cert/posttest.dat +++ b/testing/tests/sql/net2net-cert/posttest.dat @@ -1,4 +1,4 @@ -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/net2net-cert/pretest.dat b/testing/tests/sql/net2net-cert/pretest.dat index 6580e7604..dd91c3859 100644 --- a/testing/tests/sql/net2net-cert/pretest.dat +++ b/testing/tests/sql/net2net-cert/pretest.dat @@ -2,10 +2,12 @@ moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +sun::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null -moon::expect-connection net-net +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection net-net sun::expect-connection net-net moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/sql/net2net-psk/posttest.dat b/testing/tests/sql/net2net-psk/posttest.dat index 59badb867..8b792b878 100644 --- a/testing/tests/sql/net2net-psk/posttest.dat +++ b/testing/tests/sql/net2net-psk/posttest.dat @@ -1,4 +1,4 @@ -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/net2net-psk/pretest.dat b/testing/tests/sql/net2net-psk/pretest.dat index 6580e7604..dd91c3859 100644 --- a/testing/tests/sql/net2net-psk/pretest.dat +++ b/testing/tests/sql/net2net-psk/pretest.dat @@ -2,10 +2,12 @@ moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +sun::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null -moon::expect-connection net-net +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection net-net sun::expect-connection net-net moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/sql/net2net-route-pem/posttest.dat b/testing/tests/sql/net2net-route-pem/posttest.dat index 59badb867..8b792b878 100644 --- a/testing/tests/sql/net2net-route-pem/posttest.dat +++ b/testing/tests/sql/net2net-route-pem/posttest.dat @@ -1,4 +1,4 @@ -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/net2net-route-pem/pretest.dat b/testing/tests/sql/net2net-route-pem/pretest.dat index 576bd6738..614109c91 100644 --- a/testing/tests/sql/net2net-route-pem/pretest.dat +++ b/testing/tests/sql/net2net-route-pem/pretest.dat @@ -2,10 +2,12 @@ moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +sun::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net alice::ping -c 1 -W 1 10.2.0.10 bob::ping -c 1 -W 1 10.1.0.20 diff --git a/testing/tests/sql/net2net-start-pem/posttest.dat b/testing/tests/sql/net2net-start-pem/posttest.dat index 59badb867..8b792b878 100644 --- a/testing/tests/sql/net2net-start-pem/posttest.dat +++ b/testing/tests/sql/net2net-start-pem/posttest.dat @@ -1,4 +1,4 @@ -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/net2net-start-pem/pretest.dat b/testing/tests/sql/net2net-start-pem/pretest.dat index 8fc6d1a1c..f5eef5528 100644 --- a/testing/tests/sql/net2net-start-pem/pretest.dat +++ b/testing/tests/sql/net2net-start-pem/pretest.dat @@ -2,10 +2,12 @@ moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +sun::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -sun::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl sun::expect-connection net-net -moon::service charon start 2> /dev/null -moon::sleep 4 +moon::systemctl start strongswan-swanctl +moon::sleep 4 diff --git a/testing/tests/sql/rw-cert/posttest.dat b/testing/tests/sql/rw-cert/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/rw-cert/posttest.dat +++ b/testing/tests/sql/rw-cert/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-cert/pretest.dat b/testing/tests/sql/rw-cert/pretest.dat index 4d89bed3e..01a7fdff3 100644 --- a/testing/tests/sql/rw-cert/pretest.dat +++ b/testing/tests/sql/rw-cert/pretest.dat @@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat index 2fc2bbb75..2b00bea8e 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat +++ b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat index d964629a2..3b1742150 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat +++ b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat @@ -2,10 +2,12 @@ moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-eap-aka carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-psk-ipv4/posttest.dat b/testing/tests/sql/rw-psk-ipv4/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/rw-psk-ipv4/posttest.dat +++ b/testing/tests/sql/rw-psk-ipv4/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-psk-ipv4/pretest.dat b/testing/tests/sql/rw-psk-ipv4/pretest.dat index 4d89bed3e..01a7fdff3 100644 --- a/testing/tests/sql/rw-psk-ipv4/pretest.dat +++ b/testing/tests/sql/rw-psk-ipv4/pretest.dat @@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-psk-ipv6/posttest.dat b/testing/tests/sql/rw-psk-ipv6/posttest.dat index 3f82576b6..8248b2d4d 100644 --- a/testing/tests/sql/rw-psk-ipv6/posttest.dat +++ b/testing/tests/sql/rw-psk-ipv6/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-psk-ipv6/pretest.dat b/testing/tests/sql/rw-psk-ipv6/pretest.dat index 60a1055a2..0659eabbc 100644 --- a/testing/tests/sql/rw-psk-ipv6/pretest.dat +++ b/testing/tests/sql/rw-psk-ipv6/pretest.dat @@ -4,6 +4,9 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules @@ -13,9 +16,9 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-psk-rsa-split/posttest.dat b/testing/tests/sql/rw-psk-rsa-split/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/rw-psk-rsa-split/posttest.dat +++ b/testing/tests/sql/rw-psk-rsa-split/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-psk-rsa-split/pretest.dat b/testing/tests/sql/rw-psk-rsa-split/pretest.dat index 4d89bed3e..01a7fdff3 100644 --- a/testing/tests/sql/rw-psk-rsa-split/pretest.dat +++ b/testing/tests/sql/rw-psk-rsa-split/pretest.dat @@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-rsa-keyid/posttest.dat b/testing/tests/sql/rw-rsa-keyid/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/rw-rsa-keyid/posttest.dat +++ b/testing/tests/sql/rw-rsa-keyid/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-rsa-keyid/pretest.dat b/testing/tests/sql/rw-rsa-keyid/pretest.dat index 4d89bed3e..01a7fdff3 100644 --- a/testing/tests/sql/rw-rsa-keyid/pretest.dat +++ b/testing/tests/sql/rw-rsa-keyid/pretest.dat @@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-rsa/posttest.dat b/testing/tests/sql/rw-rsa/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/rw-rsa/posttest.dat +++ b/testing/tests/sql/rw-rsa/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-rsa/pretest.dat b/testing/tests/sql/rw-rsa/pretest.dat index 4d89bed3e..01a7fdff3 100644 --- a/testing/tests/sql/rw-rsa/pretest.dat +++ b/testing/tests/sql/rw-rsa/pretest.dat @@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat index b02b19357..f66c5c57c 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat +++ b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat @@ -1,5 +1,5 @@ -alice::service charon stop 2> /dev/null -venus::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +alice::systemctl stop strongswan-swanctl +venus::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl sun::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F diff --git a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat index 8d61e4c87..d95028998 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat +++ b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat @@ -4,12 +4,15 @@ sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipse alice::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db venus::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +alice::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +venus::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +sun::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* sun::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 -sun::service charon start 2> /dev/null -alice::service charon start 2> /dev/null -venus::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl +alice::systemctl start strongswan-swanctl +venus::systemctl start strongswan-swanctl sun::expect-connection nat-t alice::expect-connection nat-t alice::swanctl --initiate --child nat-t 2> /dev/null diff --git a/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf index 1f367c2a0..ad4c18e43 100755 --- a/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf index 1f367c2a0..ad4c18e43 100755 --- a/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf index ff6e7193e..ad4c18e43 100755 --- a/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf @@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/config-payload/posttest.dat b/testing/tests/swanctl/config-payload/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/config-payload/posttest.dat +++ b/testing/tests/swanctl/config-payload/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/config-payload/pretest.dat b/testing/tests/swanctl/config-payload/pretest.dat index 9c281d032..706c08b5f 100755 --- a/testing/tests/swanctl/config-payload/pretest.dat +++ b/testing/tests/swanctl/config-payload/pretest.dat @@ -2,9 +2,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules moon::cat /etc/swanctl/swanctl_base.conf -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-carol carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf index 61ff4005b..48e34abba 100644 --- a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - cache_crls = yes } diff --git a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf index 61ff4005b..48e34abba 100644 --- a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - cache_crls = yes } diff --git a/testing/tests/swanctl/crl-to-cache/posttest.dat b/testing/tests/swanctl/crl-to-cache/posttest.dat index 210685a90..58dfa27b8 100644 --- a/testing/tests/swanctl/crl-to-cache/posttest.dat +++ b/testing/tests/swanctl/crl-to-cache/posttest.dat @@ -1,4 +1,4 @@ -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::rm /etc/swanctl/x509crl/* carol::rm /etc/swanctl/x509crl/* diff --git a/testing/tests/swanctl/crl-to-cache/pretest.dat b/testing/tests/swanctl/crl-to-cache/pretest.dat index 8f72f9cc7..b9e2a8eee 100644 --- a/testing/tests/swanctl/crl-to-cache/pretest.dat +++ b/testing/tests/swanctl/crl-to-cache/pretest.dat @@ -1,5 +1,5 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf index dda67e0fc..9932df379 100755 --- a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf index dda67e0fc..9932df379 100755 --- a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf index 1f1e0a652..c00d3dc4b 100755 --- a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf @@ -4,14 +4,9 @@ swanctl { load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - plugins { dhcp { server = 10.1.255.255 diff --git a/testing/tests/swanctl/dhcp-dynamic/posttest.dat b/testing/tests/swanctl/dhcp-dynamic/posttest.dat index 87e731511..37e8b02d8 100644 --- a/testing/tests/swanctl/dhcp-dynamic/posttest.dat +++ b/testing/tests/swanctl/dhcp-dynamic/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl venus::cat /var/state/dhcp/dhcpd.leases venus::server isc-dhcp-server stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/dhcp-dynamic/pretest.dat b/testing/tests/swanctl/dhcp-dynamic/pretest.dat index fd3d1bf5b..ace13851a 100644 --- a/testing/tests/swanctl/dhcp-dynamic/pretest.dat +++ b/testing/tests/swanctl/dhcp-dynamic/pretest.dat @@ -3,9 +3,9 @@ carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules venus::cat /etc/dhcp/dhcpd.conf venus::service isc-dhcp-server start 2> /dev/null -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/strongswan.conf index 2a7eaaa15..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/strongswan.conf index 2a7eaaa15..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/strongswan.conf index 2a7eaaa15..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/frags-ipv4/posttest.dat b/testing/tests/swanctl/frags-ipv4/posttest.dat index 17e36599c..2b4cc0c1a 100755 --- a/testing/tests/swanctl/frags-ipv4/posttest.dat +++ b/testing/tests/swanctl/frags-ipv4/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home 2> /dev/null dave::swanctl --terminate --ike home 2> /dev/null -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/frags-ipv4/pretest.dat b/testing/tests/swanctl/frags-ipv4/pretest.dat index 762c35418..dd1a17ccb 100755 --- a/testing/tests/swanctl/frags-ipv4/pretest.dat +++ b/testing/tests/swanctl/frags-ipv4/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/strongswan.conf index f9c0ace55..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - auth = /usr/local/sbin/swanctl --load-authorities - } } diff --git a/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/strongswan.conf index f9c0ace55..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - auth = /usr/local/sbin/swanctl --load-authorities - } } diff --git a/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/strongswan.conf index f9c0ace55..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - auth = /usr/local/sbin/swanctl --load-authorities - } } diff --git a/testing/tests/swanctl/frags-ipv6/posttest.dat b/testing/tests/swanctl/frags-ipv6/posttest.dat index 39b16a9be..07434159c 100755 --- a/testing/tests/swanctl/frags-ipv6/posttest.dat +++ b/testing/tests/swanctl/frags-ipv6/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home 2> /dev/null dave::swanctl --terminate --ike home 2> /dev/null -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/frags-ipv6/pretest.dat b/testing/tests/swanctl/frags-ipv6/pretest.dat index 9593ac9f8..131ec9937 100755 --- a/testing/tests/swanctl/frags-ipv6/pretest.dat +++ b/testing/tests/swanctl/frags-ipv6/pretest.dat @@ -7,9 +7,9 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf index 11b1576e4..886b31f9b 100755 --- a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici } diff --git a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf index be90bde25..886b31f9b 100755 --- a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf index 885d986c3..31cf56d24 100755 --- a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown sqlite attr-sql vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown sqlite attr-sql vici plugins { attr-sql { @@ -21,4 +16,5 @@ charon { pool { load = sqlite + database = sqlite:///etc/db.d/ipsec.db } diff --git a/testing/tests/swanctl/ip-pool-db/posttest.dat b/testing/tests/swanctl/ip-pool-db/posttest.dat index 2644b3941..9767f38a5 100755 --- a/testing/tests/swanctl/ip-pool-db/posttest.dat +++ b/testing/tests/swanctl/ip-pool-db/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/ip-pool-db/pretest.dat b/testing/tests/swanctl/ip-pool-db/pretest.dat index 955a3c9be..9573581df 100755 --- a/testing/tests/swanctl/ip-pool-db/pretest.dat +++ b/testing/tests/swanctl/ip-pool-db/pretest.dat @@ -7,9 +7,9 @@ moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf index 67e5a616a..ad4c18e43 100755 --- a/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf @@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/ip-pool/posttest.dat b/testing/tests/swanctl/ip-pool/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/ip-pool/posttest.dat +++ b/testing/tests/swanctl/ip-pool/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/ip-pool/pretest.dat b/testing/tests/swanctl/ip-pool/pretest.dat index 762c35418..dd1a17ccb 100755 --- a/testing/tests/swanctl/ip-pool/pretest.dat +++ b/testing/tests/swanctl/ip-pool/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/manual-prio/posttest.dat b/testing/tests/swanctl/manual-prio/posttest.dat index fd9726374..c9dcaa167 100755 --- a/testing/tests/swanctl/manual-prio/posttest.dat +++ b/testing/tests/swanctl/manual-prio/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 carol::ip route del 10.1.0.0/16 via 192.168.0.1 dave::ip route del 10.1.0.0/16 via 192.168.0.1 diff --git a/testing/tests/swanctl/manual-prio/pretest.dat b/testing/tests/swanctl/manual-prio/pretest.dat index 8613a0189..ba345ffea 100755 --- a/testing/tests/swanctl/manual-prio/pretest.dat +++ b/testing/tests/swanctl/manual-prio/pretest.dat @@ -1,9 +1,9 @@ winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 carol::ip route add 10.1.0.0/16 via 192.168.0.1 dave::ip route add 10.1.0.0/16 via 192.168.0.1 -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf index 7e2ee002e..54b79b35d 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf index 7e2ee002e..54b79b35d 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf index 40b0c5962..b18ba6809 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf @@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-radius eap-identity updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat index 25354d363..010a4f9c4 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat @@ -1,4 +1,4 @@ -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl alice::killall radiusd diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat index a6909c89f..57d39a5e6 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat @@ -5,9 +5,9 @@ alice::cat /etc/freeradius/triplets.dat carol::cat /etc/ipsec.d/triplets.dat dave::cat /etc/ipsec.d/triplets.dat alice::radiusd -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/strongswan.conf index 7c5aca6bf..f3b571a1b 100644 --- a/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/strongswan.conf index 7c5aca6bf..f3b571a1b 100644 --- a/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/strongswan.conf index 6d368f08b..f3b571a1b 100644 --- a/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/strongswan.conf @@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/multi-level-ca/posttest.dat b/testing/tests/swanctl/multi-level-ca/posttest.dat index acac04a3b..53013d08d 100644 --- a/testing/tests/swanctl/multi-level-ca/posttest.dat +++ b/testing/tests/swanctl/multi-level-ca/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home 2> /dev/null dave::swanctl --terminate --ike home 2> /dev/null -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null -carol::rm -r /etc/swanctl -dave::rm -r /etc/swanctl -moon::rm -r /etc/swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* diff --git a/testing/tests/swanctl/multi-level-ca/pretest.dat b/testing/tests/swanctl/multi-level-ca/pretest.dat index 4c1be2e14..e7f2ef179 100644 --- a/testing/tests/swanctl/multi-level-ca/pretest.dat +++ b/testing/tests/swanctl/multi-level-ca/pretest.dat @@ -1,6 +1,6 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection research carol::expect-connection alice carol::swanctl --initiate --child alice 2> /dev/null diff --git a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-cert/posttest.dat b/testing/tests/swanctl/net2net-cert/posttest.dat index 30d10b555..755f0e5f8 100755 --- a/testing/tests/swanctl/net2net-cert/posttest.dat +++ b/testing/tests/swanctl/net2net-cert/posttest.dat @@ -1,5 +1,5 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-cert/pretest.dat b/testing/tests/swanctl/net2net-cert/pretest.dat index b128bef44..9440ddab0 100755 --- a/testing/tests/swanctl/net2net-cert/pretest.dat +++ b/testing/tests/swanctl/net2net-cert/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection gw-gw sun::expect-connection gw-gw moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf index d766a705c..a35aea01c 100755 --- a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf @@ -1,22 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random + load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - default = 1 - } - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf index d766a705c..a35aea01c 100755 --- a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf @@ -1,22 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random + load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - default = 1 - } - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-ed25519/posttest.dat b/testing/tests/swanctl/net2net-ed25519/posttest.dat index 8d47767a0..30f6ede76 100755 --- a/testing/tests/swanctl/net2net-ed25519/posttest.dat +++ b/testing/tests/swanctl/net2net-ed25519/posttest.dat @@ -1,6 +1,6 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::rm /etc/swanctl/pkcs8/* diff --git a/testing/tests/swanctl/net2net-ed25519/pretest.dat b/testing/tests/swanctl/net2net-ed25519/pretest.dat index f939b3ac4..410253e54 100755 --- a/testing/tests/swanctl/net2net-ed25519/pretest.dat +++ b/testing/tests/swanctl/net2net-ed25519/pretest.dat @@ -2,8 +2,8 @@ moon::rm /etc/swanctl/rsa/moonKey.pem sun::rm /etc/swanctl/rsa/sunKey.pem moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection gw-gw sun::expect-connection gw-gw moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf index 4f54f610a..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf index 4f54f610a..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf index 4f54f610a..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-gw/posttest.dat b/testing/tests/swanctl/net2net-gw/posttest.dat index 94914f832..b29cf321e 100755 --- a/testing/tests/swanctl/net2net-gw/posttest.dat +++ b/testing/tests/swanctl/net2net-gw/posttest.dat @@ -1,8 +1,8 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null sun::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null -carol::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-gw/pretest.dat b/testing/tests/swanctl/net2net-gw/pretest.dat index e3136491c..acfd0e95e 100755 --- a/testing/tests/swanctl/net2net-gw/pretest.dat +++ b/testing/tests/swanctl/net2net-gw/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl carol::expect-connection gw-moon carol::expect-connection gw-sun moon::expect-connection gw-gw diff --git a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf index 2ff6ac024..812c12bf9 100644 --- a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf @@ -4,15 +4,11 @@ swanctl { load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - multiple_authentication = no + plugins { forecast { groups = 224.0.0.251 diff --git a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf index b119e8274..1c5da7b88 100644 --- a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf @@ -1,14 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - multiple_authentication = no + plugins { forecast { groups = 224.0.0.251 diff --git a/testing/tests/swanctl/net2net-multicast/posttest.dat b/testing/tests/swanctl/net2net-multicast/posttest.dat index ba484f90d..dc6949dbb 100644 --- a/testing/tests/swanctl/net2net-multicast/posttest.dat +++ b/testing/tests/swanctl/net2net-multicast/posttest.dat @@ -1,3 +1,3 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl diff --git a/testing/tests/swanctl/net2net-multicast/pretest.dat b/testing/tests/swanctl/net2net-multicast/pretest.dat index 5b8d98879..c5b1bdbfd 100644 --- a/testing/tests/swanctl/net2net-multicast/pretest.dat +++ b/testing/tests/swanctl/net2net-multicast/pretest.dat @@ -1,7 +1,7 @@ moon::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships sun::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection gw-gw sun::expect-connection gw-gw moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf index 531e286ce..29e75f7b8 100644 --- a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf index 531e286ce..29e75f7b8 100644 --- a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-pubkey/posttest.dat b/testing/tests/swanctl/net2net-pubkey/posttest.dat index c2227a5dd..a8696960d 100644 --- a/testing/tests/swanctl/net2net-pubkey/posttest.dat +++ b/testing/tests/swanctl/net2net-pubkey/posttest.dat @@ -1,6 +1,6 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::rm /etc/swanctl/pubkey/* diff --git a/testing/tests/swanctl/net2net-pubkey/pretest.dat b/testing/tests/swanctl/net2net-pubkey/pretest.dat index b4f48af72..021675bc5 100644 --- a/testing/tests/swanctl/net2net-pubkey/pretest.dat +++ b/testing/tests/swanctl/net2net-pubkey/pretest.dat @@ -2,8 +2,8 @@ sun::iptables-restore < /etc/iptables.rules moon::iptables-restore < /etc/iptables.rules sun::cd /etc/swanctl; rm x509/* x509ca/* moon::cd /etc/swanctl; rm x509/* x509ca/* -sun::service charon start 2> /dev/null -moon::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl +moon::systemctl start strongswan-swanctl sun::expect-connection gw-gw moon::expect-connection gw-gw moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf index 4ca179a5f..61d2bd9e4 100755 --- a/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-route/posttest.dat b/testing/tests/swanctl/net2net-route/posttest.dat index 30d10b555..755f0e5f8 100755 --- a/testing/tests/swanctl/net2net-route/posttest.dat +++ b/testing/tests/swanctl/net2net-route/posttest.dat @@ -1,5 +1,5 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-route/pretest.dat b/testing/tests/swanctl/net2net-route/pretest.dat index 459879bbc..fa303b64e 100755 --- a/testing/tests/swanctl/net2net-route/pretest.dat +++ b/testing/tests/swanctl/net2net-route/pretest.dat @@ -1,7 +1,7 @@ sun::iptables-restore < /etc/iptables.rules moon::iptables-restore < /etc/iptables.rules -sun::service charon start 2> /dev/null -moon::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl +moon::systemctl start strongswan-swanctl sun::expect-connection gw-gw moon::expect-connection gw-gw alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf index f102eeeae..73bb5f6b3 100755 --- a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf index f102eeeae..73bb5f6b3 100755 --- a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat index 30d10b555..755f0e5f8 100755 --- a/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat @@ -1,5 +1,5 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat index b128bef44..9440ddab0 100755 --- a/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection gw-gw sun::expect-connection gw-gw moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf index 1f367c2a0..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf index 1f367c2a0..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-start/posttest.dat b/testing/tests/swanctl/net2net-start/posttest.dat index 30d10b555..755f0e5f8 100755 --- a/testing/tests/swanctl/net2net-start/posttest.dat +++ b/testing/tests/swanctl/net2net-start/posttest.dat @@ -1,5 +1,5 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-start/pretest.dat b/testing/tests/swanctl/net2net-start/pretest.dat index 6c1783b74..681293753 100755 --- a/testing/tests/swanctl/net2net-start/pretest.dat +++ b/testing/tests/swanctl/net2net-start/pretest.dat @@ -1,5 +1,5 @@ sun::iptables-restore < /etc/iptables.rules moon::iptables-restore < /etc/iptables.rules -sun::service charon start 2> /dev/null -moon::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl +moon::systemctl start strongswan-swanctl moon::sleep 0.5 diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf index e3eb4e36d..79b138bd5 100644 --- a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - auths = /usr/local/sbin/swanctl --load-authorities - } plugins { revocation { enable_ocsp = no } - } + } } diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf index 3912f5e07..2e78d2279 100644 --- a/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf @@ -1,12 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { revocation { enable_ocsp = no diff --git a/testing/tests/swanctl/ocsp-disabled/posttest.dat b/testing/tests/swanctl/ocsp-disabled/posttest.dat index 672f4188c..f13bb51b0 100644 --- a/testing/tests/swanctl/ocsp-disabled/posttest.dat +++ b/testing/tests/swanctl/ocsp-disabled/posttest.dat @@ -1,3 +1,3 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl diff --git a/testing/tests/swanctl/ocsp-disabled/pretest.dat b/testing/tests/swanctl/ocsp-disabled/pretest.dat index e6d60458d..864909e24 100644 --- a/testing/tests/swanctl/ocsp-disabled/pretest.dat +++ b/testing/tests/swanctl/ocsp-disabled/pretest.dat @@ -1,5 +1,5 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/strongswan.conf index acf2151a9..f3b571a1b 100644 --- a/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/strongswan.conf @@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/strongswan.conf index 6d368f08b..f3b571a1b 100644 --- a/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/strongswan.conf @@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/strongswan.conf index 6d368f08b..f3b571a1b 100644 --- a/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/strongswan.conf @@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/ocsp-multi-level/posttest.dat b/testing/tests/swanctl/ocsp-multi-level/posttest.dat index acac04a3b..53013d08d 100644 --- a/testing/tests/swanctl/ocsp-multi-level/posttest.dat +++ b/testing/tests/swanctl/ocsp-multi-level/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home 2> /dev/null dave::swanctl --terminate --ike home 2> /dev/null -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null -carol::rm -r /etc/swanctl -dave::rm -r /etc/swanctl -moon::rm -r /etc/swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* diff --git a/testing/tests/swanctl/ocsp-multi-level/pretest.dat b/testing/tests/swanctl/ocsp-multi-level/pretest.dat index 7b83e219d..505f17572 100644 --- a/testing/tests/swanctl/ocsp-multi-level/pretest.dat +++ b/testing/tests/swanctl/ocsp-multi-level/pretest.dat @@ -1,6 +1,6 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection research carol::expect-connection home carol::swanctl --initiate --child alice 2> /dev/null diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf index 9ea516013..c7b494ddc 100644 --- a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - auths = /usr/local/sbin/swanctl --load-authorities - } } diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf index 9ba617c0a..d9c31430b 100644 --- a/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/ocsp-signer-cert/posttest.dat b/testing/tests/swanctl/ocsp-signer-cert/posttest.dat index 672f4188c..f13bb51b0 100644 --- a/testing/tests/swanctl/ocsp-signer-cert/posttest.dat +++ b/testing/tests/swanctl/ocsp-signer-cert/posttest.dat @@ -1,3 +1,3 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl diff --git a/testing/tests/swanctl/ocsp-signer-cert/pretest.dat b/testing/tests/swanctl/ocsp-signer-cert/pretest.dat index e6d60458d..864909e24 100644 --- a/testing/tests/swanctl/ocsp-signer-cert/pretest.dat +++ b/testing/tests/swanctl/ocsp-signer-cert/pretest.dat @@ -1,5 +1,5 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home diff --git a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf index 383a24213..91e32f7ba 100644 --- a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf index 383a24213..91e32f7ba 100644 --- a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/protoport-dual/posttest.dat b/testing/tests/swanctl/protoport-dual/posttest.dat index 2fc2bbb75..2b00bea8e 100644 --- a/testing/tests/swanctl/protoport-dual/posttest.dat +++ b/testing/tests/swanctl/protoport-dual/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/protoport-dual/pretest.dat b/testing/tests/swanctl/protoport-dual/pretest.dat index 87ee29bf6..2bdc109ab 100644 --- a/testing/tests/swanctl/protoport-dual/pretest.dat +++ b/testing/tests/swanctl/protoport-dual/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection icmp moon::expect-connection ssh carol::expect-connection icmp diff --git a/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf index 383a24213..91e32f7ba 100644 --- a/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf index 383a24213..91e32f7ba 100644 --- a/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/protoport-range/posttest.dat b/testing/tests/swanctl/protoport-range/posttest.dat index 2fc2bbb75..2b00bea8e 100644 --- a/testing/tests/swanctl/protoport-range/posttest.dat +++ b/testing/tests/swanctl/protoport-range/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/protoport-range/pretest.dat b/testing/tests/swanctl/protoport-range/pretest.dat index b45d4b3c6..7f38b7662 100644 --- a/testing/tests/swanctl/protoport-range/pretest.dat +++ b/testing/tests/swanctl/protoport-range/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection icmp-req moon::expect-connection icmp-rep moon::expect-connection ftp-ssh diff --git a/testing/tests/swanctl/rw-cert-pss/description.txt b/testing/tests/swanctl/rw-cert-pss/description.txt new file mode 100755 index 000000000..41c02b519 --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/description.txt @@ -0,0 +1,8 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b> +and <b>IKEv2 AUTH</b> payloads based on RSA-PSS signatures. +<p/> +Upon the successful establishment of the IPsec tunnels, the updown script +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/swanctl/rw-cert-pss/evaltest.dat b/testing/tests/swanctl/rw-cert-pss/evaltest.dat new file mode 100755 index 000000000..a62fda968 --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/evaltest.dat @@ -0,0 +1,14 @@ +carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256 successful::YES +moon ::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256 successful::YES +moon ::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA_EMSA_PSS_SHA2_512 successful::YES +moon ::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA_EMSA_PSS_SHA2_384 successful::YES +alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES +alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave :: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon :: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon :: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..3a9630fc1 --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/strongswan.conf @@ -0,0 +1,18 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici + + syslog { + daemon { + default = 1 + } + auth { + default = 0 + } + } +} diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/rsa/carolKey.pem new file mode 100644 index 000000000..1454ec54c --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/rsa/carolKey.pem @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F + +1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b +/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ +/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o +Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+ +f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6 +LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv +06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC +e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr +3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC +sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily +c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy +UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h +XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T +iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO +Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO +v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO +t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H +8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA +jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p +p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS +7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk +GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+ +4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0 +yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd ++85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7aceb6913 --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = rsa/pss-sha512 + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + rsa-carol { + file = carolKey.pem + secret = "nH5ZQEWtku0RJEZ6" + } +} diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..3a9630fc1 --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/strongswan.conf @@ -0,0 +1,18 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici + + syslog { + daemon { + default = 1 + } + auth { + default = 0 + } + } +} diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..4c7c177ed --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = rsa/pss-sha384 + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..4bd975a00 --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici + + rsa_pss = yes + + syslog { + daemon { + default = 1 + } + auth { + default = 0 + } + } +} diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..4ba02ad6c --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-cert-pss/posttest.dat b/testing/tests/swanctl/rw-cert-pss/posttest.dat new file mode 100755 index 000000000..b909ac76c --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/posttest.dat @@ -0,0 +1,8 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-cert-pss/pretest.dat b/testing/tests/swanctl/rw-cert-pss/pretest.dat new file mode 100755 index 000000000..dd1a17ccb --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/pretest.dat @@ -0,0 +1,11 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/libipsec/rw-suite-b/test.conf b/testing/tests/swanctl/rw-cert-pss/test.conf index f29298850..1227b9d1c 100644..100755 --- a/testing/tests/libipsec/rw-suite-b/test.conf +++ b/testing/tests/swanctl/rw-cert-pss/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf index 909bca0fc..b415e075c 100755 --- a/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf index 909bca0fc..b415e075c 100755 --- a/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf index 909bca0fc..b415e075c 100755 --- a/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-cert/posttest.dat b/testing/tests/swanctl/rw-cert/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-cert/posttest.dat +++ b/testing/tests/swanctl/rw-cert/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-cert/pretest.dat b/testing/tests/swanctl/rw-cert/pretest.dat index 762c35418..dd1a17ccb 100755 --- a/testing/tests/swanctl/rw-cert/pretest.dat +++ b/testing/tests/swanctl/rw-cert/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf index ec6625370..6339790cd 100644 --- a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf @@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - plugins { ipseckey { enable = yes diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf index ec6625370..6339790cd 100644 --- a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf @@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - plugins { ipseckey { enable = yes diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf index dcca175db..617b812d5 100644 --- a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf @@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey curve25519 gmp hmac vici kernel-netlink socket-default updown attr - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } dns1 = PH_IP_WINNETOU dns2 = PH_IP_VENUS diff --git a/testing/tests/swanctl/rw-dnssec/posttest.dat b/testing/tests/swanctl/rw-dnssec/posttest.dat index 48a4abe78..dba97a988 100644 --- a/testing/tests/swanctl/rw-dnssec/posttest.dat +++ b/testing/tests/swanctl/rw-dnssec/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::rm /etc/swanctl/pubkey/* carol::rm /etc/swanctl/pubkey/* dave::rm /etc/swanctl/pubkey/* diff --git a/testing/tests/swanctl/rw-dnssec/pretest.dat b/testing/tests/swanctl/rw-dnssec/pretest.dat index 5faf602fc..ca44e08fc 100644 --- a/testing/tests/swanctl/rw-dnssec/pretest.dat +++ b/testing/tests/swanctl/rw-dnssec/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm x509/* x509ca/* carol::cd /etc/swanctl; rm x509/* x509ca/* dave::cd /etc/swanctl; rm x509/* x509ca/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf index dd99cdbf9..653488a66 100644 --- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf @@ -1,16 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-simaka-sql { database = sqlite:///etc/ipsec.d/ipsec.db diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf index dd99cdbf9..653488a66 100644 --- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf @@ -1,16 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-simaka-sql { database = sqlite:///etc/ipsec.d/ipsec.db diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat index 2fc2bbb75..2b00bea8e 100644 --- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat index 3842250e6..2fa2d200d 100644 --- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat @@ -3,8 +3,8 @@ carol::iptables-restore < /etc/iptables.rules carol::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db moon::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db carol::cd /etc/swanctl; rm rsa/* x509/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-eap carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf index 4b8e68e6d..d2cc789b3 100644 --- a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf index 4b8e68e6d..d2cc789b3 100644 --- a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat index 2fc2bbb75..2b00bea8e 100644 --- a/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat index 96c1ed114..8cc1c4dc5 100644 --- a/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat @@ -1,8 +1,8 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules carol::cd /etc/swanctl; rm rsa/* x509/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-eap carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf index 14afb43a1..cae0025f6 100755 --- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici } libtls { diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf index 14afb43a1..cae0025f6 100755 --- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici } libtls { diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf index c090d6853..9c4e819c5 100755 --- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat index 762c35418..dd1a17ccb 100755 --- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf index d58694c38..90f42a1c5 100755 --- a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } - hash_and_url = yes } diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf index d58694c38..90f42a1c5 100755 --- a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } - hash_and_url = yes } diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf index d58694c38..90f42a1c5 100755 --- a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } - hash_and_url = yes } diff --git a/testing/tests/swanctl/rw-hash-and-url/posttest.dat b/testing/tests/swanctl/rw-hash-and-url/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-hash-and-url/posttest.dat +++ b/testing/tests/swanctl/rw-hash-and-url/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-hash-and-url/pretest.dat b/testing/tests/swanctl/rw-hash-and-url/pretest.dat index 762c35418..dd1a17ccb 100755 --- a/testing/tests/swanctl/rw-hash-and-url/pretest.dat +++ b/testing/tests/swanctl/rw-hash-and-url/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf index 22b318472..b8874523b 100755 --- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf @@ -1,23 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pkcs1 pem x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf index a55b90a5d..c2b18d966 100755 --- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf @@ -1,23 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce des sha1 sha2 hmac pkcs1 pem x509 revocation gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf index e7b5caaf8..85354251d 100755 --- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf @@ -1,23 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes des sha1 sha2 hmac pkcs1 pem x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat b/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat +++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/pretest.dat b/testing/tests/swanctl/rw-multi-ciphers-ikev1/pretest.dat index 37029c074..dc541004d 100755 --- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/pretest.dat +++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection net-1 moon::expect-connection net-2 carol::expect-connection home diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf index 6bfef3d39..16dcf16a1 100755 --- a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf @@ -1,17 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random + load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random } -charon { - load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici +charon-systemd { + load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf index 1d90adb5d..475705026 100755 --- a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf @@ -1,17 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random + load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random } -charon { - load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation pubkey gmp curl kernel-netlink socket-default updown vici +charon-systemd { + load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation pubkey gmp curl kernel-netlink socket-default updown vici send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf index d4e3ca2e5..16dcf16a1 100755 --- a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf @@ -1,18 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random + load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random } -charon { +charon-systemd { load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-newhope-bliss/posttest.dat b/testing/tests/swanctl/rw-newhope-bliss/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-newhope-bliss/posttest.dat +++ b/testing/tests/swanctl/rw-newhope-bliss/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-newhope-bliss/pretest.dat b/testing/tests/swanctl/rw-newhope-bliss/pretest.dat index a550a2f6d..7772b25eb 100755 --- a/testing/tests/swanctl/rw-newhope-bliss/pretest.dat +++ b/testing/tests/swanctl/rw-newhope-bliss/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm rsa/* x509/moonCert.pem x509ca/strongswanCert.pem carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem dave::cd /etc/swanctl; rm rsa/* x509/daveCert.pem x509ca/strongswanCert.pem -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf index b158ccdb3..d655720cf 100644 --- a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf @@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf index b158ccdb3..d655720cf 100644 --- a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf @@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf index c6dd6be45..d655720cf 100644 --- a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf @@ -1,14 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-ntru-bliss/posttest.dat b/testing/tests/swanctl/rw-ntru-bliss/posttest.dat index 58d5b8675..84935ec51 100644 --- a/testing/tests/swanctl/rw-ntru-bliss/posttest.dat +++ b/testing/tests/swanctl/rw-ntru-bliss/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-ntru-bliss/pretest.dat b/testing/tests/swanctl/rw-ntru-bliss/pretest.dat index a550a2f6d..7772b25eb 100644 --- a/testing/tests/swanctl/rw-ntru-bliss/pretest.dat +++ b/testing/tests/swanctl/rw-ntru-bliss/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm rsa/* x509/moonCert.pem x509ca/strongswanCert.pem carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem dave::cd /etc/swanctl; rm rsa/* x509/daveCert.pem x509ca/strongswanCert.pem -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf index 335f38995..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf index 335f38995..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf index 335f38995..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-psk-fqdn/posttest.dat b/testing/tests/swanctl/rw-psk-fqdn/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/posttest.dat +++ b/testing/tests/swanctl/rw-psk-fqdn/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-psk-fqdn/pretest.dat b/testing/tests/swanctl/rw-psk-fqdn/pretest.dat index 519b168ae..48849c8b0 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/pretest.dat +++ b/testing/tests/swanctl/rw-psk-fqdn/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/* dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf index e539ea5f4..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf @@ -4,20 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf index 02f6c1b36..a12456f26 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf @@ -4,20 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac gmp kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf index c42979965..f196d2431 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf @@ -4,20 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 gmp kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } diff --git a/testing/tests/swanctl/rw-psk-ikev1/posttest.dat b/testing/tests/swanctl/rw-psk-ikev1/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/posttest.dat +++ b/testing/tests/swanctl/rw-psk-ikev1/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-psk-ikev1/pretest.dat b/testing/tests/swanctl/rw-psk-ikev1/pretest.dat index 3393f516d..51c301923 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/pretest.dat +++ b/testing/tests/swanctl/rw-psk-ikev1/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/* dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection net-1 moon::expect-connection net-2 carol::expect-connection home diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf index 53973cf61..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf index 53973cf61..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf index 5efaed621..0325fe9a2 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-psk-ipv4/posttest.dat b/testing/tests/swanctl/rw-psk-ipv4/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/posttest.dat +++ b/testing/tests/swanctl/rw-psk-ipv4/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-psk-ipv4/pretest.dat b/testing/tests/swanctl/rw-psk-ipv4/pretest.dat index 519b168ae..48849c8b0 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/pretest.dat +++ b/testing/tests/swanctl/rw-psk-ipv4/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/* dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf index dc166b588..331d5bc94 100755 --- a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pubkey openssl random + load = pem pkcs1 pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf index dc166b588..331d5bc94 100755 --- a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pubkey openssl random + load = pem pkcs1 pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf index 720e903c9..6b99d98a9 100755 --- a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-anon/posttest.dat b/testing/tests/swanctl/rw-pubkey-anon/posttest.dat index 48a4abe78..dba97a988 100755 --- a/testing/tests/swanctl/rw-pubkey-anon/posttest.dat +++ b/testing/tests/swanctl/rw-pubkey-anon/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::rm /etc/swanctl/pubkey/* carol::rm /etc/swanctl/pubkey/* dave::rm /etc/swanctl/pubkey/* diff --git a/testing/tests/swanctl/rw-pubkey-anon/pretest.dat b/testing/tests/swanctl/rw-pubkey-anon/pretest.dat index 5faf602fc..ca44e08fc 100755 --- a/testing/tests/swanctl/rw-pubkey-anon/pretest.dat +++ b/testing/tests/swanctl/rw-pubkey-anon/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm x509/* x509ca/* carol::cd /etc/swanctl; rm x509/* x509ca/* dave::cd /etc/swanctl; rm x509/* x509ca/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf index dc166b588..331d5bc94 100755 --- a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pubkey openssl random + load = pem pkcs1 pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf index dc166b588..331d5bc94 100755 --- a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pubkey openssl random + load = pem pkcs1 pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf index 720e903c9..6b99d98a9 100755 --- a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat b/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat index 48a4abe78..dba97a988 100755 --- a/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat +++ b/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::rm /etc/swanctl/pubkey/* carol::rm /etc/swanctl/pubkey/* dave::rm /etc/swanctl/pubkey/* diff --git a/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat b/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat index de43d510d..e0ca17a4c 100755 --- a/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat +++ b/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat @@ -5,9 +5,9 @@ moon::cd /etc/swanctl; rm x509/* x509ca/* carol::cd /etc/swanctl; rm x509/* x509ca/* dave::cd /etc/swanctl; rm x509/* x509ca/* moon::cat /etc/swanctl/swanctl_base.conf -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-carol carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf index ee5b26120..bf799a29b 100644 --- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf @@ -1,11 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } keep_alive = 5 } diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf index e5c0136d8..91e32f7ba 100644 --- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf index ee5b26120..bf799a29b 100644 --- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf @@ -1,11 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } keep_alive = 5 } diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat b/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat index b02b19357..f66c5c57c 100644 --- a/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat +++ b/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat @@ -1,5 +1,5 @@ -alice::service charon stop 2> /dev/null -venus::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +alice::systemctl stop strongswan-swanctl +venus::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl sun::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat b/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat index d6bc0709e..e871fba2b 100644 --- a/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat +++ b/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat @@ -1,9 +1,9 @@ sun::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 -sun::service charon start 2> /dev/null -alice::service charon start 2> /dev/null -venus::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl +alice::systemctl start strongswan-swanctl +venus::systemctl start strongswan-swanctl sun::expect-connection nat-t alice::expect-connection nat-t venus::expect-connection nat-t diff --git a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf index 2976558fc..fccc73f22 100644 --- a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf index 2976558fc..fccc73f22 100644 --- a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf index 2976558fc..fccc73f22 100644 --- a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/xauth-rsa/posttest.dat b/testing/tests/swanctl/xauth-rsa/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/swanctl/xauth-rsa/posttest.dat +++ b/testing/tests/swanctl/xauth-rsa/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/xauth-rsa/pretest.dat b/testing/tests/swanctl/xauth-rsa/pretest.dat index 762c35418..dd1a17ccb 100644 --- a/testing/tests/swanctl/xauth-rsa/pretest.dat +++ b/testing/tests/swanctl/xauth-rsa/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf index 063bb6fc9..b094a3aaa 100644 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 } diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf index 063bb6fc9..b094a3aaa 100644 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 } diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf index a3d85b054..aacee2221 100644 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 } diff --git a/testing/tests/tnc/tnccs-11-fhh/posttest.dat b/testing/tests/tnc/tnccs-11-fhh/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-11-fhh/posttest.dat +++ b/testing/tests/tnc/tnccs-11-fhh/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/tnc/tnccs-11-fhh/pretest.dat index f0f6446bf..79340af29 100644 --- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat +++ b/testing/tests/tnc/tnccs-11-fhh/pretest.dat @@ -10,9 +10,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf index 80c96b677..305a9d1e6 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf index 691cdbc2d..5d17eb638 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf index 71fc7dd0c..4c9dd6e1f 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf @@ -1,18 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-radius { - secret = gv6URkSs - server = 10.1.0.10 + secret = gv6URkSs + server = 10.1.0.10 filter_id = yes } } diff --git a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat index 2989f347c..0d96563c1 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat +++ b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl alice::killall radiusd alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second moon::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat index cc0ce6c31..efddc609e 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat @@ -11,9 +11,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf index 978cc6659..a534ac66e 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf index 0bc6e3525..469e81156 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf @@ -1,19 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no retransmit_tries = 5 - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf index 387236ebc..cbaf67c89 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf @@ -1,18 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-radius updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-radius { - secret = gv6URkSs - server = 10.1.0.10 + secret = gv6URkSs + server = 10.1.0.10 filter_id = yes } } diff --git a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat index db806c3c9..ab96df0ed 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat +++ b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl alice::killall radiusd alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second carol::echo 1 > /proc/sys/net/ipv4/ip_forward diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat index 5745ffede..7d0dfa385 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat @@ -15,9 +15,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf index 09ca9d0e4..1ca6c3d10 100644 --- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf index 9c6f28fe3..9df983c80 100644 --- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } + syslog { daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf index 71fc7dd0c..4c9dd6e1f 100644 --- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf @@ -1,18 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-radius { - secret = gv6URkSs - server = 10.1.0.10 + secret = gv6URkSs + server = 10.1.0.10 filter_id = yes } } diff --git a/testing/tests/tnc/tnccs-11-radius/posttest.dat b/testing/tests/tnc/tnccs-11-radius/posttest.dat index 2989f347c..0d96563c1 100644 --- a/testing/tests/tnc/tnccs-11-radius/posttest.dat +++ b/testing/tests/tnc/tnccs-11-radius/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl alice::killall radiusd alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second moon::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat index 57e2ee6b4..bb2ce93b3 100644 --- a/testing/tests/tnc/tnccs-11-radius/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius/pretest.dat @@ -11,9 +11,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf index af30c204d..649426628 100644 --- a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf index 524536228..0a20b9407 100644 --- a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf index bba631b1f..ad5cb6205 100644 --- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-11/posttest.dat b/testing/tests/tnc/tnccs-11/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-11/posttest.dat +++ b/testing/tests/tnc/tnccs-11/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11/pretest.dat b/testing/tests/tnc/tnccs-11/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-11/pretest.dat +++ b/testing/tests/tnc/tnccs-11/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf index fac3dc02d..aa8bb7cd3 100644 --- a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf index 168e4ec64..b3d3049be 100644 --- a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf index bb15d3ffa..b3845a3ee 100644 --- a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-20-block/posttest.dat b/testing/tests/tnc/tnccs-20-block/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-block/posttest.dat +++ b/testing/tests/tnc/tnccs-20-block/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-block/pretest.dat b/testing/tests/tnc/tnccs-20-block/pretest.dat index c09abf917..13677a470 100644 --- a/testing/tests/tnc/tnccs-20-block/pretest.dat +++ b/testing/tests/tnc/tnccs-20-block/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf index aceddc368..fa3458e22 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } } @@ -27,7 +20,7 @@ libtls { libimcv { plugins { imc-test { - command = isolate + command = isolate retry = yes retry_command = allow } diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf index 7ac1a5d70..f4d6543aa 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } plugins { diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf index a0b807755..10d0ae864 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 2 @@ -34,7 +27,7 @@ libtls { libimcv { plugins { imv-test { - rounds = 0 + rounds = 0 } imv-scanner { closed_port_policy = yes diff --git a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat +++ b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat +++ b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat index 2248d002c..a327dae63 100644 --- a/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat @@ -11,7 +11,7 @@ alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by T alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES alice::cat /var/log/daemon.log::received software inventory with ... items for request 3 at last eid 1 of epoch::YES alice::cat /var/log/daemon.log::role=.softwareCreator licensor tagCreator::YES -alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES @@ -20,5 +20,5 @@ alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by passwo alice::cat /var/log/daemon.log::received software ID events with ... items for request 9 at last eid 2 of epoch::YES alice::cat /var/log/daemon.log::3 SWID tag target::YES alice::cat /var/log/daemon.log::received software inventory with 3 items for request 9 at last eid 2 of epoch::YES -alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf index 1148b945a..04d7dbacc 100644 --- a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf @@ -1,15 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce pem pkcs1 x509 openssl revocation constraints curl vici socket-default kernel-netlink tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite syslog { - auth { - default = 0 - } daemon { tls = 2 - tnc = 2 + tnc = 2 imv = 3 } } @@ -32,7 +29,7 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-swima { @@ -44,6 +41,6 @@ libimcv { } imv_policy_manager { - command_allow = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is allowed\""' - command_block = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is blocked\""' + command_allow = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is allowed\""' + command_block = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is blocked\""' } diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat index 09c8a6cbc..c0049d7fd 100644 --- a/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat @@ -1,8 +1,8 @@ carol::ip route del 10.1.0.0/16 via 192.168.0.1 dave::ip route del 10.1.0.0/16 via 192.168.0.1 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 -alice::service charon stop -alice::service apache2 stop +alice::systemctl stop strongswan-swanctl +alice::systemctl stop apache2 alice::rm /etc/swanctl/rsa/aaaKey.pem alice::rm /etc/swanctl/x509/aaaCert.pem alice::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/pretest.dat index c0d732368..3e4fbefa1 100644 --- a/testing/tests/tnc/tnccs-20-ev-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/pretest.dat @@ -13,8 +13,8 @@ alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/usr/local/bin/init_tnc alice::rm /etc/swanctl/x509/aliceCert.pem alice::rm /etc/swanctl/rsa/aliceKey.pem -alice::service charon start -alice::service apache2 start +alice::systemctl start apache2 +alice::systemctl start strongswan-swanctl alice::swanctl --load-creds winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 dave::ip route add 10.1.0.0/16 via 192.168.0.1 diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf index 073355713..e91440326 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf index 6c1b9917b..6c84f3abb 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 @@ -24,7 +17,7 @@ charon { } tnccs-20 { tests { - pb_tnc_noskip = yes + pb_tnc_noskip = yes } } } diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf index 165c5ccb9..1e9995eb6 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-20-fail-init/posttest.dat b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/posttest.dat +++ b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat +++ b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf index 56fa7a967..66c6cb541 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf index cb6abf305..a6e58ba4e 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat index 9af5f39a2..8158822a6 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat +++ b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat @@ -1,4 +1,4 @@ -carol::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat index 5af3b7500..d61ea90ad 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat +++ b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat @@ -4,8 +4,8 @@ moon::cat /etc/tnc_config carol::cat /etc/tnc_config carol::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf index c3338d43b..aa4934fb1 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } } diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf index 89d9e50bd..8fc1c8729 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } } diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf index 0cd34865c..4732fbd4b 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 2 diff --git a/testing/tests/tnc/tnccs-20-fhh/posttest.dat b/testing/tests/tnc/tnccs-20-fhh/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-fhh/posttest.dat +++ b/testing/tests/tnc/tnccs-20-fhh/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-fhh/pretest.dat b/testing/tests/tnc/tnccs-20-fhh/pretest.dat index f0f6446bf..79340af29 100644 --- a/testing/tests/tnc/tnccs-20-fhh/pretest.dat +++ b/testing/tests/tnc/tnccs-20-fhh/pretest.dat @@ -10,9 +10,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf index 195534315..fb77fd87e 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imv = 3 } } @@ -36,5 +30,5 @@ charon { libimcv { debug_level = 3 - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager } diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf index f0a6c4bde..883f154b8 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 3 } } @@ -43,7 +36,7 @@ libimcv { plugins { imc-hcd { - push_info = no + push_info = no subtypes { system { attributes_natural_language = en @@ -78,7 +71,7 @@ libimcv { resident_application { resident-app-1 { - name = Resident App XYZ + name = Resident App XYZ patches = "xmas patch 2014-12-24\r\nservice patch for App XYZ 2015-05-22\r\n" string_version = 2.5 version = 00000002000000050000000000000000 @@ -137,7 +130,7 @@ libimcv { version = 00000007000000080000000000000000 } } - + resident_application { resident-app-if { name = Resident Interface App @@ -150,10 +143,10 @@ libimcv { scanner { attributes_natural_language = en - + firmware { fw-scanner { - name = Scanner Firmware + name = Scanner Firmware patches = "security patch 2013-08-11\r\nsecurity patch 2015-5-30\r\n" string_version = 2.5.3 version = 00000002000000050000000300000000 diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf index f5c3440c1..9f1718992 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 3 } } @@ -52,18 +45,18 @@ libimcv { vendor_smi_code = 36906 pstn_fax_enabled = yes time_source = 0.ch.pool.ntp.org - user_application_enabled = no + user_application_enabled = no user_application_persistence_enabled = no firmware { fw-1 { - name = Firmware ABC + name = Firmware ABC patches = "security patch 2014-05-08\r\nupgrade 2014-08-16\r\nsecurity patch 2015-3-22\r\n" string_version = 1.0.7 version = 00000001000000000000000700000000 } fw-2 { - name = Firmware UVW + name = Firmware UVW string_version = 13.8.5 version = 0000000D000000080000000500000000 } @@ -71,7 +64,7 @@ libimcv { resident_application { resident-app-1 { - name = Resident App XYZ + name = Resident App XYZ patches = "xmas patch 2014-12-24\r\nservice patch 2015-05-22\r\n" string_version = 2.5 version = 00000002000000050000000000000000 @@ -96,7 +89,7 @@ libimcv { interface { attributes_natural_language = en - + firmware { fw-if { name = Interface Firmware @@ -118,10 +111,10 @@ libimcv { scanner { attributes_natural_language = en - + firmware { fw-scanner { - name = Scanner Firmware + name = Scanner Firmware patches = "security patch 2013-08-11\r\nsecurity patch 2015-5-30\r\n" string_version = 2.5.3 version = 00000002000000050000000300000000 diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf index 4dae69352..08e5e38e5 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf @@ -1,17 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-radius updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-radius { secret = gv6URkSs - #server = PH_IP6_ALICE + #server = PH_IP6_ALICE server = PH_IP_ALICE filter_id = yes } diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat index bcd655353..33a60f9ab 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat +++ b/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat @@ -1,7 +1,7 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop -alice::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +alice::systemctl stop strongswan-swanctl alice::rm /etc/swanctl/rsa/aaaKey.pem alice::rm /etc/swanctl/x509/aaaCert.pem winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat index f9b4159d9..decc2394a 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat @@ -9,10 +9,10 @@ carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id alice::rm /etc/swanctl/rsa/aliceKey.pem alice::rm /etc/swanctl/x509/aliceCert.pem -alice::service charon start -moon::service charon start -carol::service charon start -dave::service charon start +alice::systemctl start strongswan-swanctl +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf index a555970ec..a773b17be 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 imv = 2 } @@ -36,10 +29,10 @@ libtls { libimcv { plugins { imc-test { - command = allow + command = allow } imv-test { rounds = 1 - } + } } } diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf index b2280db18..7e049dc02 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf @@ -1,20 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown - multiple_authentication = no - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } + multiple_authentication = no syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 imv = 2 } @@ -38,10 +30,10 @@ libtls { libimcv { plugins { imc-test { - command = none + command = none } imv-test { - rounds = 1 - } + rounds = 1 + } } } diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat index 4677e46f0..8b792b878 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat @@ -1,4 +1,4 @@ -moon::service charon stop -sun::service charon stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat index ac707d436..1a20775d8 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start -sun::service charon start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl sun::expect-connection mutual moon::expect-connection mutual moon::swanctl --initiate --child mutual diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf index 1212e2356..a773b17be 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 imv = 2 } @@ -40,6 +33,6 @@ libimcv { } imv-test { rounds = 1 - } + } } } diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf index f29175d67..879a3cdac 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf @@ -1,20 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown - multiple_authentication = no - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } + multiple_authentication = no syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 imv = 2 } @@ -38,10 +30,10 @@ libtls { libimcv { plugins { imc-test { - command = allow + command = allow } imv-test { - rounds = 1 - } + rounds = 1 + } } } diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat index 4677e46f0..8b792b878 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat @@ -1,4 +1,4 @@ -moon::service charon stop -sun::service charon stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat index ac707d436..1a20775d8 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start -sun::service charon start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl sun::expect-connection mutual moon::expect-connection mutual moon::swanctl --initiate --child mutual diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf index 9e694bc01..b596dbc1b 100644 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20 +charon-systemd { + load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20 - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 imv = 2 } @@ -36,10 +30,10 @@ libtls { libimcv { plugins { imc-test { - command = allow + command = allow } imv-test { - rounds = 1 - } + rounds = 1 + } } } diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat index d1f83a319..767e8f2ba 100644 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat @@ -1 +1 @@ -sun::service charon stop +sun::systemctl stop strongswan-swanctl diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat index 8642292a8..9da18266e 100644 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat @@ -1,4 +1,4 @@ -sun::service charon start +sun::systemctl start strongswan-swanctl moon::cat /etc/pts/options moon::sleep 1 moon::/usr/local/bin/pt-tls-client --optionsfrom /etc/pts/options diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-nea-pt-tls/evaltest.dat index 198b2bde3..7850e2e74 100644 --- a/testing/tests/tnc/tnccs-20-nea-pt-tls/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/evaltest.dat @@ -10,7 +10,7 @@ alice::cat /var/log/daemon.log::certificate status is good::YES alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES alice::cat /var/log/daemon.log::received software inventory with ... items for request 3 at last eid 1 of epoch::YES -alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES @@ -21,5 +21,5 @@ alice::cat /var/log/daemon.log::received software ID inventory with ... items fo alice::cat /var/log/daemon.log::1 SWID tag target::YES alice::cat /var/log/daemon.log::received software inventory with 1 item for request 9 at last eid 1 of epoch::YES alice::cat /var/log/daemon.log::strongswan.org__strongSwan.*@ /usr/local/share/strongswan::YES -alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongswan.conf index 1148b945a..04d7dbacc 100644 --- a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongswan.conf @@ -1,15 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce pem pkcs1 x509 openssl revocation constraints curl vici socket-default kernel-netlink tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite syslog { - auth { - default = 0 - } daemon { tls = 2 - tnc = 2 + tnc = 2 imv = 3 } } @@ -32,7 +29,7 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-swima { @@ -44,6 +41,6 @@ libimcv { } imv_policy_manager { - command_allow = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is allowed\""' - command_block = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is blocked\""' + command_allow = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is allowed\""' + command_block = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is blocked\""' } diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-nea-pt-tls/posttest.dat index 09c8a6cbc..c0049d7fd 100644 --- a/testing/tests/tnc/tnccs-20-nea-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/posttest.dat @@ -1,8 +1,8 @@ carol::ip route del 10.1.0.0/16 via 192.168.0.1 dave::ip route del 10.1.0.0/16 via 192.168.0.1 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 -alice::service charon stop -alice::service apache2 stop +alice::systemctl stop strongswan-swanctl +alice::systemctl stop apache2 alice::rm /etc/swanctl/rsa/aaaKey.pem alice::rm /etc/swanctl/x509/aaaCert.pem alice::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-nea-pt-tls/pretest.dat index d8ac3ab41..c895148f2 100644 --- a/testing/tests/tnc/tnccs-20-nea-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/pretest.dat @@ -13,8 +13,8 @@ alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/usr/local/bin/init_tnc alice::rm /etc/swanctl/x509/aliceCert.pem alice::rm /etc/swanctl/rsa/aliceKey.pem -alice::service charon start -alice::service apache2 start +alice::systemctl start apache2 +alice::systemctl start strongswan-swanctl alice::swanctl --load-creds winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 dave::ip route add 10.1.0.0/16 via 192.168.0.1 diff --git a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat index 8056a90e9..5dbfa8247 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat @@ -1,19 +1,19 @@ -carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*dave@strongswan.org - isolate::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf index d3941d811..3e4d76f10 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imc = 3 pts = 3 } diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf index 134cd991c..2e249d48d 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no retransmit_tries = 5 - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imc = 3 pts = 3 } diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf index e58bab611..a683ba77c 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imv = 3 pts = 3 } @@ -34,10 +27,10 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-attestation { - hash_algorithm = sha1 + hash_algorithm = sha256 } } } diff --git a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat index ce72d2ca9..9c55c19cd 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat index 03e5f22af..1167f55ea 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat @@ -12,14 +12,14 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate -carol::expect-connection home -carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home dave::swanctl --initiate --child home 2> /dev/null +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null moon::ipsec attest --sessions moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf index ef90078f2..3ec0227b2 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imc = 3 } } diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf index 4af05ad31..7de2756a9 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imc = 3 } } diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf index 53c515f77..8e8fda6c4 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imv = 3 } } diff --git a/testing/tests/tnc/tnccs-20-os/posttest.dat b/testing/tests/tnc/tnccs-20-os/posttest.dat index ce72d2ca9..9c55c19cd 100644 --- a/testing/tests/tnc/tnccs-20-os/posttest.dat +++ b/testing/tests/tnc/tnccs-20-os/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat index 13ae2b71f..3c5037aae 100644 --- a/testing/tests/tnc/tnccs-20-os/pretest.dat +++ b/testing/tests/tnc/tnccs-20-os/pretest.dat @@ -13,9 +13,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf index 240ebbafb..e01fe4b4c 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imv = 3 } } @@ -35,7 +29,7 @@ charon { } libimcv { - debug_level = 3 + debug_level = 3 database = sqlite:///etc/db.d/config.db policy_script = /usr/local/libexec/ipsec/imv_policy_manager diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf index 47b9affed..a8aff3883 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 3 } } diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf index d00808398..852e0714e 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 3 } } diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf index 8b931afc9..bcf316622 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf @@ -1,18 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-radius updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-radius { secret = gv6URkSs - #server = PH_IP6_ALICE + #server = PH_IP6_ALICE server = PH_IP_ALICE filter_id = yes } diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat index e5ec2afc7..97850dc97 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat @@ -1,8 +1,8 @@ -moon::service charon stop -carol::service charon stop -dave::service charon stop -alice::service charon stop -alice::service apache2 stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +alice::systemctl stop strongswan-swanctl +alice::systemctl stop apache2 alice::rm /etc/swanctl/x509/aaaCert.pem alice::rm /etc/swanctl/rsa/aaaKey.pem moon::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat index 385cc305a..15dcc54d8 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat @@ -17,11 +17,11 @@ alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/usr/local/bin/init_tnc -alice::service apache2 start -alice::service charon start -moon::service charon start -dave::service charon start -carol::service charon start +alice::systemctl start apache2 +alice::systemctl start strongswan-swanctl +moon::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate dave::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat index fc232bfde..bf4191618 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat @@ -9,7 +9,7 @@ alice::cat /var/log/daemon.log::certificate status is good::YES alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES alice::cat /var/log/daemon.log::received SWID tag inventory with ... items for request 3 at eid 1 of epoch::YES -alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES @@ -19,5 +19,5 @@ alice::cat /var/log/daemon.log::received SWID tag ID inventory with ... items fo alice::cat /var/log/daemon.log::1 SWID tag target::YES alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES alice::cat /var/log/daemon.log::strongswan.org__strongSwan-::YES -alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf index b08a85bb4..944a5928d 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf @@ -1,15 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce pem pkcs1 x509 openssl revocation constraints curl vici socket-default kernel-netlink tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite syslog { - auth { - default = 0 - } daemon { tls = 2 - tnc = 2 + tnc = 2 imv = 3 } } @@ -29,7 +26,7 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-swid { @@ -39,6 +36,6 @@ libimcv { } imv_policy_manager { - command_allow = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is allowed\""' - command_block = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is blocked\""' + command_allow = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is allowed\""' + command_block = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is blocked\""' } diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat index 09c8a6cbc..c0049d7fd 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat @@ -1,8 +1,8 @@ carol::ip route del 10.1.0.0/16 via 192.168.0.1 dave::ip route del 10.1.0.0/16 via 192.168.0.1 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 -alice::service charon stop -alice::service apache2 stop +alice::systemctl stop strongswan-swanctl +alice::systemctl stop apache2 alice::rm /etc/swanctl/rsa/aaaKey.pem alice::rm /etc/swanctl/x509/aaaCert.pem alice::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat index d8ac3ab41..c895148f2 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat @@ -13,8 +13,8 @@ alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/usr/local/bin/init_tnc alice::rm /etc/swanctl/x509/aliceCert.pem alice::rm /etc/swanctl/rsa/aliceKey.pem -alice::service charon start -alice::service apache2 start +alice::systemctl start apache2 +alice::systemctl start strongswan-swanctl alice::swanctl --load-creds winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 dave::ip route add 10.1.0.0/16 via 192.168.0.1 diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf index f4fb7e2dc..3b477dd81 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf index b7a772692..9da89723d 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf index 46ed39bb8..1e5f7becf 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 @@ -34,7 +27,7 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-attestation { diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat index ce72d2ca9..9c55c19cd 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat index d89aa2309..2e95da89d 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat @@ -12,9 +12,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -dave::service charon start -carol::service charon start +moon::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate dave::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf index 2eb34841d..8ebf56878 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf @@ -1,22 +1,15 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 3 imc = 3 - pts = 3 + pts = 3 } } } diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf index e9fa8cb80..0b47d35e7 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf index e58bab611..bf14fe327 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 @@ -34,7 +27,7 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-attestation { hash_algorithm = sha1 diff --git a/testing/tests/tnc/tnccs-20-pts/posttest.dat b/testing/tests/tnc/tnccs-20-pts/posttest.dat index ce72d2ca9..9c55c19cd 100644 --- a/testing/tests/tnc/tnccs-20-pts/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pts/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pts/pretest.dat b/testing/tests/tnc/tnccs-20-pts/pretest.dat index d89aa2309..2e95da89d 100644 --- a/testing/tests/tnc/tnccs-20-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pts/pretest.dat @@ -12,9 +12,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -dave::service charon start -carol::service charon start +moon::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate dave::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf index 7e51900a1..7f7f52869 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } } @@ -27,7 +20,7 @@ libtls { libimcv { plugins { imc-test { - command = retry + command = retry retry_command = allow } } diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf index 4aeda6674..d93482b10 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } plugins { @@ -32,7 +25,7 @@ libtls { libimcv { plugins { imc-test { - command = retry + command = retry retry_command = isolate } imc-scanner { diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf index 902e837f5..10d0ae864 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imv = 2 + imv = 2 } } plugins { @@ -34,7 +27,7 @@ libtls { libimcv { plugins { imv-test { - rounds = 0 + rounds = 0 } imv-scanner { closed_port_policy = yes diff --git a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat +++ b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat +++ b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf index 73f32424e..dab32e727 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 } } diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf index 07df4c086..e26da3e7a 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 } } diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf index 7aef92f39..66799c1e4 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imv = 2 } } diff --git a/testing/tests/tnc/tnccs-20-tls/posttest.dat b/testing/tests/tnc/tnccs-20-tls/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-tls/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-tls/pretest.dat b/testing/tests/tnc/tnccs-20-tls/pretest.dat index 1d11baa99..57985e682 100644 --- a/testing/tests/tnc/tnccs-20-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-tls/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf index 887806475..da21bc6f8 100644 --- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf index e78272b43..e90055fad 100644 --- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf index 165c5ccb9..1e9995eb6 100644 --- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-20/posttest.dat b/testing/tests/tnc/tnccs-20/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20/posttest.dat +++ b/testing/tests/tnc/tnccs-20/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20/pretest.dat b/testing/tests/tnc/tnccs-20/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-20/pretest.dat +++ b/testing/tests/tnc/tnccs-20/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf index 609852bc7..f0f941815 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf @@ -1,19 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no integrity_test = yes - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf index 2c0deca5e..e5925a4cf 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf @@ -1,19 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication=no integrity_test = yes - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf index d61bcd111..0261fe1b0 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf @@ -1,19 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown multiple_authentication=no integrity_test = yes - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-dynamic/posttest.dat b/testing/tests/tnc/tnccs-dynamic/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-dynamic/posttest.dat +++ b/testing/tests/tnc/tnccs-dynamic/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-dynamic/pretest.dat b/testing/tests/tnc/tnccs-dynamic/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-dynamic/pretest.dat +++ b/testing/tests/tnc/tnccs-dynamic/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home |